Authentication
Authentication is the process of verifying that an entity — such as a user of a website — is who they claim to be. You'll most likely need to think about authentication if you want users to sign into your website.
If users can log into your website, there are typically things logged-in users can do, or data they can access, that you don't want to make generally available. For example, logged-in users might be able to:
- Make use of a service they have paid for
- Spend money
- Access private personal or corporate information
- Interact socially with others in the persona associated with the account
All these abilities, and more, make user account access an important target for attackers. If an attacker is able to sign into your site by pretending to be a legitimate user, the attacker could access and exploit, for example, the user's private data, financial credentials, or confidential corporate secrets. They could also impersonate the user on your site, causing reputational and potentially financial damage.
In this set of guides we'll look at the main techniques available for authenticating users on the web, and good practices for them.
Authentication methods
In this set of guides we'll describe the following authentication systems. Each system might be deployed on its own or might be combined with others, either to give users a choice about which one they want to use, or to implement a multi-factor authentication system.
- Passwords
  A password is a relatively long-lasting secret presented by the user to the website when they need to log in. The website compares the password with a securely stored transformation of it, and logs the user in if they match. Passwords have many well-known security weaknesses, and in this article we'll explain the best practices to minimise them.
- One-time passwords (OTP)
  A one-time password is a code generated by the website that is specific to a single login attempt. The website either sends the code to the user in a separate channel, such as an email, or the user's device independently generates the code. The user then enters the code on the site to log in.
- Federated identity
  In most authentication systems there are two parties: the user, and the website they are trying to log into. In a federated system there is a third party, which is called an identity provider. When the user wants to sign into the website, the website asks the identity provider to identify the user, and if the identification is successful, logs the user in.
- Passkeys
  Passkeys enable websites to authenticate users without the user having to enter any passwords or other secret codes on the site itself.
  In a system that uses passkeys, the user's device stores a cryptographic key pair representing the user's registration on a particular site. When the user tries to log into the site, the site sends the device a challenge. The device signs the challenge with the private key and sends the result to the website, which can verify the signature and log the user in.
  Passkeys are implemented using the Web Authentication API.
Session management
After a website has authenticated a user, the website will typically want to keep this user signed in without the need to reauthenticate, either for a limited time or even indefinitely until the user signs out. Websites typically accomplish this by setting a cookie that contains a secret session identifier, or using a cryptographically signed object such as a JWT.
In our session management guide, we outline session management best practices.