Session-based authentication is the traditional model and is still widely used in classic web applications. After login the server creates a session record and hands the client a session ID, usually in a cookie; each later request presents that cookie and the server looks the session up. This works well when a single backend controls everything and can hold that state.
However, when the clients are external services rather than people, managing sessions becomes impractical. Machines need a way to authenticate to each other, and API keys fill that role: static strings that function like passwords between machines. Unfortunately, this approach has no built-in mechanism for expiration or revocation.
As applications became more distributed and stateless, JSON Web Tokens (JWT) emerged to address the new challenges. A JWT is a signed token issued by a server after a user successfully logs in; the server keeps no per-session storage, because it can verify the token's signature and read the user's identity from the token itself, much like checking a notarized document. It is important to note that JWT is not a login method in itself but a token format used to carry identity after login.
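The issue-then-verify cycle described above, as an added example that is not part of the original article: a minimal HS256 JWT is minted after login and later checked statelessly. The verifier pins the algorithm, compares the signature in constant time and enforces the `exp` claim, which are the checks a practitioner actually relies on. Only the Python standard library is used; the secret and subject values are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    """Inverse of _b64url; restores the stripped padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_jwt(secret: bytes, subject: str, ttl_seconds: int, now=None) -> str:
    """Mint a signed HS256 token for `subject` that expires after ttl_seconds."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "iat": now, "exp": now + ttl_seconds}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = _b64url(compact(header)) + "." + _b64url(compact(payload))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jwt(secret: bytes, token: str, now=None) -> dict:
    """Return the payload if the token is well-formed, signed by `secret`,
    and not expired; raise ValueError otherwise. No server-side state needed."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, p_b64, s_b64 = parts

    # Pin the algorithm: never let the token choose how it is verified.
    header = json.loads(_b64url_decode(h_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")

    # Recompute the MAC over header.payload and compare in constant time.
    expected = hmac.new(secret, (h_b64 + "." + p_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise ValueError("bad signature")

    payload = json.loads(_b64url_decode(p_b64))
    exp = payload.get("exp")
    if not isinstance(exp, int) or now >= exp:
        raise ValueError("token expired or missing exp")
    return payload


if __name__ == "__main__":
    key = b"constructed-example-secret"  # constructed value; use a random key in practice
    tok = issue_jwt(key, "alice", ttl_seconds=300)
    print(tok)
    print(verify_jwt(key, tok))
```

Because the signature covers the encoded header and payload together, changing a single claim invalidates the token, and because expiry is a claim inside the token, a stolen token stops working on its own without the server keeping a list of issued tokens.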
OAuth addresses a different need: it lets users grant another application access to their data without revealing their passwords. It does not replace traditional login; OAuth is a framework for delegated access. When you use a feature such as "Login with Google" or connect an application to Dropbox, OAuth is what makes that interaction work. The external provider, such as Google or GitHub, handles authentication and then issues a token (often a JWT or an opaque token) to the third-party application. This arrangement lets applications work together securely without duplicating credentials.
In addition to these flows, security best practice calls for a second layer of protection: Multi-Factor Authentication (MFA). After a user logs in with a password, they are asked to prove their identity once more, using a code sent via SMS, a code generated by an authenticator app, or even a fingerprint. MFA significantly strengthens security, making it considerably harder for an attacker to impersonate a user even if they have obtained the password.