What Is Token-Based Authentication?

February 8, 2021 | Anastasios Arampatzis

With businesses adopting a plethora of cloud-based platforms and apps, authenticating people and machines to access these services can be a real burden. Relying on traditional, static passwords or secrets is no longer adequate for securing access to sensitive data and resources.

It is time to invest in new authentication mechanisms. Just like metal keys and locks are being replaced by access cards that employees receive once their identity has been validated and their access permissions determined, token-based authentication allows access to services and resources once the requestor’s identity has been authenticated.

What is token-based authentication?

To mitigate the weaknesses and risks of password-based authentication, many methods have been developed. While each authentication method is unique, all fall under one of the following three categories: knowledge (something you know), inherence (something you are), and possession (something you own).

Password authentication falls within the knowledge category because users rely on a word or phrase they have created and are aware of to verify their identity. On the other hand, authentication using biometrics, such as fingerprints, is an example of “something you are” due to its use of biological traits. Finally, token-based authentication belongs in the possession category.

Token authentication requires users to obtain a computer-generated code, known as a token, before they are granted access to a network or a resource. Token-based authentication is usually used in combination with password authentication as part of two-factor authentication (2FA).

How does it work?

There are two forms of tokens, hardware and software. Whatever their form, tokens are employed to ensure every request to a server is verified, similar to how passwords allow users to log into a service but offering a superb user experience. Users are not required to memorize any passwords. With the plethora of apps and services requiring access authentication, logging in with passwords leads to password fatigue.

Hardware or physical tokens are usually inserted into a USB port. The system then compares the information provided by the token with the details stored on its database and, if it is correct, the user is authorized to access the system.

On the other hand, modern web applications typically use software tokens, known as JSON web tokens (JWTs) to authenticate their users. JWTs are encoded as JSON objects and operate within an open standard for securely transmitting information between parties. In practice, user data is encrypted by an identity provider into a JWT. The service provider then stores this encrypted data and uses it to confirm the user identity in every subsequent request. This ensures that criminals cannot access user data—which is held by the identity provider—in the event of a breach to the service provider.

While these traditional token authentication systems are still in effect today, the rise of smartphones has made token-based authentication easier than ever, transforming smartphones into mobile-as-a-token authentication mechanisms. Smartphones serve as code generators, providing end users with the security tokens necessary to gain access to their network at any given time. As part of the login process, users receive a cryptographically secure one-time passcode (OTP token) which expires after 30 or 60 seconds, depending on the settings at the server end. These OTP tokens are generated either by an authenticator app on the device or sent on demand via SMS.

The token-based authentication process

When using a token-based authentication system, your users will only need to verify their identity once and then are allowed access to the system for an allotted time frame. Here’s how that process works:

  1. The user requests service or access to the system.
  2. The server determines if the user is verified to enter the system and can be trusted to use it.
  3. When the user is verified, the system issues a token to the user which allows the user access to the system.
  4. The token is then stored in the user's browser while the user is working with the system.
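The issue-and-verify steps above, together with the JWT description in the previous section, as an added example that is not part of the original post. It mints an HS256-signed JWT with the Python standard library after the user has been verified (step 3), and shows the check the service runs on every later request: a pinned algorithm, a constant-time signature comparison, and enforcement of the `exp` claim. One point worth seeing in code: a standard signed JWT is base64url-encoded, not encrypted, so anyone holding the token can read its claims (`peek_payload` does exactly that); the signature only proves the claims were not altered. The signing key, subject and role values are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed signing key for the demo. In a real deployment the identity provider holds a
# random key (or a private key for RS256/ES256) and the service only needs the means to verify.
DEMO_KEY = b"demo-signing-key-not-for-production"
ALGORITHM = "HS256"          # the verifier pins this; it never trusts the token's own header


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(key: bytes, signing_input: str) -> bytes:
    return hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()


def issue_token(key: bytes, subject: str, roles: list, now: int, ttl_seconds: int = 300) -> str:
    """Step 3 of the process: the verified user gets a signed, self-contained token.
    Roles travel in the payload (fine-grained access control); exp bounds its lifetime."""
    header = {"alg": ALGORITHM, "typ": "JWT"}
    payload = {"sub": subject, "roles": roles, "iat": now, "exp": now + ttl_seconds}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, payload)
    )
    return f"{signing_input}.{_b64url(_sign(key, signing_input))}"


def peek_payload(token: str) -> dict:
    """Reads the claims WITHOUT the key or any check: a signed JWT is encoded, not encrypted."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def verify_token(key: bytes, token: str, now: int) -> Optional[dict]:
    """Per-request check on the service side (step 4 onwards). Returns the claims or None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    # Reject anything but the pinned algorithm (an "alg": "none" header must not disable checks).
    if not isinstance(header, dict) or header.get("alg") != ALGORITHM:
        return None
    # Constant-time signature comparison over the exact bytes that were signed.
    if not hmac.compare_digest(_sign(key, f"{header_b64}.{payload_b64}"), signature):
        return None
    try:
        payload = json.loads(_b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    # Enforce expiry: a signed token would otherwise be accepted forever.
    exp = payload.get("exp") if isinstance(payload, dict) else None
    if not isinstance(exp, int) or now >= exp:
        return None
    return payload


if __name__ == "__main__":
    now = int(time.time())
    token = issue_token(DEMO_KEY, "alice", ["reader"], now)
    print("readable without the key:", peek_payload(token))
    print("valid now:", verify_token(DEMO_KEY, token, now) is not None)
    print("valid after expiry:", verify_token(DEMO_KEY, token, now + 301) is not None)
```

Because the payload is readable, it should carry identity and authorization claims only, never secrets, and the token itself has to be treated as a credential: stored carefully in the browser and sent only over HTTPS.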

Benefits of token-based authentication

The key advantage of token-based authentication is that it removes reliance on weak login credentials. It can help organizations move towards a passwordless approach to identity and access management (IAM) by offering a strong authentication factor for multi-factor authentication that can complement biometrics, push notifications, and more.

Token-based authentication is particularly beneficial to mobile apps and platform-as-a-service (PaaS) applications. It simplifies the process of securing access to on-premise or cloud-based applications and enables organizations to actively adopt digital transformation initiatives by securely sharing their information through APIs with a wide range of customers, partners and suppliers beyond the traditional corporate perimeter.

Besides these important benefits, the use of tokens comes with many advantages such as:

  • Tokens are stateless. The token is self-contained and contains all the information required for authentication. This is great for scalability as it removes the burden from the server to store session state.
  • Tokens can be generated from anywhere. Token generation is decoupled from token verification allowing you the option to handle the signing of tokens on a separate server or even through a different company.
  • Fine-grained access control. Within the token payload you can easily specify user roles and permissions as well as resources that the user can access, providing a seamless user authentication experience.

How secure is token-based authentication?

Password authentication is no longer enough to keep attackers from breaking into corporate networks. Compromised or stolen credentials obtained through brute force attacks, dictionary attacks, or phishing campaigns are the preferred attack vector used by malicious actors.

Token-based authentication, when used in tandem with other authentication mechanisms, creates an extra obstacle for the criminals to overcome. Since tokens can only be stolen from the generator device—whether a USB key or a smartphone—token-based authentication methods are considered highly secure and effective.

Despite the many advantages token-based authentication presents, it is not immune to security risks. For example, sending OTP tokens through SMS is not a best practice, since these tokens are susceptible to SIM swapping attacks and could be intercepted or compromised during transmission. For this reason, it is highly advisable to use authenticator apps for generating OTP tokens. Even then, there is always the danger of losing the smartphone or the USB key. A stolen token together with a compromised password can be the key to all your secrets, leaving your organization vulnerable to the criminals’ malicious intentions.

Best practices for managing tokens

Implementing a robust and effective authentication strategy is the key to protecting critical corporate assets from data breaches or security incidents. For the strategy to truly be effective, adoption and adherence to identity and credential protection best practices is required. Here are a few factors to consider when deploying a token-based authentication strategy:

  • Select the right token. With so many available options to choose from, selecting the right token-based authentication method is an exercise that should consider factors like business environment, security, scalability, user experience, and cost of ownership.
  • Keep it private. A token should be treated the same way user credentials are. Protecting the security and integrity of your tokens is the cornerstone of an effective IAM strategy. Stolen or compromised tokens act like Trojan Horses.
  • Set an expiration date. Technically, once a token is signed, it is valid forever, unless the signing key is changed, or expiration is explicitly set. To avoid authentication issues due to expired tokens, organizations should have policies and automated solutions for monitoring these credentials and revoking tokens.
  • Leverage HTTPS connections. HTTPS connections leverage encryption and security certificates to protect sensitive data. It is important to use HTTPS when sending tokens so they cannot be intercepted in transit.

The use of passwords or static secrets to authenticate users or machines accessing corporate resources is not adequate for modern enterprises migrating to hybrid environments. Organizations should adopt multi-factor authentication mechanisms while developing passwordless initiatives. Token-based authentication is the right approach towards providing a robust, efficient and effective Identity and Access Management (IAM) policy. However, as with every credential, tokens and their signing keys must be protected adequately to avoid compromise. Venafi offers the most reliable certificate and machine identity management platform. Learn more here.

About the author

Anastasios Arampatzis

Anastasios Arampatzis is a retired Hellenic Air Force officer with over 20 years of experience in evaluating cybersecurity and managing IT projects. He works as an informatics instructor at AKMI Educational Institute, while his interests include exploring the human side of cybersecurity.
