Authentication Basics
Authentication Basics
Learn how applications verify user identity using login credentials, passwords, OTPs, MFA, sessions, tokens, and secure authentication practices.
Introduction
Authentication is one of the most important concepts in secure programming.
Authentication means verifying the identity of a user, device, application, or system before allowing access.
For example, when a user enters an email and password to log in, the application checks whether the provided information matches a valid account. If the information is correct, the user is authenticated.
Authentication is the first step in protecting user accounts, private data, admin features, financial records, student records, and business systems.
Easy Real-Life Example
Authentication as Showing an ID Card
Imagine entering an office building. At the gate, the security guard asks for your ID card. The guard checks whether the ID belongs to you and whether it is valid.
Office Security:
Show ID card
Security checks identity
If valid, entry is allowed
Software Authentication:
Enter username and password
System checks credentials
If valid, login is allowed
Authentication is like identity verification at the entrance of a secure place.
What is Authentication?
Authentication is the process of confirming that someone or something is truly who it claims to be.
In software applications, authentication commonly happens through credentials such as:
Common Authentication Credentials
- Username and password.
- Email and password.
- One-Time Password, also called OTP.
- Authentication app code.
- Security token.
- Biometric verification such as fingerprint or face recognition.
- Single Sign-On through a trusted identity provider.
Why Authentication is Important
Without authentication, anyone could access private features or sensitive information.
Authentication protects applications by making sure that only verified users can enter the system.
Authentication Helps To
- Protect user accounts.
- Prevent unauthorized access.
- Protect private data.
- Support secure login systems.
- Identify who is using the application.
- Enable personalized user experiences.
- Support auditing and accountability.
- Reduce identity-related security risks.
What Can Go Wrong Without Authentication?
If an application does not authenticate users properly, attackers or unauthorized users may access features that should be protected.
Weak or Missing Authentication
- Anyone may access private pages.
- User accounts may be misused.
- Sensitive data may be exposed.
- Admin features may be accessed by unauthorized users.
- Fake identity may be accepted.
- Attackers may attempt repeated login guesses.
- Sessions may be hijacked if poorly managed.
Strong Authentication
- Only verified users can log in.
- Account access is controlled.
- Login attempts can be monitored.
- Additional verification can be added using MFA.
- Sessions can be managed safely.
- User identity becomes more trustworthy.
- Security and accountability improve.
Authentication vs Authorization
Authentication and authorization are related, but they are not the same.
| Authentication | Authorization |
|---|---|
| Verifies identity. | Checks permission. |
| Answers: Who are you? | Answers: What are you allowed to do? |
| Usually happens during login. | Happens after authentication. |
| Example: User enters password. | Example: Admin can delete records, student cannot. |
Basic Authentication Flow
A typical login-based authentication flow follows these steps:
1. User enters login details.
2. Application receives the credentials.
3. Application validates the input.
4. Application checks credentials against stored account data.
5. If credentials are valid, authentication succeeds.
6. Application creates a session or token.
7. User can access authenticated features.
In secure applications, this flow should also include protections such as safe password handling, secure error messages, login attempt controls, and session management.
User Identity
A user identity represents a user inside a system.
It may include account details such as username, email, user ID, role, profile information, and login status.
Example User Identity:
userId: 1025
email: student@example.com
role: Student
status: Active
Authentication verifies that the person trying to use this identity is allowed to do so.
Password-Based Authentication
Password-based authentication is one of the most common authentication methods.
The user enters a username or email along with a password. The system verifies whether the password is correct for that account.
Unsafe Password Handling
Store password directly as plain text.
Problem:
If the database is exposed, all passwords are exposed.
Safer Password Handling
Store password using a secure password hashing approach.
During login:
- User enters password.
- System hashes the entered password.
- System compares it with the stored password hash.
Passwords should not be stored as plain text.
Password Strength
A weak password can be guessed more easily. Applications should encourage or enforce strong password practices.
Strong Password Ideas
- Use sufficient password length.
- Avoid common passwords.
- Avoid using personal information such as name or birth date.
- Allow users to create longer passphrases.
- Do not store passwords in plain text.
- Use secure password reset mechanisms.
- Encourage password managers where appropriate.
Multi-Factor Authentication
Multi-Factor Authentication, or MFA, adds extra verification beyond only a password.
MFA requires users to provide more than one type of proof.
| Factor Type | Meaning | Example |
|---|---|---|
| Something You Know | Information remembered by the user. | Password or PIN. |
| Something You Have | A physical or digital item the user possesses. | Phone, OTP app, security key. |
| Something You Are | A biometric property of the user. | Fingerprint or face recognition. |
Example MFA Login:
1. User enters password.
2. System sends or requests OTP.
3. User enters OTP.
4. If both password and OTP are valid, login succeeds.
MFA improves security because a stolen password alone may not be enough to access the account.
OTP Authentication
OTP means One-Time Password.
An OTP is a temporary code used for verification. It is usually valid for a short period or for a single use.
OTP Flow:
1. User enters username and password.
2. System asks for OTP.
3. User receives or generates OTP.
4. User enters OTP.
5. System verifies OTP.
6. Login continues if OTP is valid.
OTPs are commonly used as part of MFA.
Token-Based Authentication
In token-based authentication, the system issues a token after successful login.
The client sends this token with future requests so the server can identify the authenticated user.
Token-Based Flow:
1. User logs in successfully.
2. Server creates an authentication token.
3. Client stores token safely.
4. Client sends token with future requests.
5. Server validates token before processing request.
Tokens should be protected because anyone who obtains a valid token may attempt to use it.
Session-Based Authentication
In session-based authentication, the server creates a session after successful login.
The user receives a session identifier, often stored in a secure cookie. The server uses this session identifier to remember the authenticated user.
Session-Based Flow:
1. User logs in.
2. Server creates a session.
3. Server sends session identifier to browser.
4. Browser sends session identifier with future requests.
5. Server checks session and identifies user.
Sessions should be unique, hard to guess, protected, and expired when no longer needed.
Session Expiry and Logout
Authentication should not last forever. Sessions and tokens should expire based on security needs.
Session Safety Practices
- Expire sessions after inactivity.
- Expire sessions after a maximum allowed time.
- Allow users to logout.
- Invalidate session after logout.
- Regenerate session after successful login where applicable.
- Require re-authentication for sensitive actions.
Secure Authentication Error Messages
Authentication error messages should be safe and should not reveal too much information.
Unsafe Error Message
Email exists, but password is wrong.
This reveals that the email is registered.
Safer Error Message
Invalid username or password.
This message is safer because it does not reveal which part was wrong.
Login Attempt Protection
Applications should protect login systems from repeated guessing attempts.
Protection Ideas
- Limit repeated failed login attempts.
- Temporarily slow down repeated attempts.
- Monitor suspicious login behavior.
- Notify users of unusual login activity where appropriate.
- Use MFA for sensitive accounts.
- Log authentication failures safely.
Sensitive Accounts
Sensitive accounts include administrator accounts, service accounts, database accounts, and internal system accounts.
These accounts should be protected more carefully because misuse can cause serious damage.
Single Sign-On
Single Sign-On, or SSO, allows users to authenticate through a trusted identity provider and access multiple applications.
SSO Example:
User signs in through trusted identity provider.
Application trusts the identity provider response.
User accesses application without creating a separate password.
SSO can simplify login management and centralize identity control when implemented correctly.
Authentication and User Registration
Registration is often the first step before authentication.
A secure registration process should collect required information, validate input, verify email or phone where needed, and avoid creating duplicate or fake accounts.
Registration Checks:
- Validate email format.
- Confirm password rules.
- Verify email ownership if required.
- Avoid duplicate accounts.
- Store password securely.
Password Reset
Password reset is a sensitive feature because attackers may try to misuse it to take over accounts.
Safer Password Reset Ideas
- Use a secure reset process.
- Do not reveal whether an email exists in the system.
- Use temporary reset links or codes.
- Expire reset links or codes.
- Notify the user after password change.
- Require strong new password rules.
Real-World Example: E-Commerce Login
In an e-commerce application, authentication protects customer accounts, orders, addresses, payment preferences, and purchase history.
| Authentication Area | Secure Practice |
|---|---|
| Login | Verify email and password safely. |
| Password Storage | Do not store plain-text passwords. |
| MFA | Use additional verification for sensitive actions. |
| Session | Expire session after inactivity. |
| Error Message | Use safe login failure messages. |
| Logout | Invalidate the session after logout. |
Student-Friendly Example: Student Portal Login
Student Portal Authentication:
1. Student enters email and password.
2. System validates required fields.
3. System checks whether credentials are valid.
4. If valid, system creates a session.
5. Student can view own marks and attendance.
6. Student cannot access admin-only features.
Authentication confirms the student identity. Authorization decides what the student can access after login.
Example: Basic Login Logic
Weak Version
INPUT email
INPUT password
IF email == storedEmail AND password == storedPassword THEN
DISPLAY "Login successful"
ELSE
DISPLAY "Login failed"
END IF
This example is simple, but it directly compares plain passwords and does not show secure password storage.
Better Conceptual Version
INPUT email
INPUT password
IF email is empty OR password is empty THEN
DISPLAY "Invalid username or password"
STOP
END IF
userAccount = FIND account by email
IF userAccount does not exist THEN
DISPLAY "Invalid username or password"
STOP
END IF
IF password does not match stored password hash THEN
DISPLAY "Invalid username or password"
STOP
END IF
CREATE secure session
DISPLAY "Login successful"
This version uses safer error messages and avoids revealing whether the email exists.
Example: Authentication with MFA
INPUT email
INPUT password
IF credentials are invalid THEN
DISPLAY "Invalid username or password"
STOP
END IF
SEND or REQUEST second factor code
INPUT verificationCode
IF verificationCode is invalid THEN
DISPLAY "Authentication failed"
STOP
END IF
CREATE secure session
DISPLAY "Login successful"
This shows the idea of using a second factor after the password is verified.
Authentication Checklist
Before Finalizing Authentication, Ask:
- Are login inputs validated?
- Are passwords stored securely and not as plain text?
- Are error messages safe?
- Are repeated failed attempts controlled?
- Is MFA used where appropriate?
- Are sessions or tokens protected?
- Does logout invalidate the session?
- Are sensitive actions protected with re-authentication where needed?
- Are privileged accounts protected carefully?
- Is authentication separated from authorization?
Common Beginner Mistakes
Mistakes
- Storing passwords as plain text.
- Showing different error messages for wrong email and wrong password.
- Not validating login input.
- Allowing unlimited login attempts.
- Not expiring sessions.
- Not invalidating session after logout.
- Confusing authentication with authorization.
- Assuming login means access to all features.
- Hardcoding credentials in source code.
- Not protecting privileged accounts with stronger controls.
Better Habits
- Store only secure password hashes.
- Use generic login failure messages.
- Validate login inputs.
- Monitor and limit repeated failed attempts.
- Use secure session management.
- Expire sessions appropriately.
- Use MFA for sensitive scenarios.
- Check authorization after authentication.
- Keep credentials out of source code.
- Protect admin and service accounts carefully.
Best Practices for Authentication
Recommended Practices
- Validate all authentication input.
- Use secure password storage.
- Never store plain-text passwords.
- Use generic login failure messages.
- Protect against repeated login attempts.
- Use MFA where risk or sensitivity is high.
- Use secure session or token management.
- Expire sessions and tokens appropriately.
- Invalidate sessions after logout.
- Require re-authentication for highly sensitive actions.
- Do not hardcode secrets or credentials.
- Use trusted authentication libraries or identity providers where appropriate.
- Perform security-focused code review for authentication logic.
- Test authentication with valid, invalid, locked, expired, and unusual scenarios.
Prerequisites Before Learning Authentication
Students should understand the following topics before learning authentication deeply:
Required Knowledge
- Basic programming syntax.
- Variables and strings.
- Conditional statements.
- Functions or methods.
- Input validation.
- Secure programming practices.
- Basic web application concepts.
- Basic database concepts.
- Basic session or token concept.
Trace Table Example: Login Validation
FUNCTION authenticateUser(email, password)
IF email is empty OR password is empty THEN
RETURN "Invalid username or password"
END IF
userAccount = FIND account by email
IF userAccount does not exist THEN
RETURN "Invalid username or password"
END IF
IF password does not match stored password hash THEN
RETURN "Invalid username or password"
END IF
RETURN "Authenticated"
END FUNCTION
| Test Case | Input | Expected Result | Reason |
|---|---|---|---|
| TC_001 | Valid email and valid password | Authenticated | Correct credentials. |
| TC_002 | Empty email | Invalid username or password | Required field missing. |
| TC_003 | Valid email and wrong password | Invalid username or password | Password does not match. |
| TC_004 | Unknown email and any password | Invalid username or password | Account does not exist, but message remains generic. |
Practice Activity: Improve Login Security
Improve the following pseudocode by applying authentication best practices.
INPUT username
INPUT password
IF username == "admin" AND password == "admin123" THEN
DISPLAY "Welcome admin"
ELSE
DISPLAY "Wrong password"
END IF
Sample Improved Concept
INPUT username
INPUT password
IF username is empty OR password is empty THEN
DISPLAY "Invalid username or password"
STOP
END IF
userAccount = FIND account by username
IF userAccount does not exist THEN
DISPLAY "Invalid username or password"
STOP
END IF
IF password does not match stored password hash THEN
DISPLAY "Invalid username or password"
STOP
END IF
CREATE secure session
DISPLAY "Login successful"
The improved concept avoids hardcoded credentials, validates input, uses a generic error message, and creates a secure session after successful authentication.
Practice Test Cases
| Test Case | Scenario | Expected Output |
|---|---|---|
| TC_001 | Correct username and password | Login successful |
| TC_002 | Correct username and wrong password | Invalid username or password |
| TC_003 | Unknown username | Invalid username or password |
| TC_004 | Empty username | Invalid username or password |
| TC_005 | Empty password | Invalid username or password |
Mini Quiz
What is authentication?
Authentication is the process of verifying the identity of a user, device, application, or system.
What question does authentication answer?
Authentication answers the question: Who are you?
What is MFA?
MFA means Multi-Factor Authentication, where users provide more than one type of proof to verify identity.
Why should passwords not be stored as plain text?
Plain-text passwords can be exposed directly if storage is compromised, so passwords should be stored using secure password hashing.
What is the difference between authentication and authorization?
Authentication verifies identity, while authorization checks what the authenticated user is allowed to do.
Interview Questions on Authentication Basics
Define authentication in secure programming.
Authentication is the process of verifying that a user or system is truly who or what it claims to be.
Name common authentication methods.
Common methods include password-based login, OTP, MFA, biometric verification, tokens, and Single Sign-On.
Why should login error messages be generic?
Generic login error messages avoid revealing whether the username or password was incorrect.
What is session-based authentication?
Session-based authentication creates a server-side session after successful login and uses a session identifier to recognize future requests.
Why is MFA useful?
MFA adds an extra verification layer, so a stolen password alone may not be enough to access an account.
Quick Summary
| Concept | Meaning |
|---|---|
| Authentication | Verifying user or system identity. |
| Credentials | Information used to prove identity, such as password or OTP. |
| Password Authentication | Login using username/email and password. |
| MFA | Authentication using more than one factor. |
| OTP | One-Time Password used for temporary verification. |
| Session | Server-side state that remembers an authenticated user. |
| Token | A value used to represent authenticated access in future requests. |
| Authorization | Permission checking after authentication. |
Final Takeaway
Authentication is the foundation of secure access control. It verifies identity before users can access protected features. Students should understand username-password login, password safety, MFA, OTP, token-based authentication, session-based authentication, secure error messages, login attempt protection, and the difference between authentication and authorization. A secure application should authenticate users carefully, protect credentials, manage sessions safely, and combine authentication with proper authorization.