Authentication

Security

The process of verifying the identity of a user, device, or system before granting access to protected resources or applications.

What is Authentication?

Core Concept

Authentication answers the question "Who are you?" by verifying that users are who they claim to be. It's the first line of defense in application security, typically involving credentials like usernames, passwords, or biometric data.

Authentication vs Authorization

  • Authentication: Verifies identity ("Who are you?")
  • Authorization: Determines permissions ("What can you do?")
  • Authentication always comes before authorization: a permission decision needs a verified identity to decide about
  • Both are essential: authenticating users without then restricting what each may do gives every verified identity the same access

Authentication Methods

Single-Factor Authentication

Uses one method to verify identity:

  • Password: Most common method
  • PIN: Numeric codes
  • Biometric: Fingerprint, face recognition

Multi-Factor Authentication (MFA)

Combines multiple verification methods:

  • Something you know: Password, PIN
  • Something you have: Phone, token
  • Something you are: Biometrics

Implementation Example

JWT Authentication in Node.js

const express = require('express');
const jwt = require('jsonwebtoken');
const bcrypt = require('bcrypt');

const app = express();
app.use(express.json());

// `User` is assumed to be an existing data-access model (for example a Mongoose model)
// whose findOne() returns a document with `_id`, `email` and a bcrypt `password` hash.
// JWT_SECRET must be a long random value loaded from the environment, never hard-coded.

// Login endpoint
app.post('/login', async (req, res) => {
    const { email, password } = req.body;
    // Reject non-string input before it reaches the database query or bcrypt
    if (typeof email !== 'string' || typeof password !== 'string') {
        return res.status(400).json({ error: 'Email and password are required' });
    }

    // Find user in database
    const user = await User.findOne({ email });
    if (!user) {
        // Same message and status as a wrong password, so the response does not reveal which emails exist
        return res.status(401).json({ error: 'Invalid credentials' });
    }

    // Verify password against the stored bcrypt hash
    const isValidPassword = await bcrypt.compare(password, user.password);
    if (!isValidPassword) {
        return res.status(401).json({ error: 'Invalid credentials' });
    }

    // Generate JWT token (claims are signed, not encrypted: put nothing secret in them)
    const token = jwt.sign(
        { userId: user._id, email: user.email },
        process.env.JWT_SECRET,
        { expiresIn: '24h', algorithm: 'HS256' }
    );

    res.json({ token, user: { id: user._id, email: user.email } });
});

// Middleware to verify token
const authenticateToken = (req, res, next) => {
    const authHeader = req.headers['authorization'];
    const token = authHeader && authHeader.startsWith('Bearer ') ? authHeader.slice(7) : null;

    if (!token) {
        return res.status(401).json({ error: 'Access token required' });
    }

    // Pin the accepted algorithm so the token header cannot select a weaker one
    jwt.verify(token, process.env.JWT_SECRET, { algorithms: ['HS256'] }, (err, payload) => {
        if (err) {
            return res.status(403).json({ error: 'Invalid token' });
        }
        req.user = payload;
        next();
    });
};

// Protected route: authenticateToken runs before the handler
app.get('/me', authenticateToken, (req, res) => {
    res.json({ user: req.user });
});

app.listen(process.env.PORT || 3000);

Modern Authentication Protocols

OAuth 2.0

Industry-standard protocol for delegated authorization, commonly seen behind "Login with Google/Facebook" buttons. It lets a third-party application access a user's data at another service without the user handing over their password; on its own it says who may access what, not who the user is.

OpenID Connect

Authentication layer built on top of OAuth 2.0. Provides identity verification and user information exchange between applications and identity providers.

Career Impact

Authentication expertise is valuable for:

  • Security Engineer: $110,000 - $200,000 annually
  • Full-Stack Developer: $85,000 - $160,000 annually
  • DevSecOps Engineer: $120,000 - $220,000 annually
  • Identity & Access Management: $100,000 - $180,000 annually