Core Module
12 min forge
Authentication
Master the logic of digital identity. Learn how to verify who a user is using passwords, tokens, and multi-factor systems.
Authentication (AuthN)
Authentication is the process of verifying the identity of a user, device, or system. It answers the question: "Who are you?"
The Logic (ELI5)
Think of an Airport Security Checkpoint:
- You hand the agent your Passport.
- They look at the photo and look at your face.
- They verify that you are indeed the person named on the passport.
- Conclusion: You are who you say you are. You have been authenticated.
- (Note: This doesn't mean you can get on the plane yet; that's Authorization!)
The Deep Dive
Common Methods
- Passwords: Something you know. Store only a salted, slow hash of the password in the database, never the password itself.
- Tokens (JWT): A signed digital badge issued after you log in. You present the badge on every later request, and the server checks its signature instead of asking for your password again.
- Session Cookies: The server keeps your login state in memory or a database under a random Session ID, and your browser sends that ID back in a cookie on each request. The server holds the state; the client holds only the ID.
- Biometrics: Something you are (Fingerprint, FaceID).
Modern Standard: JWT (JSON Web Tokens)
In distributed systems, JWTs are preferred because they are Stateless. The server doesn't need to check a database to know if the token is valid; it checks the digital signature on the token itself, using an algorithm it has fixed in advance (never one chosen by the token's own header), and then checks the expiry claim. The trade-off of being stateless is that a token cannot simply be "forgotten" by the server the way a session can, so issue short-lived tokens and keep a revocation path (a denylist or key rotation) for compromised ones.
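The mint-and-verify flow described above, as an added example that is not part of the original module. It uses only the Python standard library to build an HS256 JWT, then verifies it the way a server should: pin the algorithm, check the HMAC signature in constant time, then check `exp`. The key and claims are constructed for the demo; `forge_alg_none` shows the classic "alg: none" forgery attempt so you can see it rejected.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key. In production load it from a secrets manager and rotate it.
SECRET_KEY = b"example-hs256-key-do-not-use-in-production"


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Restore the padding JWT strips, then decode."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def mint_jwt(claims: dict, key: bytes, ttl_seconds: int = 900,
             now: Optional[int] = None) -> str:
    """Issue a short-lived HS256 JWT (15 minutes by default)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = dict(claims, iat=now, exp=now + ttl_seconds)
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_jwt(token: str, key: bytes, now: Optional[int] = None) -> dict:
    """Return the claims if the token is valid, otherwise raise ValueError.

    Order of checks: structure, pinned algorithm, signature, expiry.
    The payload is only decoded after the signature has been checked.
    """
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        provided_sig = b64url_decode(sig_b64)
    except ValueError as exc:  # binascii.Error and JSONDecodeError both subclass ValueError
        raise ValueError("undecodable token") from exc
    # The server decides the algorithm; the header is untrusted input.
    # This is what defeats the "alg": "none" bypass.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, provided_sig):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("token expired or missing exp")
    return claims


def forge_alg_none(token: str) -> str:
    """Attacker move: keep the payload, swap the header to alg "none", drop the signature.
    A verifier that trusts the header's alg accepts this; ours does not."""
    _, payload_b64, _ = token.split(".")
    none_header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{none_header}.{payload_b64}."


if __name__ == "__main__":
    token = mint_jwt({"sub": "alice"}, SECRET_KEY, ttl_seconds=60)
    print("claims:", verify_jwt(token, SECRET_KEY))
    for bad in (forge_alg_none(token), token[:-4] + "AAAA"):
        try:
            verify_jwt(bad, SECRET_KEY)
        except ValueError as err:
            print("rejected:", err)
```

Note that a real deployment would also check `iss` and `aud`, and would prefer an asymmetric algorithm (RS256/ES256) so that services which only verify tokens never hold the signing key.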
Interview Pulse
AuthN vs AuthZ
Interviewers love to see if you confuse these two.
- Authentication (AuthN): Who are you? (Passport).
- Authorization (AuthZ): What can you do? (Boarding Pass).
Security Best Practices
- Hashing: Never store passwords as plain text. Use a slow, salted password-hashing algorithm such as bcrypt or argon2 (a fast general-purpose hash like SHA-256 is the wrong tool here, because an attacker can try billions of guesses per second against it).
- Salting: Adding random data to each password before hashing it, so that two users with the same password get different hashes and a precomputed "Rainbow Table" cannot crack them all at once. bcrypt and argon2 generate and store the salt for you.
- 2FA/MFA: Adding a second factor (e.g., an SMS code or an Authenticator app). SMS is the weakest option because codes can be phished or intercepted via SIM swapping; an authenticator app is better, and a FIDO2 / WebAuthn security key is phishing-resistant.
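The hashing and salting points above, as an added example that is not part of the original module. The page recommends bcrypt or argon2; those need a third-party package, so this example stands in the standard library's scrypt (also a memory-hard password KDF) and keeps the same shape: a fresh random salt per password, parameters stored alongside the digest, and a constant-time comparison on verify. `unsalted_sha256` is included only to show the anti-pattern the salt prevents. All inputs are constructed for the demo.

```python
import hashlib
import hmac
import os

# scrypt cost parameters (stand-in for bcrypt/argon2 work factors).
# N=2**14, r=8 uses about 16 MiB per hash; raise N in production as hardware allows.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
DIGEST_LEN = 32


def unsalted_sha256(password: str) -> str:
    """The anti-pattern: the same password always yields the same hash,
    so one precomputed (rainbow) table cracks every user who chose it."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str) -> str:
    """Derive a salted, slow hash and return a self-describing record
    (scheme, cost parameters, salt, digest) to store in the user table."""
    salt = os.urandom(16)  # fresh random salt per password
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DIGEST_LEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the digest with the stored salt and parameters, then compare
    in constant time so timing does not leak how many bytes matched."""
    try:
        scheme, n, r, p, salt_hex, digest_hex = stored.split("$")
        if scheme != "scrypt":
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                                   n=int(n), r=int(r), p=int(p), dklen=len(expected))
    except ValueError:
        # Malformed record (bad field count, non-hex, bad parameters): treat as no match.
        return False
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed demo password
    record_alice, record_bob = hash_password(pw), hash_password(pw)
    print("salted records differ:", record_alice != record_bob)
    print("unsalted hashes collide:", unsalted_sha256(pw) == unsalted_sha256(pw))
    print("alice login ok:", verify_password(pw, record_alice))
    print("wrong password:", verify_password("Tr0ub4dor&3", record_alice))
```

Because the record carries its own parameters, you can raise the cost later and re-hash each user transparently on their next successful login, which is how work factors get upgraded without a forced password reset.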
Top Question
"Where do you store a JWT on the client?"
Answer: An HttpOnly, Secure cookie is the safest option, because script on the page cannot read it. Storing the token in localStorage means any XSS (Cross-Site Scripting) bug lets an attacker's script read and exfiltrate it. The caveat to add: a cookie is sent automatically by the browser, so you must also set SameSite (Lax or Strict) and/or use CSRF tokens, otherwise you have traded token theft for CSRF. HttpOnly only protects the token; it does not stop the XSS itself.