Authentication Flashcards
What is the difference between authentication and authorization?
- Authentication verifies who the user is (e.g., by checking login credentials or a second factor).
- Authorization decides what an already-authenticated identity may do or access, and is enforced on every request, not just at login.
What is session-based authentication, and how does it work?
After login the server creates a session record (user, expiry) keyed by a long random session ID, and sends only that ID to the browser in a cookie (HttpOnly, Secure, SameSite). On each later request the server looks the ID up in its store; logout or expiry deletes the record, which invalidates the cookie server-side.
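The mechanism in the card above, as an added example (not part of the flashcard deck): a minimal server-side session store with random IDs, a hardened cookie, idle expiry and server-side logout. The function names, the `sid` cookie name and the 15-minute idle timeout are choices made for this example.

```python
# Added example, not from the flashcard deck: a minimal server-side session
# store of the kind a session-based login uses. Function names, the "sid"
# cookie name and the 15-minute idle timeout are choices made for this example.
import secrets
import time
from typing import Dict, Optional

SESSION_TTL_SECONDS = 15 * 60          # idle timeout; assumption for the example

# session_id -> {"user": username, "expires": unix time}; all state lives here,
# the browser only ever holds the opaque ID.
_sessions: Dict[str, dict] = {}


def create_session(username: str, now: Optional[float] = None) -> str:
    """Called after the password (and any second factor) has been checked.

    The ID is 256 bits from the OS CSPRNG and encodes nothing about the user,
    so it cannot be guessed or forged. A fresh ID is issued at every login,
    which also defeats session fixation.
    """
    now = time.time() if now is None else now
    session_id = secrets.token_urlsafe(32)
    _sessions[session_id] = {"user": username, "expires": now + SESSION_TTL_SECONDS}
    return session_id


def set_cookie_header(session_id: str) -> str:
    """Set-Cookie header for the login response.

    HttpOnly keeps JavaScript from reading the ID, Secure limits it to HTTPS,
    SameSite=Lax stops most cross-site request forgery.
    """
    return (f"Set-Cookie: sid={session_id}; HttpOnly; Secure; SameSite=Lax; "
            f"Path=/; Max-Age={SESSION_TTL_SECONDS}")


def lookup_session(session_id: str, now: Optional[float] = None) -> Optional[str]:
    """Resolve the ID from a request's cookie to a username, or None.

    Expired records are deleted on sight; a valid hit extends the idle timeout.
    """
    now = time.time() if now is None else now
    record = _sessions.get(session_id)
    if record is None:
        return None
    if record["expires"] <= now:
        del _sessions[session_id]
        return None
    record["expires"] = now + SESSION_TTL_SECONDS
    return record["user"]


def destroy_session(session_id: str) -> None:
    """Logout: removing the record invalidates the cookie server-side, so a
    copy of it that leaked earlier stops working too."""
    _sessions.pop(session_id, None)


if __name__ == "__main__":
    sid = create_session("alice")
    print(set_cookie_header(sid))
    print(lookup_session(sid))      # alice
    destroy_session(sid)
    print(lookup_session(sid))      # None
```

The point of keeping all state on the server is that the cookie carries no information and can be killed instantly; the trade-off against tokens (next cards) is that every request costs a store lookup.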
How does token-based authentication work?
After login the server issues a signed token (e.g., a JWT) carrying the user's claims. The client sends it with each request, typically in an `Authorization: Bearer <token>` header, and the server checks the signature and expiry instead of looking anything up. That is what makes it stateless, and also why revoking a token before it expires is hard.
What are the components of a JSON Web Token (JWT)?
- Header: the signing algorithm (alg) and token type.
- Payload: the claims (e.g., sub, exp, roles). It is Base64url-encoded, not encrypted, so anyone holding the token can read it.
- Signature: an HMAC or digital signature over the encoded header and payload. It proves the token was issued by the key holder and has not been altered; the verifier must pin the algorithm it accepts rather than trust the header's alg.
What is OAuth 2.0, and what is its primary use case?
OAuth 2.0 is an authorization framework that lets a user grant a third-party application limited access to their resources at another service without handing over their password. Example: allowing a calendar app to read your Google Calendar. Note that "Log in with Google" is authentication, which plain OAuth 2.0 does not define; that needs OIDC (next card).
How does OpenID Connect (OIDC) extend OAuth 2.0?
OIDC adds an identity layer on top of the OAuth 2.0 authorization-code flow. Alongside the access token the provider issues an ID token, a signed JWT with claims such as iss, sub, aud, exp and nonce that the client validates to authenticate the user, and exposes a UserInfo endpoint for profile data. This is what turns "Log in with Google" into actual authentication rather than just delegated access.
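The exchange behind the two cards above (OAuth 2.0 authorization code flow and the OIDC identity layer), as an added example that is not part of the flashcard deck: client and authorization server are both in-process so the messages can be followed end to end. The client id `cal-app`, the URLs, the user `alice` and the scopes are constructed, and the ID token is returned as a plain dict of claims where a real one is a signed JWT.

```python
# Added example, not from the flashcard deck: the authorization-code exchange
# between a client app and an authorization server, with PKCE and state, and
# the OIDC ID token that turns it into a login. Everything is in-process: the
# client id "cal-app", the URLs, the user "alice" and the scopes are constructed,
# and the ID token is a plain dict of claims where a real one is a signed JWT.
import base64
import hashlib
import secrets
import time
from typing import Dict, Optional

ISSUER = "https://as.example"                 # constructed issuer URL


def _s256(verifier: str) -> str:
    """PKCE: code_challenge = BASE64URL(SHA256(code_verifier))."""
    return base64.urlsafe_b64encode(hashlib.sha256(verifier.encode()).digest()).rstrip(b"=").decode()


class AuthorizationServer:
    def __init__(self) -> None:
        self.clients = {"cal-app": "https://cal-app.example/cb"}   # client_id -> registered redirect_uri
        self.codes: Dict[str, dict] = {}                             # one-time authorization codes
        self.access_tokens: Dict[str, dict] = {}

    def authorize(self, params: dict, user: str) -> dict:
        """The user logged in at the AS and consented; redirect back with a code."""
        if self.clients.get(params["client_id"]) != params["redirect_uri"]:
            raise ValueError("unregistered redirect_uri")   # never send a code anywhere else
        code = secrets.token_urlsafe(32)
        self.codes[code] = {**params, "user": user}
        return {"code": code, "state": params["state"]}   # query parameters of the redirect

    def token(self, client_id: str, code: str, redirect_uri: str, verifier: str, now: float) -> Optional[dict]:
        """Token endpoint: the client exchanges the code (plus PKCE verifier) for tokens."""
        grant = self.codes.pop(code, None)                 # single use: a replayed code fails
        if grant is None or grant["client_id"] != client_id or grant["redirect_uri"] != redirect_uri:
            return None
        if not secrets.compare_digest(_s256(verifier), grant["code_challenge"]):
            return None                                    # PKCE: a stolen code is useless without the verifier
        access = secrets.token_urlsafe(32)
        self.access_tokens[access] = {"user": grant["user"], "scope": grant["scope"]}
        resp = {"access_token": access, "token_type": "Bearer", "expires_in": 600}
        if "openid" in grant["scope"].split():             # OIDC: the identity layer
            resp["id_token"] = {"iss": ISSUER, "sub": grant["user"], "aud": client_id,
                                "iat": now, "exp": now + 300, "nonce": grant["nonce"]}
        return resp


class ClientApp:
    client_id, redirect_uri = "cal-app", "https://cal-app.example/cb"

    def __init__(self) -> None:
        self.pending: Dict[str, dict] = {}                 # state -> values we must check later

    def start(self, scope: str) -> dict:
        """Build the authorization request the browser is redirected with."""
        verifier = secrets.token_urlsafe(32)
        state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self.pending[state] = {"verifier": verifier, "nonce": nonce}
        return {"response_type": "code", "client_id": self.client_id, "redirect_uri": self.redirect_uri,
                "scope": scope, "state": state, "nonce": nonce,
                "code_challenge": _s256(verifier), "code_challenge_method": "S256"}

    def callback(self, server: AuthorizationServer, params: dict, now: float) -> Optional[dict]:
        """Handle the redirect back: check state, exchange the code, validate the ID token."""
        pending = self.pending.pop(params.get("state", ""), None)
        if pending is None:
            return None                                    # state we never issued: CSRF or mix-up
        resp = server.token(self.client_id, params.get("code", ""), self.redirect_uri, pending["verifier"], now)
        if resp is None:
            return None
        idt = resp.get("id_token")
        if idt is not None and (idt["iss"] != ISSUER or idt["aud"] != self.client_id
                                or idt["nonce"] != pending["nonce"] or idt["exp"] <= now):
            return None                                    # not minted for us by our issuer, or replayed
        return resp


def run_flow(scope: str, now: Optional[float] = None):
    """Drive one complete exchange; returns (server, client, redirect params, token response)."""
    now = time.time() if now is None else now
    server, client = AuthorizationServer(), ClientApp()
    redirect = server.authorize(client.start(scope), user="alice")
    return server, client, redirect, client.callback(server, redirect, now)


if __name__ == "__main__":
    _, _, _, resp = run_flow("openid calendar.read")
    print(resp["id_token"]["sub"], resp["access_token"][:8] + "...")   # alice ...
```

Request `calendar.read` alone and the response is pure OAuth 2.0: an access token and nothing about who the user is. Add the `openid` scope and the same exchange also returns the ID token the client checks; that difference is the whole of the OIDC card.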
What is MFA, and why is it important?
MFA requires two or more factors from different categories (something you know, something you have, something you are), e.g., a password plus a TOTP code or a security key. A password that is guessed, leaked or phished is then not enough on its own. Factors differ in strength: SMS and app-generated codes can still be phished in real time, while FIDO2/WebAuthn keys are phishing-resistant because the response is bound to the site's origin.
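The "one-time code" factor from the card above, as an added example that is not part of the flashcard deck: HOTP (RFC 4226) and TOTP (RFC 6238) with SHA-1 as authenticator apps implement them, plus a verifier that tolerates clock skew and blocks replay. The Base32 secret is the RFC test secret, not a real enrolment.

```python
# Added example, not from the flashcard deck: the "one-time code" factor,
# RFC 4226 HOTP / RFC 6238 TOTP with SHA-1, as authenticator apps implement
# it. The secret used in __main__ is the RFC test secret, not a real enrolment.
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, int(at) // step, digits)


def verify_totp(secret: bytes, code: str, at: float, last_counter: int = -1,
                step: int = 30, window: int = 1) -> Optional[int]:
    """Return the accepted counter, or None.

    Accepts +-window steps to tolerate clock skew, compares in constant time,
    and refuses any counter at or below the last one accepted for this user
    (the caller persists that value), so a code that was just used, or was
    intercepted, cannot be replayed inside the window.
    """
    counter = int(at) // step
    for candidate in range(counter - window, counter + window + 1):
        if candidate <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, candidate).encode(), code.encode()):
            return candidate
    return None


def secret_from_base32(text: str) -> bytes:
    """otpauth:// enrolment URIs carry the shared secret in Base32."""
    return base64.b32decode(text.upper())


if __name__ == "__main__":
    secret = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")   # RFC 6238 test secret
    now = time.time()
    code = totp(secret, now)
    print(code, verify_totp(secret, code, now))
```

The server must also rate-limit verification attempts: a 6-digit code with a three-step window gives an attacker about a 3 in 10^6 chance per guess, which is only safe if guesses are scarce.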
Why is password hashing important, and what algorithms are commonly used?
Hashing stores a one-way derivation of the password rather than the password itself, so a leaked database does not directly reveal it. Password hashes must be salted (a unique random salt per password) and deliberately slow or memory-hard, so that offline guessing against the dump is expensive; fast general-purpose hashes such as MD5 or plain SHA-256 are unsuitable. Common algorithms: Argon2id, bcrypt, scrypt, PBKDF2.
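Salted, slow password hashing as described in the card above, as an added example that is not part of the flashcard deck. It uses PBKDF2-HMAC-SHA256 because that is the one option in the Python standard library (Argon2id and bcrypt need a third-party package); the record format and function names are choices made for this example, and the iteration count follows OWASP's published recommendation for PBKDF2-HMAC-SHA256.

```python
# Added example, not from the flashcard deck: salted, slow password hashing
# with PBKDF2-HMAC-SHA256 from the standard library (Argon2id or bcrypt need a
# third-party package). The record format and function names are choices made
# for this example; the iteration count follows OWASP's published
# recommendation for PBKDF2-HMAC-SHA256.
import base64
import hashlib
import hmac
import os

ITERATIONS = 600_000
ALGORITHM = "pbkdf2_sha256"


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.b64decode(text)


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$hash.

    A fresh 16-byte random salt per password means two users with the same
    password get different hashes and precomputed tables are useless; the
    iteration count makes every guess cost the attacker as much as it costs us.
    """
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return "$".join([ALGORITHM, str(iterations), _b64(salt), _b64(dk)])


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iters, salt_b64, dk_b64 = stored.split("$")
    except ValueError:
        return False
    if algo != ALGORITHM:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), _unb64(salt_b64), int(iters), dklen=32)
    return hmac.compare_digest(dk, _unb64(dk_b64))


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True when the record uses an older, weaker work factor or algorithm.

    The application should call this right after a successful login and
    rehash then, since that is the only moment it holds the plaintext.
    """
    algo, iters, _, _ = stored.split("$")
    return algo != ALGORITHM or int(iters) < iterations


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))   # True
    print(verify_password("Tr0ub4dor&3", record))                    # False
```

Storing the algorithm and iteration count in the record is what lets the work factor be raised over time without a migration: old records keep verifying, and `needs_rehash` upgrades each one at the user's next login.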
What is the purpose of a refresh token in authentication?
A refresh token is a long-lived credential presented to the token endpoint to obtain a new short-lived access token when the old one expires, so the user is not asked to log in again. Because it is effectively a standing login, it must be stored more carefully than the access token, be revocable server-side, and ideally be rotated on every use so that a replayed (stolen) refresh token can be detected.
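The rotation-with-reuse-detection pattern from the card above, as an added example that is not part of the flashcard deck: short-lived access tokens, single-use refresh tokens, and a token "family" per login that is revoked wholesale when a refresh token is presented twice. Tokens are opaque random strings in an in-memory store; the lifetimes and names are choices made for this example.

```python
# Added example, not from the flashcard deck: short-lived access tokens paired
# with refresh tokens that are rotated on every use, with reuse detection that
# revokes the whole token family. Tokens are opaque random strings held in an
# in-memory store; lifetimes and names are choices made for this example.
import secrets
from typing import Dict, Optional, Set, Tuple

ACCESS_TTL = 10 * 60            # short: bounds the damage from a leaked access token
REFRESH_TTL = 30 * 24 * 3600    # long: this is what keeps the user logged in


class TokenService:
    def __init__(self) -> None:
        self.access: Dict[str, dict] = {}       # token -> {user, family, expires}
        self.refresh: Dict[str, dict] = {}      # token -> {user, family, expires, used}
        self.revoked_families: Set[str] = set()

    def login(self, user: str, now: float) -> Tuple[str, str]:
        """After authentication: start a new token family, issue the first pair."""
        return self._issue(user, secrets.token_hex(8), now)

    def _issue(self, user: str, family: str, now: float) -> Tuple[str, str]:
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access[access] = {"user": user, "family": family, "expires": now + ACCESS_TTL}
        self.refresh[refresh] = {"user": user, "family": family,
                                 "expires": now + REFRESH_TTL, "used": False}
        return access, refresh

    def check_access(self, access: str, now: float) -> Optional[str]:
        """Resource-server check: whose access token is this, if still valid?"""
        rec = self.access.get(access)
        if rec is None or rec["expires"] <= now or rec["family"] in self.revoked_families:
            return None
        return rec["user"]

    def refresh_tokens(self, refresh: str, now: float) -> Optional[Tuple[str, str]]:
        """Token endpoint: trade a refresh token for a fresh (access, refresh) pair.

        Each refresh token works exactly once. If one is presented a second
        time, the legitimate client and an attacker both hold a copy and we
        cannot tell which is which, so everything descended from that login is
        revoked and the user has to authenticate again.
        """
        rec = self.refresh.get(refresh)
        if rec is None or rec["expires"] <= now or rec["family"] in self.revoked_families:
            return None
        if rec["used"]:
            self.revoked_families.add(rec["family"])    # reuse detected
            return None
        rec["used"] = True
        return self._issue(rec["user"], rec["family"], now)

    def logout(self, refresh: str) -> None:
        """Explicit revocation: the whole family, access tokens included."""
        rec = self.refresh.get(refresh)
        if rec is not None:
            self.revoked_families.add(rec["family"])


if __name__ == "__main__":
    svc = TokenService()
    at, rt = svc.login("alice", now=0.0)
    print(svc.check_access(at, 60.0))                        # alice
    at2, rt2 = svc.refresh_tokens(rt, ACCESS_TTL + 1.0)      # normal rotation
    print(svc.refresh_tokens(rt, ACCESS_TTL + 2.0))          # None: old token replayed
    print(svc.check_access(at2, ACCESS_TTL + 3.0))           # None: family revoked
```

With stateless JWT access tokens the revocation above would apply only at the next refresh, which is why access-token lifetimes are kept to minutes: the refresh token is the point where the server regains control.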
What is Single Sign-On (SSO), and how does it work?
SSO lets a user authenticate once with an identity provider (IdP) and then use multiple applications (service providers or relying parties) without entering credentials again. Each application redirects the user to the IdP, which returns a signed assertion (SAML) or ID token (OIDC) that the application verifies against the IdP's published keys. The applications trust the IdP; they do not pass tokens to each other.