Category:Web Application Authentication Schemes

From OWASP

This category is used to mark articles that describe authentication schemes and frameworks.

In authentication, an entity proves that it is who it claims to be, typically by demonstrating knowledge or possession of an agreed secret. This differs from identification, in which an entity is identified but its claim is not verified. The entity in this context can be a person, a system, or a service call.

The secret can be one or more of the following.

  • something you know (e.g. a password)
  • something only you have (e.g. a smart card)
  • something you are (e.g. a fingerprint)
  • somewhere you are (e.g. a particular IP address)

Each factor has its strengths and weaknesses, so the first question is which one(s) to choose. Further questions follow.

  • How do we verify whether an entity is already authenticated?
  • How do we inform an entity that it needs to authenticate first?
  • How are credentials transferred from one party to the other?
  • How are credentials verified?
  • How do we inform an entity that it has been successfully authenticated?
  • How can we avoid replay attacks?
  • How do we ensure that credentials are never exposed in plaintext?
  • How do we achieve mutual authentication?
  • Will users need different credentials for each system in the enterprise?
  • What if we need to scale up?

An authentication scheme addresses such questions and provides an open standard for authenticating an entity.

From time to time, authentication schemes have been exploited, and new schemes have evolved to address the resulting security concerns. Other schemes appeared to meet business requirements such as scalability and single sign-on. Today there are many of them.

This category page collects pages describing the various web application authentication schemes deployed so far.
