The Future of Authentication: Tokens

The emergence of Token Based Authentication brought the World Wide Web one step closer towards a more convenient and consistent user experience across a variety of service providers. By dynamically generating a token, a user is be able to login with a pre-defined identity on a new service-provider. All this without ever sharing this information with the service provider or having to fill-out a tedious sign-up form.

Today, nearly all of the popular social networks allow Token Based Authentication (the standard is JWT — JSON Web Token). Probably many people here have used Facebook Connect or OAuth for logging into a new website conveniently with an existing identity and saved filling out another annoying Sign Up form in the process. An interesting example is shown below: Would you rather fill out the Sign in form on the right or simply click a button on the left and gain instant access to the service provider?

The answer to that is a unanimous “YES”. But JWT offers so much more than just the convenience factor. Lets take a look.

One Token to Rule them All

Token Based Authentication brings with it many advantages, lets list some of the major advantages:

Everything in one token

Tokens are self-contained entities, which means that all the information required for authentication about you is contained in a simple token that can be sent cross-domain. Lets examine what such a JSON token looks like (check out http://jwt.io/, it’s really cool):

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkRvbWluaWsgU2NoaWVuZXIiLCJhZG1pbiI6dHJ1ZX0.PxuM-l4UnLvUI-LgtYdUw6_FhTb29xzRp36FlJQvhaQ

The tokens consists of 3 parts:

  • Header: Containing information about the type and the hashing algorithm used
  • Payload (or Body): Containing the actual information (or claims) about the identity
  • Signature: Which is a signature of the hash of header and payload to ensure authenticity

In the above example, HMAC SHA256 has been used for hashing the information with “secret” as password. We can then use this to decipher the 2 parts of the token.

The Header’s hashed information (eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9) decodes into:

{
 “alg”: “HS256”,
 “typ”: “JWT”
}

The Payload’s hashed information is (eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkRvbWluaWsgU2NoaWVuZXIiLCJhZG1pbiI6dHJ1ZX0) decodes into:

{
 “sub”: “1234567890”,
 “name”: “Dominik Schiener”,
 “admin”: true
}

Stateless

The tokens are never stored on the servers of the service provider. Instead, you (the client) send the same token to the service provider in future authentication requests. This not only offers advantages to you, as only you store the token and use it for authentication purposes, but also for the service provider who no longer has to store any unnecessary data on servers, thus increasing scalability and decreasing costs.

Farewell Cookies

On each authentication request, the token instead of a cookie is used, which means that cookies can be replaced for authentication purposes on websites. With cookies out of the picture, CSRF (Cross-Site Request Forger) are impossible since there is no session information stored in a cookie.

Control for the user

With token based authentication the user knows exactly which information of his identity gets shared with a specific service provider and can potentially even revoke access to that provider. This is a huge step forward to giving users finally more control over their identity and whom they are in information exchange with. Additionally, tokens expire after a predefined amount of time, which means that the user needs to re-authenticate a service provider.


Bitcoin Web Authentication Token

Now with this information about the future of authentication, we can apply this new technology to the Identity System prototype we showcased last time (http://composui.com/2015/09/08/a-treatise-on-identity-part-2-a-new-identity-model-with-prototype/). To quickly recap what I’ve created: it’s a simple program that makes it possible for a user to authenticate a new entity with a password, an image/file or even a fingerprint; create arbitrary identities and anchor them into the Bitcoin Blockchain and authorize service providers access to specific attributes of an identity.

What I’ve developed now is a “Bitcoin Web Authentication Token” that makes it possible to use one’s identity with websites online. To make this possible I added a simple API to the Python program using Flask (API is required to send information to other servers) and also coded a prototype website using Node.js. You can check out the new code on Github.

Here is a video showcasing the authentication process:


This is the uniquely generated token of my Bitcoin identity:

eyd0eXAnOiAnYnd0J30=.W3snbGFuZ3VhZ2UnOiAnZ2VybWFuJ30sIHsnY291bnRyeSc6ICdpdGFseSd9LCB7J2RhdGUtb2YtYmlydGgnOiAnMDEuMDEuMTk5NSd9LCB7J2ZpcnN0LW5hbWUnOiAnZG9taW5payd9XQ==.G4E2FKjuh28ealfiBZy6b7glSOXhONhdVO6dXS6hUUamEf1aLIXUomJ8vKOs3w7csmXllU8/olmbA2V4OcASoBI=

For demonstration purposes, I have not hashed the identity using HMAC SHA256, instead I just encoded the data into Base64 and generated a signature. If we decode the parts, we get the following result:

Header:

{‘typ’: ‘bwt’}

Body:

[
{‘language’: ‘german’},
{‘country’: ‘italy’},
{‘date-of-birth’: ‘01.01.1995’},
{‘first-name’: ‘dominik’}
]

And the Signature, for which we are simply using our entities Bitcoin private key to create a signature of body and header combined:

G4E2FKjuh28ealfiBZy6b7glSOXhONhdVO6dXS6hUUamEf1aLIXUomJ8vKOs3w7csmXllU8/olmbA2V4OcASoBI=


Conclusion

This is just a simple demonstration of token based authentication and how it can be greatly applied to our identity prototype. Tokens are most certainly the future of authentication as they bring convenience, security and much better performance for everyone involved in the authentication process.