You Can't Understand Authentication Without this


AUTHENTICATION

(Conceptual + Developer Point of View)


1. What is Authentication?

Authentication is the process of verifying the identity of a user, device, or system before allowing access to resources.

👉 It answers the question:
“Who are you?”

Simple Definition

Authentication ensures that an entity is genuinely who or what it claims to be.

Examples

  • Logging into email using username and password

  • Unlocking a phone using fingerprint

  • An API verifying a JWT


2. Authentication vs Authorization

Aspect      Authentication          Authorization
Meaning     Identity verification   Permission checking
Question    Who are you?            What can you do?
Order       First                   After authentication
Example     Login                   Access admin page

3. Authentication Factors (Foundation)

Authentication methods are based on factors:

  1. Something you know
    (Password, PIN)

  2. Something you have
    (OTP, smart card, phone)

  3. Something you are
    (Biometrics)


4. User-Level Types of Authentication

4.1 Single-Factor Authentication (SFA)

Definition:
Uses only one factor, usually a password.

Working

  1. User enters username

  2. User enters password

  3. System verifies credentials

  4. Access granted or denied

Where to Use

  • Low-security systems

  • Personal devices

Characteristics

✔ Simple
✔ Fast
✖ Weak security
✖ Vulnerable to attacks

Diagram 





4.2 Two-Factor Authentication (2FA)

Definition:
Uses two different authentication factors.

Working

  1. Password verification

  2. OTP sent to device

  3. OTP verified

  4. Access granted

Examples

  • ATM card + PIN

  • Email + OTP

Where to Use

  • Banking

  • Email

  • Social media

Characteristics

✔ Better security
✔ Protects against stolen passwords
✖ Slightly slower

Diagram 




4.3 Multi-Factor Authentication (MFA)

Definition:
Uses two or more independent factors.

Factors Used

  • Password

  • OTP / hardware token

  • Biometric

Where to Use

  • Enterprises

  • Cloud platforms

  • Military systems

Characteristics

✔ Very high security
✔ Strong attack resistance
✖ Complex setup
✖ Costly

Diagram 




5. Biometric Authentication

Definition:
Authentication using biological characteristics.

Types

  • Fingerprint

  • Face recognition

  • Iris scan

  • Voice recognition

Working

  1. Biometric captured

  2. Compared with stored template

  3. Match → Access

Characteristics

✔ Very secure
✔ Convenient
✖ Privacy risks
✖ Cannot be changed if leaked

Diagram




6. Certificate-Based Authentication

Definition:
Authentication using digital certificates issued by a trusted authority (CA).

Working

  1. Client sends certificate

  2. Server verifies the certificate's signature chain against a trusted CA

  3. Secure connection established

Use Cases

  • HTTPS

  • Enterprise networks

  • Secure APIs

Characteristics

✔ Very secure
✔ No passwords
✖ Certificate management overhead

Diagram 




AUTHENTICATION (Developer Point of View)


7. Why Developers Need Special Authentication Mechanisms

  • HTTP is stateless

  • Servers must remember authenticated users

  • Requires sessions, tokens, or identity providers


8. Common Developer Authentication Approaches

  1. Session-Based Authentication

  2. Token-Based Authentication (JWT)

  3. OAuth 2.0

  4. OpenID Connect (OIDC)

  5. API Key Authentication


9. Session-Based Authentication

What is it?

Server stores authentication state using sessions.

Working

  1. User logs in

  2. Server creates session ID

  3. Session stored server-side

  4. Session ID sent in cookie

  5. Cookie sent with each request

Where to Use

  • Traditional web apps

  • Server-rendered applications

Characteristics

✔ Easy logout
✔ Simple
✖ Harder to scale (every server must share the session store)
✖ Hard for microservices

Diagram
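The five steps above, as an added Python example that is not code from the original article: the server-side store, a random session ID delivered in a cookie, lookup on each request, and the instant logout that server-side state makes possible. The one-hour lifetime and the in-memory dict standing in for Redis or a database are assumptions.

```python
import secrets
import time

SESSION_TTL = 3600  # constructed value: sessions expire after one hour

# Server-side session store: session ID -> {"user": ..., "expires": ...}.
# This is the state that makes the approach stateful; in production it lives in
# Redis or a database so every app instance can see it (the scaling cost).
SESSIONS = {}


def login(username: str, now=None) -> str:
    """Called only after the credentials were verified. Returns the new session ID."""
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)  # 256 random bits; never a counter or a user ID
    SESSIONS[sid] = {"user": username, "expires": now + SESSION_TTL}
    return sid


def set_cookie_header(sid: str) -> str:
    """Response header carrying the session ID. HttpOnly keeps it away from page
    scripts, Secure keeps it off plain HTTP, SameSite=Lax blunts cross-site requests."""
    return f"Set-Cookie: sid={sid}; HttpOnly; Secure; SameSite=Lax; Path=/"


def current_user(cookie_header: str, now=None):
    """Resolve the 'sid' cookie of an incoming request to a username, or None."""
    now = time.time() if now is None else now
    cookies = dict(p.strip().split("=", 1) for p in cookie_header.split(";") if "=" in p)
    sid = cookies.get("sid", "")
    session = SESSIONS.get(sid)
    if session is None:
        return None
    if session["expires"] < now:  # expired: purge so the store does not grow forever
        SESSIONS.pop(sid, None)
        return None
    return session["user"]


def logout(sid: str) -> bool:
    """'Easy logout': deleting the server-side entry makes the cookie useless at once."""
    return SESSIONS.pop(sid, None) is not None
```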




10. Token-Based Authentication

What is it?

Authentication using self-contained tokens, not server sessions.

Working

  1. User logs in

  2. Token generated

  3. Client stores token

  4. Token sent in headers

  5. Server validates token

Use Cases

  • REST APIs

  • Microservices

  • Mobile apps

Characteristics

✔ Stateless
✔ Scalable
✖ Token revocation difficult

Diagram 




11. JWT (JSON Web Token)

What is JWT?

A stateless, compact, signed token used for authentication.

JWT Structure

HEADER.PAYLOAD.SIGNATURE

Part        Purpose
Header      Algorithm info
Payload     Claims (user data)
Signature   Prevents tampering

Working

  1. Login success

  2. JWT created and signed

  3. Client stores JWT

  4. JWT sent in Authorization header

  5. Server verifies signature

Where to Use

  • SPAs

  • REST APIs

  • Mobile apps

Characteristics

✔ No server storage
✔ Fast
✖ Cannot easily revoke
✖ Payload is readable by anyone holding the token (encoded, not encrypted)

Diagram 




12. OAuth 2.0

What is OAuth?

An authorization framework (not authentication).

OAuth answers: “Can this app access user data?”

Real Examples

  • Login with Google

  • Login with GitHub

OAuth Roles

Role                    Description
Resource Owner          User
Client                  App
Authorization Server    Google
Resource Server         API

Authorization Code Flow

  1. User redirected to provider

  2. User gives consent

  3. Authorization code returned

  4. Code exchanged for token

  5. Token accesses API

Characteristics

✔ No password sharing
✔ Secure delegation
✖ Complex

Diagram 




13. OpenID Connect (OIDC)

What is OIDC?

Authentication layer on top of OAuth 2.0

OAuth + Identity = OIDC

Key Concept

  • ID Token (JWT) confirms user identity

Working

  1. OAuth login

  2. Access token + ID token issued

  3. ID token verified

  4. User authenticated

Use Cases

  • SSO

  • Enterprise login

  • Cloud services

Diagram 
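Step 3, "ID token verified", is more than a signature check: the relying party must also confirm who issued the token, that it was issued for this client, that it is fresh, and that it answers the login request it started (the nonce). The following is an added Python example, not code from the original article; it assumes the ID token's JWT signature has already been verified, a 60-second clock skew, and constructed issuer, client and user values.

```python
import hmac
import time


def validate_id_token_claims(claims: dict, issuer: str, client_id: str,
                             expected_nonce: str, now=None, skew: int = 60) -> str:
    """Claim checks for an OIDC ID token whose signature was already verified.
    Returns the 'sub' claim (the stable user identifier) or raises ValueError."""
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise ValueError("iss mismatch: issued by a different provider")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        raise ValueError("aud mismatch: issued for a different client")
    if len(audiences) > 1 and claims.get("azp") != client_id:
        raise ValueError("azp must name this client when aud has several entries")
    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, (int, float)) or now > exp + skew:
        raise ValueError("exp missing or token expired")
    if not isinstance(iat, (int, float)) or iat > now + skew:
        raise ValueError("iat missing or in the future")
    nonce = str(claims.get("nonce", ""))
    if not expected_nonce or not hmac.compare_digest(nonce, expected_nonce):
        raise ValueError("nonce mismatch: token does not belong to this login request")
    sub = claims.get("sub")
    if not isinstance(sub, str) or not sub:
        raise ValueError("sub missing")
    return sub


def account_key(claims: dict) -> str:
    """Key local accounts on (iss, sub), never on email, which can change or be unverified."""
    return f"{claims['iss']}|{claims['sub']}"


def is_valid_id_token(claims, issuer, client_id, expected_nonce, now=None) -> bool:
    try:
        validate_id_token_claims(claims, issuer, client_id, expected_nonce, now)
        return True
    except ValueError:
        return False
```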




14. API Key Authentication

What is it?

Authentication using a static API key.

Working

  1. Client sends API key

  2. Server validates key

  3. Access granted

Use Cases

  • Internal APIs

  • Server-to-server calls

Characteristics

✔ Simple
✔ Fast
✖ Weak security
✖ Not user-based

Diagram 
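A static key is only as safe as the way it is stored and compared, which is where the "weak security" of this method usually comes from. The following is an added Python example, not code from the original article: keys are issued to a service rather than a user, only a hash is stored server-side, the comparison is constant-time, and revocation is explicit because static keys never expire on their own. The `<key_id>.<secret>` format and the in-memory table are assumptions.

```python
import hashlib
import hmac
import secrets

# Server-side table: key ID -> {"hash": ..., "owner": ..., "revoked": ...}.
# Only a hash of the secret part is stored, so a leaked table yields no usable keys.
API_KEYS = {}


def _hash(secret: str) -> str:
    # SHA-256 is enough because the secret is 256 random bits; slow password hashes
    # exist to protect low-entropy human passwords, which these keys are not.
    return hashlib.sha256(secret.encode()).hexdigest()


def issue_api_key(owner: str) -> str:
    """Create a key for a service (not a person: API keys are 'not user-based') and
    return it once. Constructed format <key_id>.<secret>: the key ID gives a direct
    lookup so the server never scans every stored hash."""
    key_id = secrets.token_hex(8)
    secret = secrets.token_urlsafe(32)
    API_KEYS[key_id] = {"hash": _hash(secret), "owner": owner, "revoked": False}
    return f"{key_id}.{secret}"


def authenticate_api_key(presented: str):
    """Return the owner for a valid, unrevoked key, else None."""
    key_id, sep, secret = presented.partition(".")
    record = API_KEYS.get(key_id)
    if not sep or record is None or record["revoked"]:
        return None
    # Constant-time comparison so timing does not reveal how many bytes matched.
    if not hmac.compare_digest(_hash(secret), record["hash"]):
        return None
    return record["owner"]


def revoke_api_key(presented_or_id: str) -> bool:
    """Static keys cannot expire on their own, so revocation has to be explicit."""
    record = API_KEYS.get(presented_or_id.partition(".")[0])
    if record is None:
        return False
    record["revoked"] = True
    return True
```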




15. Comparison Table (Complete View)

Method     Stateful   Security    Scalability   Use Case
SFA        Yes        Low         Low           Basic systems
2FA        Yes        Medium      Medium        Banking
MFA        Yes        Very High   Medium        Enterprises
Session    Yes        Medium      Low           Web apps
JWT        No         High        High          APIs
OAuth      No         Very High   High          Social login
OIDC       No         Very High   High          SSO
API Key    No         Low         Medium        Internal APIs

16. Key Exam & Interview Takeaways

  • Authentication verifies identity

  • Authorization controls permissions

  • JWT is stateless

  • OAuth ≠ Authentication

  • OIDC = OAuth + Identity

  • MFA is strongest user-level security


17. One-Line Memory Hooks

  • Password → Knowledge

  • OTP → Possession

  • Biometric → Identity

  • Session → Server remembers

  • JWT → Token remembers

  • OAuth → Delegate access

  • OIDC → Verify identity


If you want next, I can give you:

  • Exam-ready short answers

  • JWT vs Session (deep)

  • OAuth flows with diagrams

  • Spring Boot / Node.js auth code

  • Security pitfalls & best practices

Just tell me 👍
