CROSP

Token Based Authentication: how secure is it?

Hi, I am a full-stack developer, mainly focused on native mobile applications and the server-side API that exposes resources to the client. Since I am developing native mobile clients, there is no way to use web-based authentication methods like sessions. A REST API is stateless, so the most proper and widely used method is token authentication.
I have read a lot about different possible ways of securing an API, for instance for e-commerce applications like online stores, where it is important to secure the connection.
I know a lot of different ways to secure an API, but all of them seem insecure to me.
Let me explain what I cannot understand.

Why not use login and password?
By default in many web apps, you can do anything using your login and password (change password, buy, ...), so this is the most sensitive data and it should be secured.
For example, storing the password + login directly on the mobile device is a bad idea, since it can easily be stolen by malicious applications on rooted devices.
And sending password + login each time you need to access secured resources is a really bad idea.
So token auth came along to make this communication more secure and flexible.
I will not take OAuth into consideration, because it requires a separate server where again you need to enter password + login in order to grant some permissions to some app.

Let's consider some kinds of token auth.

  1. A simple token generated after the first login with password + login and stored somewhere, indicating that the user is logged in. This is similar to sessions, but the user should send the token with each request (in the case of sessions the browser does this work, sending cookies).

  2. The second type is the JWT token, which is becoming more popular now. It is a great idea to store all the information inside the token. At first I was wondering how the server can identify the user on the second request, where only the token is passed and it is not stored on the server in some table. But then I got it: because the token is signed with some secret and each token contains some unique information (no hash collisions), the server can encrypt it by itself and check whether it matches the one passed by the user. A great idea which is good for REST, as it is stateless.

But my question is: how secure is token auth without HTTPS?
Let's consider an example: an attacker has stolen the token, so what is the difference between a stolen password and a stolen token? Of course, mostly the token doesn't allow you to change the password and restricts other actions with the account, but anyway the attacker has stolen the token and can access private information now.
It is okay if the token allows only viewing some information, but what if the token allows you to make a purchase in an online store, or transfer money? The attacker can do anything now, make orders, ... Of course you can request login + password before such actions as a purchase, but users won't like this.
Surely the token has an expiry time and will expire, but if the attacker has the token he can request a refresh token or just do bad stuff while the token is valid.

In this case the token seems useless. Of course with HTTPS it is much more secure, but using HTTPS you can send sensitive data without a mechanism like token auth, just send password and login. If the attacker breaks the secure channel, nothing will help you in this case?

Sorry, maybe I have not described it clearly enough, but the main question is how token auth will work if the attacker obtains the token.

Thanks for any help in advance.

Corez64
Best Answer

Hi @CROSP I don't claim to be anything like an expert on this topic but here are my thoughts:

OAuth is fine; you can send a username and password from your mobile app to your API to generate the access token. It is called a Password Grant, but you should only use it where you control both the app and the server. Spotify use it for their mobile and desktop apps.

Your question about how a token is secure without HTTPS, simple answer: it isn't. If you are transferring data like this over the internet you MUST secure it with HTTPS. For example, it is part of the OAuth 2.0 specification that any communication between the client and server is secured with TLS. StackOverflow - Are OAuth2 client apps required to have SSL connection? - IETF RFC 6749 OAuth 2.0 Specification

I believe that OAuth 1 has extra security systems in place that mean it doesn't need to run under HTTPS, but I don't know enough about it to confirm that; might be worth a look. OAuth 2.0 and the Road to Hell (look at the section under the heading Bearer tokens, but it's only a reference).

Also it is still a bad idea to send a username and password with every request, even over HTTPS. If you send these credentials, the entire account is compromised and the password would need to be reset for the account, whereas if you are using a token you would only need to reset that token and the account is secure again and all other locations remain secure. Also if you are using OAuth2, for example, you can have tokens expire and regenerate themselves over a period of time (like a day) and have your client automatically renew the token, enhancing the security even more. Refresh Token Grant

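The two points in the answer above, that a stolen token can be reset on its own without touching the password or other devices, and that a short-lived access token can be renewed with a refresh token, as an added example that is not code from the answer or from any OAuth library. It uses opaque random tokens stored server-side by hash, one "family" per login, and goes one step beyond the answer by making refresh tokens single-use so that a replay of an already-rotated refresh token revokes the whole family (refresh token rotation with reuse detection, a common OAuth 2.0 hardening that the thread does not mention). Users, devices, TTLs and the clock are constructed for the example.

```python
import hashlib
import secrets
from typing import Dict, Optional, Tuple

ACCESS_TTL = 15 * 60            # short-lived bearer token (seconds), constructed value
REFRESH_TTL = 30 * 24 * 3600    # longer-lived, single-use refresh token, constructed value


class TokenStore:
    """Server-side registry of opaque tokens, keyed by their SHA-256 hash.

    Storing hashes means a leaked table does not hand out usable tokens.
    Each login gets its own 'family', so one device can be cut off alone.
    """

    def __init__(self) -> None:
        self._access: Dict[str, dict] = {}
        self._refresh: Dict[str, dict] = {}

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, user: str, device: str, now: int) -> Tuple[str, str]:
        """Called once after the password has been verified; returns (access, refresh)."""
        return self._mint(user, device, secrets.token_hex(8), now)

    def _mint(self, user: str, device: str, family: str, now: int) -> Tuple[str, str]:
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self._access[self._key(access)] = {
            "sub": user, "device": device, "family": family, "exp": now + ACCESS_TTL}
        self._refresh[self._key(refresh)] = {
            "sub": user, "device": device, "family": family, "exp": now + REFRESH_TTL, "used": False}
        return access, refresh

    def authenticate(self, access: str, now: int) -> Optional[str]:
        """Bearer check on every request: returns the user id or None."""
        rec = self._access.get(self._key(access))
        if rec is None or rec["exp"] <= now:
            return None
        return rec["sub"]

    def revoke_access(self, access: str) -> None:
        """Invalidate one token ('log out this device'); no password reset, other devices untouched."""
        self._access.pop(self._key(access), None)

    def revoke_family(self, family: str) -> None:
        """Invalidate every access and refresh token descended from one login."""
        for store in (self._access, self._refresh):
            for k in [k for k, rec in store.items() if rec["family"] == family]:
                del store[k]

    def rotate(self, refresh: str, now: int) -> Optional[Tuple[str, str]]:
        """Refresh-token grant with rotation: the presented refresh token is single-use.

        A second presentation of an already-used refresh token means either the
        attacker or the victim is replaying it, so the whole family is revoked.
        """
        rec = self._refresh.get(self._key(refresh))
        if rec is None or rec["exp"] <= now:
            return None
        if rec["used"]:
            self.revoke_family(rec["family"])
            return None
        rec["used"] = True
        return self._mint(rec["sub"], rec["device"], rec["family"], now)


def scenario() -> dict:
    t0 = 1_700_000_000  # constructed clock
    store = TokenStore()
    phone_access, _phone_refresh = store.login("alice", "phone", t0)
    laptop_access, laptop_refresh = store.login("alice", "laptop", t0)
    out = {}
    # 1. A stolen access token works until it expires or is revoked (the question's concern).
    out["stolen_access_works"] = store.authenticate(phone_access, t0 + 60)
    out["stolen_access_expired"] = store.authenticate(phone_access, t0 + ACCESS_TTL)
    # 2. Revoking the phone's token does not touch the laptop and needs no password reset.
    store.revoke_access(phone_access)
    out["phone_after_revoke"] = store.authenticate(phone_access, t0 + 60)
    out["laptop_after_revoke"] = store.authenticate(laptop_access, t0 + 60)
    # 3. The attacker steals the laptop's refresh token and uses it first...
    attacker = store.rotate(laptop_refresh, t0 + 100)
    out["attacker_got_new_pair"] = attacker is not None
    out["attacker_access_works"] = store.authenticate(attacker[0], t0 + 200)
    # ...then the real client presents the same, now used, refresh token: reuse detected.
    out["victim_rotate"] = store.rotate(laptop_refresh, t0 + 300)
    out["attacker_access_after_detection"] = store.authenticate(attacker[0], t0 + 400)
    out["attacker_refresh_after_detection"] = store.rotate(attacker[1], t0 + 400)
    return out
```

Step 3 is the honest limit of the scheme: between the theft and the victim's next refresh the attacker holds a working pair, so the access TTL and refresh interval bound the exposure; what the design guarantees is that the replay is noticed and ends the session without anyone having to change a password.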
CROSP

Thank you for your answer! One more question: why should I use an OAuth 2 server to issue tokens? Why not do this directly on the main server where all data is stored? An OAuth server is great with social networks, to let other applications access user data after permissions are granted. Or do I understand the OAuth mechanism incorrectly?

As I know, the OAuth server is responsible for giving permissions to other applications (without any sensitive data like password and login, only a token and secret), for example to access user information, timeline, posts, statuses or whatever. But in the case of a direct connection to the server (like in my case), when the mobile client connects to the server where all data is stored (online store with products, categories tables and of course the registered users table), why should I create one more layer between user and server?

jekinney

Some send email and other personal data. I mention email as it is considered personal data that, unless the client gives you permission to share it, needs to be secure. Laws cover that, as you may know.

I agree in many cases security can be taken to the extreme. I know a lot of people that use more than one security suite on their PCs. It's not needed and overkill.

Using established tools and guidelines helps alleviate the overkill and speeds up development, along with establishing standards etc. It's not like you're going to rewrite the network stack to make a better connection. Instead use HTTPS and SSL, for example.
