State of Auth and the Evolution of Authentication

Nblocks


In the early days of the internet, authentication was straightforward: users simply signed up with a username and password. This method sufficed while the internet was small. As the number of users and online services grew from millions to billions, however, it became inadequate. The common habit of reusing one password across many accounts turned into a security weakness that hackers exploited with ease. Despite these problems, the alternative, complex login methods requiring external hardware, was impractical for widespread use.

Over the last decade, advances in authentication technology have significantly improved both security and simplicity. As developers, however, we often find that navigating and implementing these authentication methods and protocols is time-consuming and steals focus from core application innovation.

How the internet outgrew passwords

Another major challenge arose for users as they started using all kinds of services, each of which required signing up for a unique account. Since none of us wanted to carry a list of unique passwords, we did what lazy humans do and used the same password for all our accounts. Hackers exploited this by breaching one service and then trying the credentials they obtained to log in to other services.

Initially, authentication systems for web applications used a stateful approach, frequently checking a database to confirm user credentials and authorization. This struggled to scale as internet usage grew. Additionally, letting other services integrate with your application through APIs required machine-to-machine authentication. The shift to stateless methods like JWTs (JSON Web Tokens) was essential for coping with the demands of billions of connected devices.
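To make the stateful/stateless contrast concrete, here is an added example (not code from the Nblocks post) of a minimal JWT issuer and verifier in Python using only the standard library; the secret and claim values are constructed for the demo.

```python
# Added example (not from the Nblocks post): a minimal HS256 JSON Web Token
# issuer and verifier using only the Python standard library. It shows why
# JWTs are "stateless": the server checks the signature and expiry carried in
# the token instead of looking a session up in a database on each request.
import base64
import hashlib
import hmac
import json
import time

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(claims: dict, secret: bytes, ttl_seconds: int, now=None) -> str:
    """Sign `claims` plus issued-at (iat) and expiry (exp) with HMAC-SHA256."""
    now = int(time.time()) if now is None else now
    compact = {"separators": (",", ":")}
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, **compact).encode())
    body = _b64url(json.dumps({**claims, "iat": now, "exp": now + ttl_seconds}, **compact).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_token(token: str, secret: bytes, now=None):
    """Return the claims if the token is authentic and unexpired, else None."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_unb64url(header_b64))
        # Accept only the algorithm we issue with: never let the token's own
        # header pick the algorithm (the "alg": "none" pitfall).
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
        # Constant-time comparison so a forged signature cannot be guessed byte by byte.
        if not hmac.compare_digest(expected, _unb64url(sig_b64)):
            return None
        claims = json.loads(_unb64url(body_b64))
        # exp is checked after the signature, so only authentic claims are trusted.
        if not isinstance(claims, dict) or not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
            return None
        return claims
    except ValueError:  # malformed base64/JSON or wrong number of segments
        return None
```

The trade-off the text describes is visible here: nothing in `verify_token` touches storage, which is why a stolen token stays valid until `exp` unless you reintroduce state (a revocation list).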

The growing number of online services required users to sign up and create a unique account for each one. As users, we are reluctant to manage numerous unique passwords and often reused the same one. This became an issue and gave hackers an easy way to access multiple accounts by breaching just one service.

SSO and OAuth: the dream of logging in once and being authenticated everywhere

Every time authentication technologies and protocols evolved, two things improved: security, and simplicity for users.

One of the big dreams was that you login once and stay logged in across all your systems.

One such evolution was single sign-on (SSO), an authentication mechanism that uses a central server for authentication to grant you access to multiple systems.

SSO utilizes protocols like OAuth and SAML to manage tokens and user identities, transferring the authentication workload from individual apps to a centralized server. 

SSO introduced a new level of complexity for developers. Authentication was lifted out of the internal app logic, but integration with SSO servers was still required. Major enterprises commonly run their own SSO servers, and the major tech companies do as well. An easy way to give users access to your app is to let them sign in with credentials they already have with a well-known brand, such as Google Login, Facebook Login, Apple Login or Microsoft Login.

Beyond passwords: MFA, authenticators, biometrics and passkeys

Passwords have not died out yet, and probably will not for many years to come. But they have evolved a lot since their early days.
Today, multi-factor authentication (MFA) is an additional step that increases security. The idea behind MFA is that, in addition to your password, you verify yourself on another device. This can be done by sending a One Time Password (OTP) to a device you own. You have most likely seen it sent in a text message, which you then type in as an "additional password".

Another approach, instead of text messages, is authenticator apps that generate OTPs periodically.
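As an added example (not code from the Nblocks post), here is how an authenticator app derives those periodic codes and how a server should check them. It goes slightly beyond the text by also handling clock drift and replay; the only fixed value it relies on is the RFC 6238 test secret mentioned in the comments.

```python
# Added example (not from the Nblocks post): time-based one-time passwords as
# authenticator apps generate them (RFC 4226 HOTP under RFC 6238 TOTP), using
# only the Python standard library, plus a server-side check that tolerates
# clock drift and rejects a code that has already been used.
# The RFC test secret b"12345678901234567890" reproduces the published vectors.
import hashlib
import hmac

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """The code an authenticator app shows at `unix_time`: HOTP of the time step."""
    return hotp(secret, unix_time // step, digits)

def verify_totp(secret: bytes, code: str, unix_time: int, last_counter: int = -1,
                window: int = 1, step: int = 30, digits: int = 6):
    """Return the matched time-step counter, or None if the code is rejected.

    `window` allows +/- that many steps of clock drift between phone and server.
    `last_counter` is the counter of the last accepted code for this user; any
    counter at or below it is refused so an intercepted code cannot be replayed.
    The caller must persist the returned counter as the new `last_counter`.
    """
    if not (code.isascii() and code.isdigit() and len(code) == digits):
        return None
    current = unix_time // step
    for counter in range(current - window, current + window + 1):
        if counter <= last_counter:
            continue
        # Constant-time comparison: no early exit that leaks matching digits.
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None
```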

Biometric sign-in using your face, fingerprint or voice is another approach, used primarily when authentication is done on mobile devices.

The newest technology of them all is passkeys. Passkeys are the first step toward a completely passwordless era. Instead of passwords, passkeys use public key cryptography for authentication, and the key is stored locally on your device.

Increased overhead for developers: Balancing Innovation with Implementation

Authentication and authorization technologies, collectively known as "auth", have undeniably enhanced security and streamlined user experiences. However, this innovation comes with increased complexity for developers, particularly when implementing various authentication methods and integrating with different servers that use protocols like SAML or OAuth.

Often, the focus is on the initial implementation, while the ongoing maintenance and updates, which can be time-consuming, are overlooked. Today, user expectations are exceedingly high; a seamless and secure signup and login process has shifted from being a desirable feature to an essential requirement.

This article shares more details about what a modern web or SaaS application requires.

A new state of authentication

Over the last 15 years, auth has evolved from simple password protection to sophisticated systems like single sign-on, multi-factor authentication and passkeys.
Security and ease of use have been the pillars driving this innovation, keeping the internet safe yet accessible.

For developers there is a lot to keep up with, and the much higher expectations of users require that more time is spent on implementing and maintaining authentication systems. Although this is important, smaller teams will struggle to balance their backlog between security improvements and core app innovation. For an overview of authentication systems and protocols, have a look at our article about Authentication.
