Authentication - 401-advanced-javascript-aimurphy/seattle-javascript-401n13 GitHub Wiki
There are many ways to prove you are who you claim to be, but they boil down to two families: a password, or something that is not a password.
Passwords
Usernames and Passwords
The username identifies the account; the password is the secret that proves the person presenting it is entitled to it. Together they are how we try to ensure that people are who they say they are, and the basis on which we then decide what they may access. For high-security applications the username itself can be assigned and kept secret rather than being user-chosen public data (an email address or a public handle), so an attacker has to guess both halves of the credential. Password strength increases with length more than with symbol variety, but long random strings are hard to memorize. Instead, think PASSPHRASE: a phrase or sentence is longer than a single word, which is what makes it stronger, yet easier to remember.
Not passwords: OAuth, OpenID, SAML, FIDO, JWT
OAuth 2.0
OAuth 2.0 (Open Authorization) is a delegated-authorization protocol. A client application (a web app, or a mobile app talking to a back-end API) obtains an access token from an authorization server and presents that token to the API instead of the user's credentials. The specification defines the authorization flows (grants) by which the client obtains that token, so the API can tell on whose behalf the client is acting. Strictly speaking OAuth 2.0 grants access; it does not by itself authenticate the user to the client, which is what OpenID (today, OpenID Connect) layers on top of it.
The client never handles the user's password: the user enters it only at the authorization server, which then hands the client a token limited to the scopes the user approved. OAuth on its own also does not turn that server into an identity provider for third-party sites; that is the OpenID role described below.
OAuth 2.0 bearer tokens are protected only by the transport, so it relies on HTTPS for security: anyone who captures a token can use it until it expires. It is currently used and implemented by the APIs of companies such as Facebook, Google, Twitter and Microsoft. OAuth 1.0a is more difficult to use because every request is signed (HMAC-SHA1 or RSA-SHA1) with a secret the client holds, which requires cryptographic libraries on both sides. Because that per-request signature does not depend on HTTPS for its security, a captured request does not yield a reusable credential, which is why OAuth 1.0a is sometimes considered better suited to higher-risk transactions.
OpenID
An HTTP-based protocol for service-provider-initiated single sign-on (SSO). The user holds one identity at a trusted OpenID identity provider and uses it to be the same user on many websites, giving the password only to the identity provider and never to the individual sites. The familiar form is signing in with Google, Facebook, etc. instead of creating an account (today those buttons usually speak OpenID Connect, the successor built on OAuth 2.0, rather than the original OpenID).
For non-enterprise environments OpenID is considered a secure and often better choice, as long as the identity provider itself is trustworthy: it sees every login and could impersonate the user at every site that relies on it.
SAML 2.0
Security Assertion Markup Language (SAML) also uses identity providers, like OpenID, but it is XML-based and more flexible: its assertions can carry arbitrary user attributes and authorization decisions, not just "this user logged in".
SAML's web-browser SSO profile moves signed XML assertions through the browser, via HTTP redirects or auto-submitted POST forms. Furthermore, SAML is not only initiated by a service provider; it can also be initiated from the identity provider (IdP-initiated SSO). This lets the user move between different portals while staying authenticated without doing anything, making the process transparent to them.
While OpenID has taken most of the consumer market, SAML is often the choice for enterprise applications, as few OpenID identity providers are considered enterprise-class (because of the high standards required for enterprise identity). It is more common to see SAML used on intranet websites, sometimes with a server on the intranet acting as the identity provider.
Applications such as SAP ERP and SharePoint (the latter through Active Directory Federation Services 2.0) have adopted SAML 2.0 as a preferred method for single sign-on whenever enterprise federation is required for web services and web applications.
FIDO
The Fast Identity Online (FIDO) Alliance created two protocols to facilitate online authentication (both since folded into FIDO2/WebAuthn, which uses the same model):
UAF works with both native applications and web applications, focuses on passwordless authentication, and takes advantage of security technology already present on devices, including fingerprint sensors, cameras (face biometrics), microphones (voice biometrics), Trusted Execution Environments (TEEs), Secure Elements (SEs) and others.
U2F works with web applications and augments password-based authentication with a hardware token (typically USB) that stores cryptographic authentication keys and uses them for signing, adding a second factor to existing password logins. It also protects against phishing: the browser passes the origin of the website to the token, which uses it to look up the stored key, so a look-alike site at a different origin cannot obtain a signature the real site will accept.
Both protocols are based on a public-key challenge-response model: the server sends a fresh random challenge, the authenticator signs it with a private key that never leaves the device, and the server verifies the signature with the public key registered at enrollment. Because the challenge is new every time, a captured response cannot be replayed.
JWT
Password Managers
And then there are password managers, which sit somewhere between the two: what reaches the site is still a password, but it is a long random one unique to that site, and the only secret the user has to memorize is the manager's master passphrase.