Context: I'm writing this while watching YouTube, and this goddamn thought just went through my head. I'm writing this to see what other people think about this.
Alright, hear me out...
Does every authentication method rely on the server having something to validate the client's credential?
Password authentication: the server has the hashed password (or whatever form it stores the password in) and the client doesn't. The security lies in whether or not the client knows the original password that was used to create the hash.
API keys (or token auth): the server has a list of valid keys/tokens, and the client doesn't. Again, similar to passwords, the server knows something the client may or may not know.
MFA: when you set up the authenticator, the server gives you the unique MFA string (no idea what it's actually called, but you get it, the MFA seed/QR code thingamajig). Again, the server has the code to validate against, and your authenticator has the algorithm to generate the code that will pass the validation. Isn't this pretty similar to password-based auth, but with extra steps that generate the unique MFA code?
Biometrics, IDK... The server has your biometric info and you have... your biometrics, I guess. You input your biometric and the server validates it against its data (I think that's the gist of it). Sounds close enough to passwords to me.
In theory, can I just have a random string sitting somewhere on my server and allow users to log in if they know that string? Isn't that a dumb version of password authentication?
My fucking god, I feel so stupid when thinking about this. What do you think? Does my rambling sound about right or nah?
Also, there is the Google Prompt you get on your phone when you log in from a new place; does that also rely on the server knowing something the client does not? Or how does that work? I've got no idea, really.
Also, what other authentication methods are out there? Do they also hinge on the server knowing something the client does not?
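As an added example (not part of the original post or of any reply to it), here is a small Python script that implements the three server-side checks the post describes the way a server actually does them: password verification against a salted PBKDF2 hash, API-key verification against a table of key hashes, and TOTP verification against a shared seed (the "MFA seed / QR code" from the post, which is RFC 6238 TOTP built on RFC 4226 HOTP). The iteration count, the sample password and the key-hash table layout are assumptions for illustration; the TOTP seed is the published RFC 4226/6238 test-vector secret, not a real one, so the codes can be checked against the RFCs.

```python
import hashlib
import hmac
import os
import secrets
import struct
import time

# --- 1. Password authentication: the server keeps salt + PBKDF2 hash, never the password ---
PBKDF2_ITERATIONS = 600_000  # assumption: an iteration count in line with current guidance


def enroll_password(password: str) -> tuple[bytes, bytes]:
    """Return (salt, verifier) for the server to store; the password itself is discarded."""
    salt = os.urandom(16)
    verifier = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, verifier


def verify_password(password: str, salt: bytes, verifier: bytes) -> bool:
    """Recompute the hash from the presented password and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, verifier)


# --- 2. API keys / tokens: the server keeps only a hash of each issued key ---
def enroll_api_key() -> tuple[str, str]:
    """Return (key to hand to the client, hash for the server to store)."""
    key = secrets.token_urlsafe(32)
    return key, hashlib.sha256(key.encode()).hexdigest()


def verify_api_key(presented: str, stored_hashes: set[str]) -> bool:
    """Look the presented key up by its hash; a leaked hash table yields no usable keys."""
    return hashlib.sha256(presented.encode()).hexdigest() in stored_hashes


# --- 3. TOTP (the "MFA seed / QR code"): server and authenticator share one seed ---
def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(seed, unix_time // step, digits)


def verify_totp(seed: bytes, code: str, unix_time: int, step: int = 30, window: int = 1) -> bool:
    """Accept the current code and +/- `window` time steps to tolerate clock drift."""
    counter = unix_time // step
    return any(hmac.compare_digest(hotp(seed, counter + d), code)
               for d in range(-window, window + 1))


if __name__ == "__main__":
    salt, verifier = enroll_password("correct horse battery staple")  # constructed sample
    print("password ok:", verify_password("correct horse battery staple", salt, verifier))
    key, key_hash = enroll_api_key()
    print("api key ok:", verify_api_key(key, {key_hash}))
    seed = b"12345678901234567890"  # RFC 4226/6238 test secret, not a real seed
    print("totp now:", totp(seed, int(time.time())))
```

In all three cases what the server holds is a verifier (a salted hash, a key hash, or the shared TOTP seed), and the check is "recompute from what the client sent and compare"; the TOTP case is the only one where the server's stored value is itself enough to produce a valid credential, which is why seed storage needs the same care as a plaintext key list.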