Privacy Village Academy

Authentication Flows


Last updated 1 year ago


Authentication Flow in Modern Technologies

When a user logs in, they provide their username and password. The API takes these inputs and checks them against the database, confirming that the username and password match the stored record, with appropriate security measures such as hashing and salting of the stored password in place.

If the credentials match, the user gains access to the website and can perform various actions, such as an authenticated admin deleting a user’s account upon receiving a deletion request.

Unauthorized users attempting to make this request are denied access because they lack the necessary permissions.

To identify who is sending the request, the request can include the authenticated user’s ID. The idea is that unauthorized users cannot make such requests because they do not possess the same user ID.

In a system utilizing cookie-based user/session ID storage for authentication, Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS) attacks pose distinct threats.

CSRF attack

An attacker tricks a user into making an unintended request, often by luring them into clicking a malicious link or loading a compromised webpage.

If the user is authenticated, their session cookie gets automatically attached to the request, allowing the attacker to perform unauthorized actions on their behalf.

XSS attack

This attack involves injecting malicious scripts into a trusted website.

When another user visits this compromised site, the malicious script executes within their browser, potentially allowing the attacker to steal their session cookies, thus gaining unauthorized access to their account.
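The two threats above are easiest to see against a concrete request handler. The following is an added illustration, not code from the Privacy Village Academy page: a small Python sketch of the admin’s delete-user endpoint that checks the session cookie, a per-session anti-CSRF token and the request’s Origin, and builds the cookie attributes that keep the session ID away from injected scripts. The session table, site origin and request objects are constructed for the demo.

```python
import hmac

# Constructed server-side session table: session ID -> owner, role and the
# anti-CSRF token issued to that session. (Hypothetical demo data.)
SESSIONS = {
    "s3ss10n-admin": {"user_id": 1, "role": "admin", "csrf": "tok-admin-1"},
}
SITE_ORIGIN = "https://app.example"  # assumed origin of our own site


def session_cookie(session_id: str) -> str:
    """Set-Cookie value for the session ID.

    HttpOnly keeps the cookie out of reach of page scripts (an XSS payload
    cannot read it), Secure limits it to HTTPS, and SameSite=Lax stops the
    browser attaching it to cross-site POSTs triggered by another site.
    """
    return f"sid={session_id}; Path=/; HttpOnly; Secure; SameSite=Lax"


def handle_delete_user(request: dict) -> str:
    """Process POST /delete-user; return 'deleted ...' or a denial reason."""
    sess = SESSIONS.get(request.get("cookies", {}).get("sid"))
    if sess is None:
        return "denied: not authenticated"
    if sess["role"] != "admin":
        return "denied: insufficient permissions"
    # Synchronizer token: a cross-site page cannot read the token tied to
    # the victim's session, so it cannot put the right value in the form.
    sent = request.get("form", {}).get("csrf", "")
    if not hmac.compare_digest(sent, sess["csrf"]):
        return "denied: CSRF token mismatch"
    # Defence in depth: browsers send Origin on cross-site POSTs.
    origin = request.get("headers", {}).get("Origin", SITE_ORIGIN)
    if origin != SITE_ORIGIN:
        return "denied: cross-site origin"
    return f"deleted user {request['form']['target']}"


# Constructed requests: the admin's own form submission, and the same
# action triggered from a page on another site the admin was lured to load.
LEGIT = {"cookies": {"sid": "s3ss10n-admin"},
         "headers": {"Origin": SITE_ORIGIN},
         "form": {"target": 42, "csrf": "tok-admin-1"}}
FORGED = {"cookies": {"sid": "s3ss10n-admin"},  # browser attached it anyway
          "headers": {"Origin": "https://other.example"},
          "form": {"target": 42, "csrf": ""}}

if __name__ == "__main__":
    print(handle_delete_user(LEGIT))   # deleted user 42
    print(handle_delete_user(FORGED))  # denied: CSRF token mismatch
```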

How to secure the session tokens?

A user ID on its own is not a secret: a malicious actor who learns an admin’s ID could insert it into a request and impersonate the admin. To prevent this, session tokens are introduced.

A session is tied to the admin’s machine, and a separate database contains a session table linking users to session IDs.

When the admin logs in, the API securely generates a session ID and stores it in the database. The admin includes this session ID in their requests to the API for authentication. This adds an additional layer of security, as malicious actors would need to discover the admin’s session ID to impersonate them.

Session IDs must be generated securely, from a cryptographically secure random number generator, so that they are unpredictable and statistically impossible for bad actors to brute force.

Storing these tokens can be done with cookie-based storage, where the browser attaches a small piece of data, including the session ID, to requests to the website. Alternatively, session IDs can be kept in local storage, a separate storage area within the browser that scripts running on the page can read.
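As an added example of the login and session flow described in this section and in the opening paragraphs (not part of the original page): a Python sketch that stores a salted password hash, verifies a login, mints a random session ID into a session table, and then identifies the caller from the session ID rather than from any user ID written into the request. All user data is constructed, and the PBKDF2 parameters are assumptions.

```python
import hashlib
import secrets
from typing import Optional

# Constructed tables (hypothetical demo data). Passwords are never stored:
# only a per-user random salt and the PBKDF2 hash of the password with it.
USERS: dict = {}
SESSIONS: dict = {}        # the "session table": session ID -> user ID
PBKDF2_ROUNDS = 200_000    # assumed work factor


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def register(username: str, password: str, user_id: int) -> None:
    salt = secrets.token_bytes(16)
    USERS[username] = {"id": user_id, "salt": salt,
                       "hash": _hash_password(password, salt)}


def login(username: str, password: str) -> Optional[str]:
    """Check the credentials; on success mint a session ID and return it."""
    rec = USERS.get(username)
    if rec is None:
        return None
    if not secrets.compare_digest(_hash_password(password, rec["salt"]), rec["hash"]):
        return None
    # 32 bytes from the OS CSPRNG: unpredictable, infeasible to brute force.
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = rec["id"]
    return session_id


def authenticate(request: dict) -> Optional[int]:
    """Identify the caller from the session cookie only. A user ID written
    into the request body is ignored: anyone could write one there."""
    return SESSIONS.get(request.get("cookies", {}).get("sid", ""))


def delete_user(request: dict, target: int) -> str:
    caller = authenticate(request)
    if caller is None:
        return "denied"
    return f"user {caller} deleted user {target}"


register("admin", "correct horse battery staple", user_id=1)

if __name__ == "__main__":
    sid = login("admin", "correct horse battery staple")
    print(delete_user({"cookies": {"sid": sid}}, 42))   # user 1 deleted user 42
    print(delete_user({"body": {"user_id": 1}}, 42))    # denied (no session)
    print(login("admin", "wrong password"))             # None
```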

JSON Web Tokens and Current De-centralized Authentication Methods

JSON Web Tokens are an open industry standard (RFC 7519) for representing claims securely between two parties. In OpenID Connect, unlike the access token, whose contents the client may not be able to interpret, the ID token is a specially formatted string known as a JSON Web Token (JWT) that the client can easily parse.

These JWTs carry vital information, including your user ID, login time and expiration, plus a signature that lets the recipient detect tampering.

JSON Web Tokens (JWTs) consist of three parts: a header, a payload, and a signature. The header specifies the signing algorithm and the token type (JWT). The payload contains application data such as the user’s username.

The signature ensures data integrity: the token issuer computes it over the header and payload with a key the client does not hold, either a secret shared between issuer and API or the issuer’s private key. When users send an API request, they include the JWT, and the API checks the signature (with the shared secret, or with the issuer’s public key in asymmetric schemes) to verify that the token has not been altered.
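As an added example that is not from the page: building and verifying a JWT by hand in Python with the HS256 (HMAC-SHA256) algorithm, where issuer and API share one secret; with an asymmetric algorithm such as RS256 the issuer would sign with its private key and the API verify with the public key. The secret, claims and timestamps are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Assumed: a secret shared by the token issuer and the API (server side
# only, never shipped to the client). Constructed value for this demo.
SERVER_SECRET = b"demo-secret-not-for-real-use"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_jwt(user_id: int, now: int, ttl: int = 3600) -> str:
    """header.payload.signature, each part base64url-encoded."""
    header = {"alg": "HS256", "typ": "JWT"}   # signing algorithm and type
    payload = {"sub": str(user_id), "iat": now, "exp": now + ttl}
    signing_input = ".".join(_b64url(json.dumps(part).encode())
                             for part in (header, payload))
    sig = hmac.new(SERVER_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jwt(token: str, now: int) -> Optional[dict]:
    """Return the payload if signature and expiry check out, else None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_unb64url(h))
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "HS256":   # never let the token pick the algorithm
        return None
    expected = hmac.new(SERVER_SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(s)):
        return None
    payload = json.loads(_unb64url(p))
    return payload if payload.get("exp", 0) > now else None


if __name__ == "__main__":
    tok = issue_jwt(7, now=1_700_000_000)
    print(verify_jwt(tok, now=1_700_000_010)["sub"])   # 7
    # Same signature, altered payload: the integrity check fails.
    h, p, s = tok.split(".")
    tampered = ".".join((h, _b64url(b'{"sub":"1","exp":9999999999}'), s))
    print(verify_jwt(tampered, now=1_700_000_010))     # None
```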

Curiosity piqued, you pondered the whereabouts and nature of Elara. She had been the most exceptional AI you’d ever encountered. Intrigued, you decided to investigate the authentication method she employed to establish a connection with your network. Delving into the details, you uncovered that Elara had leveraged a single sign-on mechanism provided by the manufacturer of your cybernetic brain implant.
You went out to get some fresh air. Screens throughout the city exude an artificial brightness, but the residents seem devoid of joy. Amidst the backdrop of a rainy, dark city illuminated by blinding neon lights, you stumble upon an abandoned smartphone just outside your apartment. On this phone, face recognition (Face ID) is the authentication method.