What Is Authentication?
Authentication verifies who a user is — confirming their identity through credentials like passwords, biometrics, or tokens. It answers 'Who are you?' while authorization (a separate concept) answers 'What are you allowed to do?' Every application with user accounts needs authentication.
How Authentication Works
Modern authentication stack: user enters email/password → server checks the submitted password against the stored bcrypt hash (never against a stored plaintext) → on match, issues a JWT or session cookie → subsequent requests include the token → server validates the token on each request before acting on the user's behalf.
Passwordless is the future: magic links (a one-time login link sent by email), passkeys (WebAuthn credentials unlocked by a device biometric or PIN), and OAuth social logins all take password storage and handling off the application's plate (social login moves it to the identity provider).
Why Developers Use Authentication
Never roll your own auth crypto. Use battle-tested libraries (bcrypt for hashing, JWT libraries for tokens) or managed services (Auth0, Clerk, Supabase Auth, Firebase Auth). One security mistake can expose all user data.
Key Concepts
- Password Hashing: store bcrypt/argon2 hashes, never plaintext, so a breached database yields only salted, slow-to-crack hashes rather than the passwords themselves
- Session Management: track logged-in users via server-side sessions (an opaque cookie referencing state kept on the server) or client-side tokens (a signed JWT the server validates on every request)
- Multi-Factor Authentication: require a second proof of identity (TOTP codes, SMS codes, hardware security keys, or biometrics)
- Passwordless: magic links, passkeys, or biometric login; removes passwords from the system entirely
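The register → verify hash → issue token → validate token flow from "How Authentication Works", together with the Password Hashing and Session Management concepts above, as an added example that is not code from the original page. It substitutes the standard library's scrypt for bcrypt so it runs without third-party packages, and uses in-memory dicts as a stand-in for the user and session tables (both are assumptions of this example).

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed in-memory stores standing in for database tables (assumption).
USERS = {}     # email -> {"salt": bytes, "hash": bytes}
SESSIONS = {}  # opaque token -> {"email": str, "expires": float}
SESSION_TTL = 3600  # seconds a session stays valid


def hash_password(password: str, salt: bytes) -> bytes:
    # scrypt is a memory-hard, deliberately slow KDF; it plays bcrypt's role here.
    # The per-user salt means two users with the same password get different hashes.
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)


def register(email: str, password: str) -> None:
    salt = os.urandom(16)  # random, unique per user, stored beside the hash
    USERS[email] = {"salt": salt, "hash": hash_password(password, salt)}


def login(email: str, password: str, now=None):
    """Verify the password; on success issue an opaque session token, else None."""
    now = time.time() if now is None else now
    record = USERS.get(email)
    # Hash against a dummy salt for unknown users so response time does not
    # reveal whether the email is registered.
    salt = record["salt"] if record else b"\x00" * 16
    candidate = hash_password(password, salt)
    if record is None or not hmac.compare_digest(candidate, record["hash"]):
        return None  # same result for bad password and unknown user
    token = secrets.token_urlsafe(32)  # 256 random bits, never derived from user data
    SESSIONS[token] = {"email": email, "expires": now + SESSION_TTL}
    return token


def authenticate_request(token, now=None):
    """Validate the token a request presents; return the user's email or None."""
    now = time.time() if now is None else now
    session = SESSIONS.get(token) if token else None
    if session is None:
        return None
    if now >= session["expires"]:
        del SESSIONS[token]  # expired sessions are purged, not silently reused
        return None
    return session["email"]


def logout(token: str) -> None:
    SESSIONS.pop(token, None)  # server-side sessions can be revoked instantly
```

Because the session is server-side, logout and expiry take effect immediately; a stateless JWT would instead need a short lifetime or a revocation list to get the same effect.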
Frequently Asked Questions
Authentication vs authorization?
Authentication: proving who you are (login). Authorization: determining what you can do (permissions). Authentication happens first, then authorization.
What's the most secure authentication method?
Passkeys (WebAuthn credentials) are the most secure option in common use: they are phishing-resistant because the credential is bound to the site's origin, they are unlocked with a device biometric or PIN, and there is no shared password for an attacker to steal. Passkeys held on a dedicated FIDO2 hardware security key, where the private key cannot leave the device, are stronger still.