Why it matters

Authentication is where most breaches start. Getting it right protects everything downstream.

Advertisement

The architecture

Password: verify hash matches. Use bcrypt/argon2. Salt per user.

MFA: password + second factor (TOTP, SMS, hardware key). Dramatically better than password alone.

Authentication methodsPassword + hashargon2/bcryptMFATOTP/hardwareWebAuthnpasswordlessWebAuthn/passkeys are modern standard: phishing-resistant, no shared secrets
Auth factor progression.
Advertisement

How it works end to end

WebAuthn / passkeys: cryptographic keys. Phishing-resistant. No shared secrets. Modern gold standard.

SSO: OAuth 2.0 / OIDC delegate auth to identity provider.

Session management: after auth, secure session cookies. HttpOnly + Secure + SameSite.