Why it matters
Authentication is where most breaches start. Getting it right protects everything downstream.
Advertisement
The architecture
Password: verify hash matches. Use bcrypt/argon2. Salt per user.
MFA: password + second factor (TOTP, SMS, hardware key). Dramatically better than password alone.
Advertisement
How it works end to end
WebAuthn / passkeys: cryptographic keys. Phishing-resistant. No shared secrets. Modern gold standard.
SSO: OAuth 2.0 / OIDC delegate auth to identity provider.
Session management: after auth, secure session cookies. HttpOnly + Secure + SameSite.