Authentication / OAuth
Authentication verifies a user's identity. OAuth 2.0 lets third-party applications access resources on a user's behalf without receiving the user's password; MFA strengthens login by requiring several independent factors.
Secure authentication is the foundation of every web application and API. In a world of growing cyber attacks, simple passwords are no longer enough. Modern auth combines protocols like OAuth 2.0, OpenID Connect and SAML with multi-factor authentication to identify users and protect data.
What is Authentication / OAuth?
Authentication (AuthN) is the process of verifying identity: who is the user? This is usually done by something you know (password), have (phone, security key) or are (fingerprint, face). Authorization (AuthZ) follows: what may the user do? OAuth 2.0 is an open protocol for delegated authorization – it lets an application access resources on behalf of a user without knowing the password. OpenID Connect builds on OAuth 2.0 and adds an authentication layer.
How does Authentication / OAuth work?
With OAuth 2.0 the application redirects the user to an identity provider (e.g. Google, Azure AD). The user signs in and grants consent. The provider returns an authorization code to the app. The app exchanges it for an access token (short-lived, for API calls) and a refresh token (long-lived, to renew the access token). The access token is sent with each API request and verified by the server. JWTs are a common token format carrying signed claims (user ID, roles, expiry).
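The exchange described above, run end to end in one process, as an added example that is not part of the original page or any provider's code. The client builds the redirect with a `state` value and a PKCE challenge, the simulated identity provider hands back a single-use authorization code, the client exchanges it for tokens, and a resource server validates the resulting JWT (signature, issuer, audience, expiry) without any session lookup. All names (`example-app`, `https://idp.example`, the signing key) are constructed demo values; HS256 with a shared key is an assumption made to keep the example self-contained, whereas real providers sign with an asymmetric key published through a JWKS endpoint.

```python
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed demo values: a registered client and the provider's signing key.
# HS256 with a shared key keeps the example self-contained; real providers
# sign with an asymmetric key (RS256/ES256) published through a JWKS endpoint.
CLIENT_ID = "example-app"
REDIRECT_URI = "https://app.example/callback"
ISSUER = "https://idp.example"
SIGNING_KEY = b"constructed-demo-signing-key-do-not-reuse"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_jwt(claims: dict) -> str:
    """HS256 JWT: base64url(header).base64url(payload).base64url(HMAC)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(mac)}"

def verify_jwt(token: str, now: float = None) -> dict:
    """Resource-server check: signature, issuer, audience and expiry, no session lookup."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token pick the algorithm
    expected = hmac.new(SIGNING_KEY, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims["iss"] != ISSUER or claims["aud"] != CLIENT_ID or now >= claims["exp"]:
        raise ValueError("claims rejected")
    return claims

class IdentityProvider:
    """Simulated authorization server: issues single-use codes and signed access tokens."""
    def __init__(self):
        self._codes = {}  # code -> (user, client_id, redirect_uri, code_challenge, expiry)

    def authorize(self, authorize_url: str, user: str) -> str:
        """User has signed in and consented; redirect back to the app with a code."""
        p = {k: v[0] for k, v in parse_qs(urlparse(authorize_url).query).items()}
        if p.get("client_id") != CLIENT_ID or p.get("redirect_uri") != REDIRECT_URI:
            raise ValueError("unknown client or redirect_uri")
        code = secrets.token_urlsafe(24)
        self._codes[code] = (user, CLIENT_ID, REDIRECT_URI, p["code_challenge"], time.time() + 60)
        return f"{REDIRECT_URI}?{urlencode({'code': code, 'state': p['state']})}"

    def token(self, code, client_id, redirect_uri, code_verifier) -> dict:
        entry = self._codes.pop(code, None)  # single use: a replayed code is rejected
        if entry is None:
            raise ValueError("unknown or already used code")
        user, cid, ruri, challenge, expiry = entry
        expected = b64url(hashlib.sha256(code_verifier.encode()).digest())  # PKCE S256
        if (time.time() > expiry or cid != client_id or ruri != redirect_uri
                or not hmac.compare_digest(expected, challenge)):
            raise ValueError("code exchange rejected")
        now = int(time.time())
        claims = {"iss": ISSUER, "sub": user, "aud": CLIENT_ID, "iat": now,
                  "exp": now + 300, "roles": ["user"]}
        return {"access_token": sign_jwt(claims), "token_type": "Bearer", "expires_in": 300,
                "refresh_token": secrets.token_urlsafe(32)}

class Client:
    """The application: builds the redirect, then exchanges the returned code."""
    def start_login(self) -> str:
        self.state = secrets.token_urlsafe(16)       # binds the callback to this browser
        self.verifier = secrets.token_urlsafe(32)    # PKCE code_verifier, kept secret
        challenge = b64url(hashlib.sha256(self.verifier.encode()).digest())
        params = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
                  "scope": "openid profile", "state": self.state,
                  "code_challenge": challenge, "code_challenge_method": "S256"}
        return f"{ISSUER}/authorize?{urlencode(params)}"

    def handle_callback(self, idp: IdentityProvider, callback_url: str) -> dict:
        qs = parse_qs(urlparse(callback_url).query)
        if qs.get("state", [None])[0] != self.state:
            raise ValueError("state mismatch")  # CSRF / mixed-up callback
        return idp.token(qs["code"][0], CLIENT_ID, REDIRECT_URI, self.verifier)

def demo_login(user: str = "alice") -> dict:
    """Runs the whole exchange in one process and returns the verified claims."""
    app, idp = Client(), IdentityProvider()
    callback = idp.authorize(app.start_login(), user)
    tokens = app.handle_callback(idp, callback)
    return verify_jwt(tokens["access_token"])

if __name__ == "__main__":
    print(demo_login())
```

The checks worth noticing are the ones the paragraph glosses over: the code is popped from the store so it cannot be replayed, the PKCE verifier must hash to the challenge sent at the start, the `state` value ties the callback to the browser that started the login, and the resource server rejects any token whose header names a different algorithm, whose signature fails, or whose `iss`, `aud` or `exp` claims do not match.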
Practical Examples
- Social login: Users sign in with Google, Microsoft or Apple without creating a new account – OAuth 2.0 in action.
- MFA in online banking: After the password a second factor is required – TAN via SMS, push in the banking app or FIDO2 security key.
- Enterprise SSO: Staff sign in once with Azure AD and access all connected apps (Office 365, Slack, Jira) without logging in again.
- API auth: A mobile app backend authenticates users with JWT – each request is validated without a database lookup for the session.
- Passkeys (FIDO2): Passwordless auth via biometrics or security key – more secure and convenient than passwords.
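The "second factor" in the MFA example above is most often a time-based one-time password from an authenticator app. The following added example, written for this page and not taken from any banking or vendor code, implements HOTP (RFC 4226) and TOTP (RFC 6238) with the standard library and shows the server-side verifier: it tolerates one time step of clock skew in either direction and refuses to accept the same step twice, so a code that was already used cannot be replayed. The `TotpVerifier` class name and the `window` parameter are this example's own choices; the key used in the usage note is the RFC 4226 test key.

```python
import hmac, hashlib, struct, time


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer reduced to the requested digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP whose counter is the number of elapsed time steps."""
    return hotp(key, at // step, digits)


class TotpVerifier:
    """Server side of the second factor. Checks a submitted code within a small
    clock-skew window and never accepts a time step at or before the last one
    that was accepted, so a one-time password stays one-time."""

    def __init__(self, key: bytes, step: int = 30, window: int = 1):
        self.key, self.step, self.window = key, step, window
        self.last_accepted_counter = -1

    def verify(self, code: str, at: int = None) -> bool:
        now = int(time.time()) if at is None else at
        counter = now // self.step
        for c in range(counter - self.window, counter + self.window + 1):
            if c <= self.last_accepted_counter:
                continue  # already used, or older than the last accepted step
            if hmac.compare_digest(hotp(self.key, c), code):
                self.last_accepted_counter = c
                return True
        return False


if __name__ == "__main__":
    # RFC 4226 test key; at t=59 the code must be 287082 (RFC 6238 vector, 6 digits).
    key = b"12345678901234567890"
    v = TotpVerifier(key)
    print(totp(key, 59), v.verify(totp(key, 59), at=59), v.verify(totp(key, 59), at=59))
```

In production the per-user `last_accepted_counter` lives in the user record rather than in memory, the secret is stored encrypted, and failed attempts are rate-limited; the window should stay at one step, because widening it multiplies the number of codes an attacker can guess.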
Typical Use Cases
- Web apps: Login with password, social login and optional two-factor authentication
- API security: Token-based auth for REST and GraphQL APIs
- Enterprise SSO: Central identity management for all business applications
- Mobile apps: Biometric auth (Face ID, fingerprint) with server-side token validation
- IoT: Certificate-based auth for machine-to-machine communication
Advantages and Disadvantages
Advantages
- OAuth 2.0 avoids sharing passwords with third-party applications
- SSO reduces password fatigue and improves satisfaction
- MFA can reduce the risk of compromised accounts by over 99% (figure reported by Microsoft)
- Standardised protocols (OAuth, OIDC, SAML) ensure interoperability
- Passkeys remove phishing risk entirely
Disadvantages
- Complexity: OAuth 2.0 has many flows and options that can be error-prone
- Dependence on identity provider for social login (terms can change)
- Token handling must be done carefully (expiry, refresh, revocation)
- MFA can hurt UX if implemented poorly
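The last three disadvantages (token handling: expiry, refresh, revocation) are where most OAuth deployments go wrong. The following added example, not part of the original page, shows one server-side design that addresses them: refresh tokens are single-use and rotated on every refresh, each token belongs to a "family" that represents one login session, presenting an already-rotated token is treated as evidence that the token was stolen and revokes the whole family, and logout revokes the family rather than a single token. The class and method names are this example's own, and the in-memory dictionary stands in for a database.

```python
import secrets, time


class RefreshTokenStore:
    """Refresh-token lifecycle with rotation and reuse detection.

    Each refresh token is single use. Rotating it issues a new token in the
    same family (one login session). If an old, already-rotated token is
    presented again, two parties evidently hold tokens from this session, so
    the whole family is revoked and the user has to sign in again."""

    def __init__(self, ttl: int = 30 * 24 * 3600):
        self.ttl = ttl
        self._tokens = {}              # token -> {"user", "family", "exp", "used"}
        self._revoked_families = set()

    def issue(self, user: str, family: str = None, now: float = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._tokens[token] = {"user": user, "family": family or secrets.token_hex(8),
                               "exp": now + self.ttl, "used": False}
        return token

    def rotate(self, token: str, now: float = None) -> str:
        """Exchange a refresh token for a fresh one; the presented token dies."""
        now = time.time() if now is None else now
        rec = self._tokens.get(token)
        if rec is None or rec["family"] in self._revoked_families:
            raise PermissionError("unknown or revoked refresh token")
        if rec["used"]:
            # Reuse detected: kill every token of this session, not just this one.
            self._revoked_families.add(rec["family"])
            raise PermissionError("refresh token reuse detected; session revoked")
        if now >= rec["exp"]:
            raise PermissionError("refresh token expired")
        rec["used"] = True
        return self.issue(rec["user"], rec["family"], now)

    def revoke(self, token: str) -> None:
        """Logout / revocation endpoint: revokes the whole family."""
        rec = self._tokens.get(token)
        if rec is not None:
            self._revoked_families.add(rec["family"])

    def is_active(self, token: str, now: float = None) -> bool:
        now = time.time() if now is None else now
        rec = self._tokens.get(token)
        return bool(rec and not rec["used"]
                    and rec["family"] not in self._revoked_families
                    and now < rec["exp"])


if __name__ == "__main__":
    store = RefreshTokenStore(ttl=100)
    first = store.issue("alice", now=0)
    second = store.rotate(first, now=10)
    print("old active:", store.is_active(first, now=10), "new active:", store.is_active(second, now=10))
    try:
        store.rotate(first, now=20)   # replaying the old token revokes the session
    except PermissionError as e:
        print(e)
    print("new still active:", store.is_active(second, now=20))
```

Short-lived access tokens (minutes) plus rotated refresh tokens give the server a revocation point without checking a database on every API call: a stolen access token expires on its own, and a stolen refresh token is caught the moment either holder refreshes twice.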
Frequently Asked Questions about Authentication / OAuth
What is the difference between authentication and authorization?
Are passkeys safer than passwords?
How do I implement OAuth 2.0 correctly?
Want to use Authentication / OAuth in your project?
We are happy to advise you on Authentication / OAuth and find the optimal solution for your requirements. Benefit from our experience across over 200 projects.