Authentication remains a complicated yet critical aspect of application security. In this talk, I'll demystify the core concepts, diving into access tokens, refresh tokens, and browser security mechanisms like WebAuthn for hardware-based authentication. Additionally, I'll explore techniques such as session handling, revocation strategies, silent authentication for improved security UX, and the usage scopes for controlling access granularity, and common pitfalls associated with each.
Finally, I'll delve into JSON Web Tokens (JWTs), the use of EdDSA signatures for enhanced security and performance, as well as the common pitfalls that seasoned pro and newcomer alike struggle with when it comes to auth. Here I hope to equip everyone with some additional knowledge to navigate its complexities and build secure, user-friendly systems.
- Slides: Presentation Slides
- Conference: Tech Internals Conf 2025 - Berlin
- Talk Transcript: What the @#!? is Auth
For help understanding this article or how you can implement improved reliability or a similar architecture in your services, feel free to reach out to the Authress development team or follow along in the Authress documentation.