This content originally appeared on DEV Community and was authored by Kiran
Every app has a login. But do you know what's happening under the hood?
Here are the most common login mechanisms every developer (and tech enthusiast) should know:
Password-Based Authentication
The most traditional method: the user provides a username/email and a secret password.
  • Plain passwords (basic, least secure)
  • Hashed + salted passwords (bcrypt, Argon2, PBKDF2)
  • Password managers auto-fill strong, unique passwords

Multi-Factor Authentication (MFA / 2FA)
Combines two or more factors for stronger security:
  • Something you know: password, PIN
  • Something you have: OTP via SMS, authenticator app (TOTP/HOTP), hardware key
  • Something you are: biometrics

OTP (One-Time Password)
A temporary, single-use code:
  • SMS OTP: code sent via text message
  • Email OTP: code sent to email
  • TOTP: time-based (Google Authenticator, Authy)
  • HOTP: counter-based OTPs

Passwordless Authentication
No password involved at all:
  • Magic links: click a link sent to your email
  • Passkeys (WebAuthn/FIDO2): cryptographic key stored on device (Touch ID, Face ID, Windows Hello)
  • Biometrics: fingerprint, face recognition, iris scan

Social / Federated Login (OAuth 2.0 / OpenID Connect)
Delegate authentication to a trusted third party:
  • OAuth 2.0: authorization framework (Google, GitHub, Facebook login)
  • OpenID Connect (OIDC): identity layer on top of OAuth
  • SAML: enterprise SSO (Okta, Azure AD)

Single Sign-On (SSO)
Log in once, access multiple apps:
  • SAML 2.0: XML-based, common in enterprise
  • OIDC-based SSO: modern, JSON/JWT-based
  • Kerberos: used in Windows/Active Directory environments
  • LDAP: directory-based authentication

Certificate-Based Authentication
Uses digital certificates (PKI):
  • Client certificates (TLS mutual auth)
  • Smart cards / CAC cards: common in government/military
  • SSH key pairs: public/private key for server access

Token-Based Authentication
After login, a token is issued for subsequent requests:
  • JWT (JSON Web Token): stateless, self-contained token
  • Session tokens: server stores session, client holds a reference
  • API keys: long-lived tokens for service-to-service auth
  • Bearer tokens: passed in HTTP headers (used with OAuth)

Biometric Authentication
Identity verified by physical traits:
  • Fingerprint scan
  • Face recognition
  • Iris / retina scan
  • Voice recognition

Risk-Based / Adaptive Authentication
Dynamically adjusts security level based on context:
  • Device fingerprinting
  • IP/geo-location checks
  • Behavioral analytics (typing speed, mouse movement)
  • Step-up authentication when risk is detected

QR Code Login
User scans a QR code with an already-authenticated device (e.g., WhatsApp Web, WeChat).
The best login mechanism? The one that balances security AND user experience for your use case.
Passwords are dying. Passkeys are rising.
Are you keeping up?
#WebSecurity #Authentication #WebDevelopment #CyberSecurity #SoftwareEngineering #TechTips #Developers #100DaysOfCode
Kiran | Sciencx (2026-04-23T15:22:05+00:00) Login Mechanisms. Retrieved from https://www.scien.cx/2026/04/23/%f0%9d%97%9f%f0%9d%97%bc%f0%9d%97%b4%f0%9d%97%b6%f0%9d%97%bb-%f0%9d%97%a0%f0%9d%97%b2%f0%9d%97%b0%f0%9d%97%b5%f0%9d%97%ae%f0%9d%97%bb%f0%9d%97%b6%f0%9d%98%80%f0%9d%97%ba%f0%9d%98%80/