Every application needs to identify its users. Applications that allow more than a pre-selected set of users (i.e., almost all applications) must authenticate the users, identify the authenticated users, and provide authorized access to content and services. Providing authentication and authorization (authN/Z, often called Auth for brevity) is one of the crucial pillars of any web application.
However, the truth of the matter is that Auth is hard to implement. It looks simple at first, but as more use cases and security requirements arise, it is notoriously hard to get everything right. Before we dive deeper into why Auth is hard and why we recommend against implementing Auth from scratch, let’s discuss some common Auth strategies and user expectations.
Auth strategies
Assuming we have a user identifier (e.g., an email or a user name), the three common factors of human authentication are: