Authentication Tokens vs. Passwords: How They Work and What Makes Them Different

By Owen PatelCryptography Tutorial

Anonymous Guide: How Authentication Tokens Work and How They Differ from Passwords

We’re surrounded by passwords, one-time codes, keys, and tokens, but we don’t always realize it. Every minute, these tools keep our accounts and data secure. However, it’s important to understand how the most basic information protection mechanisms work. One of these is authentication tokens, which enhance data security while keeping services easy to use.

Anonymous Guide
Articles in this series are published for free and available to everyone. We believe everyone has the right to basic knowledge about protecting their data. (Xakep.ru)

Other articles in the series:

  • Theory and Practice of Email Encryption
  • Types of Encryption and Traffic Protection, Choosing Software
  • How to Encrypt Jabber Chats: Step-by-Step Guide
  • Creating a Spy USB Drive with the Secure Tails OS

If you find these materials basic, great! But you’ll do a good deed by sharing them with friends, family, and acquaintances who are less tech-savvy.

Signing Data

Both people and programs need to know that data was created by a trusted source and hasn’t been altered. That’s why the technology of generating a special hash (signature) was invented, confirming the integrity of information and the authenticity of its sender/creator. Creating this signature involves several steps designed to protect data from forgery.

HMAC Generation Scheme
HMAC (hash-based message authentication code) generation scheme

The hashing algorithm can vary, but the core idea is simple and consistent: to confirm the integrity of a message, you need to generate the signature for the protected data again and compare it to the existing signature.

Creating Access Codes

The inventors of two-factor authentication probably followed the principle “two heads are better than one.” And it’s true—two passwords are definitely safer than one. But passwords sent by a website via SMS aren’t completely secure: messages can often be intercepted. Authentication apps, on the other hand, are designed to fully protect the login process. Let’s take a closer look at how they work.

Creating secure one-time passwords involves two steps:

  1. Initial setup—enabling two-factor authentication.
  2. Using the password—entering the code and submitting it for verification.

With this setup, users can generate codes using an app on any device, following all security standards.

The initial setup involves exchanging a secret key between the server and the authentication app. This secret key is then used on the client device to sign data known to both the server and the client. This key is the main proof of the user’s identity when entering a password on the server.

In reality, the secret is just a sequence of random characters encoded in Base32 format. It’s at least 128 bits long, and often up to 190 bits. Users see this sequence as text or a QR code.

QR Code for Secret Exchange
This is what a QR code for secret exchange looks like

How does the app generate one-time codes? It’s simple: the app uses the key to hash a value (usually a number), takes a specific part of the resulting hash, and displays it as a six- or eight-digit number. Originally, this number was based on a simple login counter. The server tracked how many times you logged in, and the app knew how many times you requested a one-time password. This value was used to create each new code. Modern apps use the current time instead, which is much more convenient for users: login counters often got out of sync and had to be reset.

Let’s try calculating an authorization code ourselves. Suppose you want to post a photo of a beautiful New Year’s firework right at midnight, which means you need a one-time password to log in. Take the New Year’s time in UNIX format (1577811600000) and calculate the code’s sequence number: divide by 30 seconds—52593720. Use your secret to compute the hash—according to RFC 6238, this is the SHA-1 function:

$ echo -n '52593720' | openssl sha1 -hmac 'QWERTYUI12345678'
e818e7f3efcb625658c603b08b12522f1e4d160a

Don’t forget the -n argument for echo to avoid an unwanted newline, or the hash will be different.

Now, take the last four bits of the hash (the offset), which is a or 10. At this offset, you’ll find your code in bytes—03b08b12 = 61901586. Keep only the last six digits, and you get your new one-time code: 901586.

Logging into an App

No modern app asks for your password constantly, since that would annoy users. That’s why developers and cryptographers invented tokens, which can replace the login-password pair. The goal wasn’t just to hide information, but to create a standard for storing and verifying it. This led to the creation of JSON Web Token (JWT) technology.

How Does JWT Work?

If you have data whose authenticity needs to be confirmed, you sign it with a secret key using HMAC. The hashing method is the same as for one-time passwords, but instead of six digits, you use the entire hash. The only difference is the hashing algorithm: SHA-1 is considered too short and insecure for tokens, so SHA-256 is usually used.

The main purpose of JWT is to confirm the identity of the token’s creator and the associated data. Typically, the token contains a username or another user identifier.

Let’s create a token. Continuing our New Year’s photo story: you entered a one-time password, the server confirmed your identity, and now wants to issue a token so you can access the app.

Any token consists of three parts: a header with service information, the data, and the signature. Since SHA-256 is the security standard, we’ll specify it in the header:

{
  "alg": "HS256"
}

The token’s payload will store the account ID you just logged into:

{
  "user_id": 123456
}

Encode the header and payload in Base64 and join them with a dot. This allows safe data transfer over HTTP: eyJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjogMTIzNDU2fQ. Now, knowing both the data and the header, you can compute the hash using your password—QWERTYUI12345678:

$ echo -n 'eyJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjogMTIzNDU2fQ' | openssl sha256 -hmac 'QWERTYUI12345678'
e0a6b48a961ee3fc7eb38afcdb1a8ef22efb0572e1d5333b85db2aa66919e98e

Convert this hash to Base64 and append it to the header and payload string: eyJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjogMTIzNDU2fQ.4Ka0ipYe4/x-s4r82xqO8i77BXLh1TM7hdsqpmkZ6Y4—and that’s your token. You’re good to go!

The Same Secret, Just as Text
The same secret, just as text

Conclusion

Now you know what happens every day when you open your browser and log into a web service. By understanding how this works, you can better protect your data—and maybe even use some of these methods in your own projects.

Leave a Reply