Authentication

Security

Authentication is the process of proving that a user, application, or system is who they claim to be. On the web, authentication usually happens when someone logs in with a username and password or signs in via an identity provider. Once the system verifies the credentials, it issues a session or token so the user does not need to log in on every request. Authentication is different from authorization, which decides what an authenticated user is allowed to do. Strong authentication is a core part of application security because it prevents attackers from impersonating real users. Modern systems often support multiple authentication methods, such as passwords, magic links, social login, or OAuth-based flows. Poorly implemented authentication can expose vulnerabilities such as account takeover or credential stuffing attacks.

How it works

When a user submits credentials, the system usually compares the provided secret to a stored one that has been protected with password hashing. If the check succeeds, the server creates a session record or signs a JWT containing the user identifier and possibly some metadata. The session id or token is then sent back to the client, which presents it in a cookie or header on subsequent requests. Middleware on the server checks each incoming request for a valid session or token and attaches the user identity to the request context. From there, authorization logic decides whether the operation is allowed for that user. For sensitive systems, multi-factor or two-factor authentication adds extra steps such as codes from an app or hardware keys.
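The flow described above, as an added example that is not part of the original entry: a salted password hash is verified with a constant-time comparison, a random session id is issued on success, and a middleware-style check maps the session cookie back to a user identity. The in-memory `USERS` and `SESSIONS` dictionaries are constructed stand-ins for a database.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory stores standing in for a user table and a session table.
USERS = {}      # username -> {"salt": bytes, "hash": bytes}
SESSIONS = {}   # session id -> username

def hash_password(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    # PBKDF2-HMAC-SHA256: a slow, salted hash so a leaked table cannot be reversed cheaply.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def register(username: str, password: str) -> None:
    salt = secrets.token_bytes(16)   # unique salt per user defeats precomputed tables
    USERS[username] = {"salt": salt, "hash": hash_password(password, salt)}

def login(username: str, password: str):
    """Verify the credentials; on success create a session and return its id, else None."""
    record = USERS.get(username)
    # Still hash against a dummy salt for unknown users so response time does not
    # reveal which usernames exist.
    salt = record["salt"] if record else b"\x00" * 16
    stored = record["hash"] if record else b"\x00" * 32
    candidate = hash_password(password, salt)
    if record is None or not hmac.compare_digest(candidate, stored):
        return None
    session_id = secrets.token_urlsafe(32)   # unguessable, never derived from user data
    SESSIONS[session_id] = username
    return session_id

def authenticate_request(headers: dict):
    """Middleware step: resolve the presented session cookie to a user identity, or None."""
    cookie = headers.get("Cookie", "")
    for part in cookie.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session" and value in SESSIONS:
            return SESSIONS[value]
    return None

def logout(session_id: str) -> None:
    # Server-side invalidation: a stolen or old id stops working immediately.
    SESSIONS.pop(session_id, None)
```

Authorization logic would run after `authenticate_request` returns a user, using the identity it attached.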
