Basic Authentication Process
Basic Authentication is a challenge-response authentication mechanism: the server challenges the client to provide authentication information. Keep in mind that usernames and passwords are transmitted in cleartext (only Base64 encoded) across the network with each request. Unfortunately, Basic Authentication is susceptible to attacks and does not support Multi-Factor Authentication.
During this process, a mutual secret must be established between the client and the server. The "mutual secret", in this case, is the user's credentials. If the user sends their credentials, and these credentials match what the server has in its database, a mutual secret has been established and the server has proof that you are who you say you are.
General issues with Basic Authentication:
- Credentials are not encrypted.
- If the server is compromised, the attacker will have access to all stored credentials.
- Credentials are sent in every request.
General process:
- The client sends an anonymous request to the server. The first request is always anonymous because the client has no way of knowing that the server requires authentication.
- The server replies with a 401 and adds a response header with the authentication method it supports and a realm (WWW-Authenticate: Basic realm="WallyWorld").
- This instructs the browser to deliver a pop-up for the end user to submit their credentials.
- The end user submits credentials.
- The credentials are transmitted in cleartext across the wire. They are not encrypted, only Base64 encoded.
- The server receives the credentials and compares them with the stored credentials it has in its database.
- If they match, it grants access; if not, it sends back a 401.
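The exchange above, as an added example that is not part of the original post: a minimal client-side header builder and a server-side handler that issues the 401 challenge with the realm from the page, decodes the Base64 header (showing why it is encoding, not encryption), and compares the result against a credential store. The store, the username "alice", her password, and the choice to keep salted PBKDF2 hashes rather than plaintext passwords are assumptions made for this example; the hashing is a mitigation for the "server compromised, attacker has all credentials" issue listed above, not something the page prescribes.

```python
import base64
import binascii
import hashlib
import hmac
import os

REALM = "WallyWorld"  # realm value taken from the page's example challenge


def make_record(password: str) -> tuple:
    """Constructed credential record: (salt, PBKDF2-SHA256 hash).
    Storing a hash instead of the plaintext limits the damage if the store is stolen."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


# Constructed user database for this example (hypothetical user and password).
USER_DB = {"alice": make_record("correct horse battery staple")}


def build_authorization_header(username: str, password: str) -> str:
    """What the browser sends after the user fills in the pop-up."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_authorization_header(value: str):
    """Server side: Base64 is reversible, so anyone who sees the header
    recovers the credentials. Returns (username, password) or None if malformed."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    username, sep, password = raw.partition(":")
    if not sep:
        return None
    return username, password


def verify(username: str, password: str) -> bool:
    """Compare submitted credentials against the store in constant time.
    An unknown user is still hashed so response timing does not reveal which
    usernames exist."""
    record = USER_DB.get(username)
    salt, stored = record if record else (b"\x00" * 16, b"\x00" * 32)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return record is not None and hmac.compare_digest(candidate, stored)


def handle_request(headers: dict):
    """Returns (status_code, response_headers) for one request, following the
    anonymous-request -> 401 challenge -> credentials -> 200/401 flow."""
    challenge = {"WWW-Authenticate": f'Basic realm="{REALM}"'}
    auth = headers.get("Authorization")
    if auth is None:
        return 401, challenge  # first (anonymous) request: issue the challenge
    creds = parse_authorization_header(auth)
    if creds is None or not verify(*creds):
        return 401, challenge  # malformed or wrong credentials: challenge again
    return 200, {}


if __name__ == "__main__":
    status, hdrs = handle_request({})
    print(status, hdrs)  # 401 with the WWW-Authenticate challenge
    hdr = build_authorization_header("alice", "correct horse battery staple")
    print(hdr, "->", parse_authorization_header(hdr))  # decodes straight back
    print(handle_request({"Authorization": hdr})[0])  # 200
```

Note that `parse_authorization_header` is exactly what an observer on an unencrypted path could run on a captured header; this is why Basic Authentication only makes sense over TLS, and why the per-request transmission listed above matters more than it would for a one-time login.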
Read more at https://jenkins96.github.io/2024-04-11-Basic-Authentication/