Is JWT authentication secure enough?

4 min reading time
Brian Diephuis
Head of Engineering

In short:

  • The JWT (JSON Web Token) is becoming increasingly popular as an identifier in software development, but there are doubts about its security.
  • Proponents claim that JWT's encryption is strong enough to prevent changes, while others are concerned about the risk of abuse and hacking.
  • Despite divided opinions, it remains important to ensure JWT's safety, with ongoing monitoring and development to address any weaknesses.

The JWT (JSON Web Token) is becoming increasingly popular among developers as an “identifier”: a means by which you identify yourself to a piece of software. The JWT is a newer technique that makes the login experience and authentication faster and more powerful. For us, this token is a source of discussion, especially about the safety of the JWT.

What does a JWT do?

First, a brief explanation of the JWT. You have probably noticed that these days you can increasingly log into a website or webshop with your Google or Facebook account. That is convenient, because you do not have to create yet another account. A JWT is used to make this work. The website where you want to create an account sends a request to, for example, Google, and Google then sends a JWT back to the site via an API that connects the website to Google.

A token in three parts

This token consists of three parts: a header, a payload (the content), and a signature. Together they contain everything the website needs to know to recognize you and to legitimize your information. After all, logging in is only half the story; it must also be clear what rights the site you are logging in to has. Of course, that site is not supposed to be allowed to follow your Facebook account for the rest of your life.

Quick solution

At first glance, a JWT is ideal. It saves time and effort and is widely regarded as a safe alternative. After all, you request the information yourself and give permission for it yourself. In that regard, it is no different from a normal login. For programmers, it has the advantage that it is very easy to implement. And less time means less money.

Is the JWT safe?

But is it also safe? Opinions are divided on this. In fact, in our own workplace there are sometimes discussions about it. For example, developer Tyrone believes it is not safe, while his colleague Joey is convinced that it is.

Against

“The problem with the JWT is that with the token, the user himself hands over a package that says, 'This is me and I can do all this on your website,'” explains Tyrone. “This way, you completely relinquish control over the user's identity and rights. As long as the package's signature is valid, we believe everything in the package. At the moment, the JWT is so secure that if it is changed, the token will automatically become invalid, but history has shown that hackers will be able to find a solution sooner or later. It is a potential gold mine for them to hack JWTs.

“In addition, you have the problem that if a JWT token is compromised, you cannot simply deny access. This is because the user still has a valid package from your website with the correct signature. Of course, you can then keep track of all the JWT packages you have issued and record that a package has become invalid, but then you are working on a heavier form: the old Cookies system.”

For

Joey disagrees. “I do believe that the JWT's encryption is in order. It is so well encrypted that it is actually impossible to change the content. Even if someone knows where the token is and wants to change it, that person will not be able to make the appropriate changes to access and validate the content of this token correctly in the application. This is because the content of a JWT is not fixed and is therefore impossible to know or guess. Moreover, the method of encryption is not fixed. Once it appears that the JWT is vulnerable, it is possible to adapt it to a new encryption standard. There is a very superficial risk, but considering the human ability to read or change these keys and compared to the benefits of today's authentication, I think that risk is negligible.”

The last word

Of course, the most important thing is that the JWT is safe to use, both for the users and for the companies that rely on the token. And the last word on its safety has undoubtedly not yet been said, not at Thesio either. As a team, we are of course constantly working to tackle and solve this, so that all doubts about it are dispelled. In addition, we provide comprehensive logging and monitoring of all applications under Thesio's management, so that we immediately detect and sideline suspicious activity.

Do you want to know more or get advice about using the JWT? Or do you want to know more about its safety? We would be happy to think it through with you!

Need help with technical considerations?

Every day, we help dozens of clients make the right choice.