Application programming interfaces (APIs) handle tremendous amounts of data of diverse types. Accordingly, one of the primary concerns of most data providers is how to secure this data. The requirements that data remain unmodified, stay secret, and be readily available when it is needed are central to any discussion of API data handling and management.
In this article, we’ll discuss the differences between Basic Auth and OAuth, which are two major methods of adding security to an API. We’ll discuss the advantages and disadvantages of each approach to authentication and recommend the best approach.
Imagine the data of a user’s account is divided up and physically stored in one of the rooms of their house. One room holds all their contact information, and another room has a box full of signed letterheads.
To show a guest what’s in their house, they’ll need to give them a house key, so any person who has the key will have access to the house and the data at any time. Essentially, this is what Basic Auth or Basic Authentication is but with a user’s credentials, including their username and password, being the key.
Basic Auth only requires a user’s credentials to gain access to their online account. The application sends the account user’s credentials with every request. Although this process is straightforward, it can leave your credentials and, eventually, your online account vulnerable.
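To make concrete what "sent with every request" means, here is an added example (not code from the original article) that builds the `Authorization: Basic` header a client attaches to each request, then shows that anyone who can read that request recovers the username and password with no secret at all, because Base64 is an encoding rather than encryption. The credentials are constructed sample values, and `server_check` is a hypothetical server-side verifier that compares in constant time.

```python
import base64
import hmac
from typing import Optional, Tuple

# Constructed sample credentials for the demonstration; not a real account.
USERNAME = "alice"
PASSWORD = "correct horse battery staple"


def build_basic_header(username: str, password: str) -> str:
    """Build the Authorization header value a Basic Auth client sends on every request.

    Per RFC 7617 the value is base64("username:password"). Base64 only encodes;
    it does not hide anything from whoever sees the request.
    """
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_header(header: str) -> Optional[Tuple[str, str]]:
    """Recover (username, password) from a Basic header.

    This is exactly what an observer on an unencrypted connection can do:
    no key, no secret, just decoding. Returns None for malformed input.
    """
    scheme, _, payload = header.partition(" ")
    if scheme.lower() != "basic" or not payload:
        return None
    try:
        decoded = base64.b64decode(payload, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, pwd = decoded.partition(":")
    if not sep:
        return None
    return user, pwd


def server_check(header: str, expected_user: str, expected_pass: str) -> bool:
    """Hypothetical server-side check of a Basic header.

    Uses constant-time comparison so a wrong password is rejected without
    leaking how many leading characters matched through response timing.
    """
    creds = parse_basic_header(header)
    if creds is None:
        return False
    user, pwd = creds
    ok_user = hmac.compare_digest(user.encode("utf-8"), expected_user.encode("utf-8"))
    ok_pass = hmac.compare_digest(pwd.encode("utf-8"), expected_pass.encode("utf-8"))
    return ok_user and ok_pass


if __name__ == "__main__":
    header = build_basic_header(USERNAME, PASSWORD)
    print("header sent with every request:", header)
    # The full password comes straight back out of the header.
    print("recovered by anyone who sees it:", parse_basic_header(header))
    print("server accepts:", server_check(header, USERNAME, PASSWORD))
    print("server rejects wrong password:", server_check(header, USERNAME, "guess"))
```

The point for defenders: with Basic Auth the only thing standing between an observer and the password is the transport, which is why it must never be used without TLS, and why a leaked header is equivalent to a leaked password until that password is rotated.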
Here are a few disadvantages of basic auth:
OAuth is an open-standard authorization framework or protocol. It provides apps with the ability to secure designated access. For example, you can tell Instagram that it's OK for ESPN.com to access your Instagram profile or post updates on your timeline without having to give ESPN your Instagram password. This improves the security of your account significantly because if ESPN suffers a security breach, your Instagram password remains uncompromised.
Unlike Basic Auth, where you have to share your password with anyone who needs to access your user account, OAuth doesn’t share password data. Instead, OAuth uses authorization tokens to verify an identity between consumers and service providers. OAuth is a security framework that enables online users to approve one application interacting with another app on their behalf without the need to give away their passwords.
Your smart home devices, such as a thermostat, security systems, and toasters, use login data to sync with each other, allowing you to administer them from a client device or browser. These devices use what OAuth refers to as confidential authorization. This means that those smart home devices hold on to secret key information; thus, you don’t have to log in every time you need to access them.
Typically, OAuth is more about authorization than authentication. Authorization involves asking for permission and access rights to do things, while authentication is all about proving you’re the correct person because you have the online account credentials.
Again, unlike Basic Auth, OAuth doesn’t share authentication data between consumers and service providers; instead, it acts as an authorization protocol in some form.
An OAuth token is like the valet key. As an account user, you can tell consumers what they can use and what they can’t use from every service provider. This way, you can give each consumer a different key, so they never get to have the full key or any of the confidential data that may give them access to the full key.
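To show the valet-key idea in working code, here is an added example (not the article's own code and not any real OAuth library): a hypothetical in-memory authorization server that issues a separate token to each consumer with only the scopes the user approved, and a resource server that accepts a bearer token for a request only if the token is valid, unexpired, unrevoked, and carries the required scope. The consumer names, scope names and the `AuthorizationServer`/`ResourceServer` classes are all assumptions made for the demonstration; the user's password never appears anywhere in the flow.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional


@dataclass
class Grant:
    """What one consumer was allowed to do, tied to one token (the 'valet key')."""
    consumer: str            # the third-party app holding this token
    scopes: FrozenSet[str]   # the permissions the user approved for it
    expires_at: float        # UNIX time after which the token is dead
    revoked: bool = False    # the user can take the key back at any time


class AuthorizationServer:
    """Hypothetical service-provider side that mints and checks tokens."""

    def __init__(self) -> None:
        # Keyed by SHA-256 of the token, so a leaked store does not leak usable keys.
        self._grants: Dict[str, Grant] = {}

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue_token(self, consumer: str, scopes: Iterable[str], ttl_seconds: int = 3600) -> str:
        """Give one consumer its own key limited to the scopes the user approved."""
        token = secrets.token_urlsafe(32)  # 256 bits of randomness, unguessable
        self._grants[self._key(token)] = Grant(consumer, frozenset(scopes), time.time() + ttl_seconds)
        return token

    def revoke(self, token: str) -> None:
        """Withdraw a single consumer's key without touching any other consumer."""
        grant = self._grants.get(self._key(token))
        if grant is not None:
            grant.revoked = True

    def introspect(self, token: str) -> Optional[Grant]:
        """Return the grant behind a token, or None if it is unknown, revoked or expired."""
        grant = self._grants.get(self._key(token))
        if grant is None or grant.revoked or time.time() >= grant.expires_at:
            return None
        return grant


class ResourceServer:
    """Hypothetical API that guards each endpoint with a required scope."""

    def __init__(self, auth: AuthorizationServer) -> None:
        self._auth = auth

    def handle(self, authorization_header: str, required_scope: str) -> int:
        """Return an HTTP-style status: 200 allowed, 401 no valid key, 403 wrong key."""
        scheme, _, token = authorization_header.partition(" ")
        if scheme != "Bearer" or not token:
            return 401
        grant = self._auth.introspect(token)
        if grant is None:
            return 401
        if required_scope not in grant.scopes:
            return 403  # a valid key, but not one that opens this door
        return 200


if __name__ == "__main__":
    auth = AuthorizationServer()
    api = ResourceServer(auth)
    # The user approves a constructed consumer for reading the profile only.
    sports_app = auth.issue_token("sports-site", ["profile:read"])
    print("read profile:", api.handle("Bearer " + sports_app, "profile:read"))   # 200
    print("post update: ", api.handle("Bearer " + sports_app, "timeline:write"))  # 403
    auth.revoke(sports_app)
    print("after revoke:", api.handle("Bearer " + sports_app, "profile:read"))   # 401
```

Notice what a breach at the consumer costs: an attacker who steals `sports_app` gets only `profile:read` until the token expires or the user revokes it, and learns nothing that would let them mint a broader key, which is the property the full house key of Basic Auth cannot offer.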
To ensure better protection of your online accounts, OAuth is the way to go because, unlike Basic Auth, it doesn’t give away your password. That’s because OAuth is more of an authorization framework. This keeps your credentials safe.
Basic Auth, on the other hand, is an authentication protocol, which mainly focuses on proving that you're the correct person because you know something. This can leave your private information vulnerable, especially if the connection isn’t protected by TLS or you don’t set up MFA.
For further reading, check out our articles like CIAM Security and Active Directory Account Management Best Practices.