What are JSON Web Tokens (JWTs), and how do they work?

As cybersecurity experts search for new ways to increase privacy online, JWTs have become a powerful tool for authentication.

Jun 14, 2022

When a user is online, one of the most crucial moments of their "journey" is authentication: the moment (or millions of moments) when they reach for data or access and have their identity and clearance confirmed.

It is a magical moment, if only for its possibilities. Securing this millisecond is essential because it is also an obvious point for hackers to try to interfere: reach the user just as they authenticate and get access along with them, or fake the authentication process and gain access as if they had the required permissions, even though they don't.

 

What is a JWT, then?

JWTs, or JSON Web Tokens, are the most common way to identify an authenticated user. Through trial, error and constant development, weighing the (almost) unavoidable trade-off between speed and safety, many security practitioners chose to go with JWT, an open industry standard that is now used to share information between a client and a server.

 

These tokens contain JSON objects that hold the information that needs to be shared. They are signed using hashing so that any alteration of the contents can be detected.

When you use your social media account to sign in to a website, for example, the social media platform issues a JWT containing specific information and uses hashing to protect it. The website that you want to sign in to then uses the issued information to identify the end user, without your data being open and exposed.

The token is a placeholder for your sensitive information, protecting it. The system also uses hashing to ensure that nothing was changed. In other words, JWTs help protect your data as a user and, at the same time, confirm that you are really you.

 

What makes it perfect for authentication purposes?

This method is secure and has the advantage of being stored only on the client, which saves database space. It is also efficient since it's quick to verify a JWT, making it particularly useful when dealing with large systems.

 

What are the disadvantages?

The main drawback of JWT is that its creation depends on a single secret key. This makes it vulnerable: if that key is compromised, a criminal can make their own JWT, and it will be accepted. They can literally recreate any user's identity.

 

Cybersecurity experts worldwide search for ways to make it safer for users to get authenticated and then access our sensitive data or websites. Despite not being perfect, JWT is still one of the best tools for mass authentication systems.

The good news is that there are ways to protect the key and, therefore, your system. A simple and yet powerful measure is to change the secret key periodically.
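
The signing, tamper check and periodic key change described above can be sketched as follows. This is an added example, not code from the original article; it assumes HS256 (HMAC-SHA256) tokens, and the `kid` labels, secrets and function names are constructed for illustration.

```python
import base64, hashlib, hmac, json, time

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(claims: dict, kid: str, keys: dict) -> str:
    """Issue an HS256 token; the `kid` header records which secret signed it."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims))
    mac = hmac.new(keys[kid], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(mac)

def verify(token: str, keys: dict, now=None) -> dict:
    """Return the claims, or raise ValueError if the token must be rejected."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(head_b64))
        claims = json.loads(b64url_decode(body_b64))
        sig = b64url_decode(sig_b64)
        if not (isinstance(header, dict) and isinstance(claims, dict)):
            raise TypeError("header and claims must be JSON objects")
    except Exception as exc:
        raise ValueError("malformed token") from exc
    if header.get("alg") != "HS256":   # pin the algorithm on the server side
        raise ValueError("unexpected algorithm")
    kid = header.get("kid")
    key = keys.get(kid) if isinstance(kid, str) else None
    if key is None:                    # rotated-out secrets are no longer listed
        raise ValueError("unknown or retired key")
    expected = hmac.new(key, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):   # constant-time comparison
        raise ValueError("bad signature")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("expired")
    return claims

# Constructed sample secrets; real ones come from a secrets manager.
KEYS = {
    "2022-05": b"constructed-sample-secret-for-may",
    "2022-06": b"constructed-sample-secret-for-june",
}
```

Rotation here means signing new tokens with the newest `kid` and, once the old tokens' `exp` has passed, deleting the old entry from the key table so anything signed with it stops verifying.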