Behind every login screen are standardized protocols that manage the exchange of credentials. These are the unsung workhorses.
Challenge-response: the server sends a fresh random challenge (a nonce); the client combines it with the shared secret (the password, or a key derived from it) using a keyed hash and returns the result. The server recomputes the same value and compares. The secret itself never travels the wire, and a captured response is useless against the next challenge. Used in some SASL mechanisms (e.g., CRAM-MD5 and SCRAM for SMTP, IMAP, LDAP). Stronger than plain password transmission, but a passive eavesdropper can still test password guesses offline against a captured challenge/response pair, so the exchange should still run inside TLS.
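The exchange above, as an added example that is not code from the original page or from any SASL implementation: an HMAC-SHA256 challenge-response with both sides' steps, a replay attempt that fails because the server issued a new nonce, and the offline-guessing caveat. The user store, password and wordlist are constructed demo data.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed demo credential store (not real data). For an HMAC-based
# challenge-response the server must hold the password itself or a key
# derived from it; a salted slow hash of the kind used for password storage
# would not work, because the client cannot reproduce it without the salt.
USERS = {"alice": b"correct horse battery staple"}


def issue_challenge() -> bytes:
    """Server side: a fresh, unpredictable nonce for every attempt."""
    return secrets.token_bytes(16)


def respond(password: bytes, challenge: bytes) -> str:
    """Client side: prove knowledge of the secret without sending it."""
    return hmac.new(password, challenge, hashlib.sha256).hexdigest()


def verify(username: str, challenge: bytes, response: str) -> bool:
    """Server side: recompute the tag and compare in constant time."""
    # An empty key for unknown users keeps the work (and timing) uniform.
    secret = USERS.get(username, b"")
    expected = hmac.new(secret, challenge, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, response) and username in USERS


def login(username: str, password: bytes) -> bool:
    """One full exchange: challenge -> response -> verdict."""
    challenge = issue_challenge()
    return verify(username, challenge, respond(password, challenge))


def replay(username: str, password: bytes) -> bool:
    """An attacker replays a response captured from an earlier exchange.
    Fails: the server has issued a different challenge this time."""
    old_challenge = issue_challenge()
    captured = respond(password, old_challenge)
    return verify(username, issue_challenge(), captured)


def offline_guess(challenge: bytes, response: str, wordlist: list) -> Optional[bytes]:
    """The caveat: a passive eavesdropper holding one (challenge, response)
    pair can test guesses offline at full speed. Hence: run it inside TLS."""
    for guess in wordlist:
        if hmac.compare_digest(respond(guess, challenge), response):
            return guess
    return None


if __name__ == "__main__":
    pw = b"correct horse battery staple"
    print("correct password :", login("alice", pw))
    print("wrong password   :", login("alice", b"hunter2"))
    print("replayed response:", replay("alice", pw))
    ch = issue_challenge()
    print("offline guess    :", offline_guess(ch, respond(pw, ch), [b"hunter2", pw]))
```

The `verify` step computes the HMAC even for unknown usernames so that user enumeration by response time is not trivial; `offline_guess` is the attacker's view of the same computation.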
Authentication is the first and most critical decision point in security. It is a balancing act: strong enough to resist determined attackers, yet frictionless enough that users do not subvert it. The trajectory is clear: passwords as the primary factor are ending. The future belongs to phishing-resistant credentials, passkeys and WebAuthn, augmented by risk-based continuous checks.
Session cookies: after login, the server issues a session identifier (a long random opaque token, sometimes additionally signed) in a cookie, and the browser sends it with every request. The client holds nothing but the cookie, but the server must keep a session store and look the identifier up on each request. The session is vulnerable to hijacking if the cookie is not marked HttpOnly (readable by script), Secure (sent over plain HTTP) and SameSite (attached to cross-site requests), and to fixation if the identifier is not rotated when the user authenticates.
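A minimal server-side session store with the three cookie attributes and identifier rotation at login, as an added example that is not code from the original page. The store is an in-memory dict, the TTL is a constructed value, and `missing_attributes` is a small audit helper for a captured Set-Cookie line; none of this is a specific framework's API.

```python
import secrets
import time
from http.cookies import SimpleCookie
from typing import Optional

SESSION_TTL = 15 * 60  # seconds; constructed value for the example

# Server-side session state. The cookie carries only the opaque identifier.
SESSIONS: dict = {}


def create_session(user: str) -> str:
    """Mint an unguessable identifier (256 bits) and record who it belongs to."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "expires": time.time() + SESSION_TTL}
    return sid


def rotate_session(old_sid: str) -> Optional[str]:
    """Issue a new identifier at a privilege change (e.g. login) and retire
    the old one, so an identifier planted before login (fixation) is useless."""
    data = SESSIONS.pop(old_sid, None)
    if data is None:
        return None
    new_sid = secrets.token_urlsafe(32)
    SESSIONS[new_sid] = data
    return new_sid


def lookup(sid: str) -> Optional[str]:
    """Resolve a presented identifier to a user, enforcing the lifetime."""
    data = SESSIONS.get(sid)
    if data is None:
        return None
    if data["expires"] < time.time():
        del SESSIONS[sid]
        return None
    return data["user"]


def set_cookie_header(sid: str) -> str:
    """Build the Set-Cookie value with the hardening attributes set."""
    c = SimpleCookie()
    c["sid"] = sid
    c["sid"]["httponly"] = True       # not exposed to document.cookie
    c["sid"]["secure"] = True         # only sent over TLS
    c["sid"]["samesite"] = "Strict"   # not attached to cross-site requests
    c["sid"]["max-age"] = SESSION_TTL # short lifetime, matches the server TTL
    c["sid"]["path"] = "/"
    return c.output(header="").strip()


def missing_attributes(set_cookie: str) -> list:
    """Audit helper: which of the three hardening attributes a Set-Cookie
    line lacks (attribute names are case-insensitive)."""
    attrs = {p.strip().split("=", 1)[0].lower() for p in set_cookie.split(";")[1:]}
    return [a for a in ("httponly", "secure", "samesite") if a not in attrs]


if __name__ == "__main__":
    pre_login = create_session("anonymous")
    SESSIONS[pre_login]["user"] = "alice"   # authentication succeeded
    sid = rotate_session(pre_login)
    print(set_cookie_header(sid))
    print("old id still valid:", lookup(pre_login) is not None)
    print("weak cookie lacks :", missing_attributes("sid=abc123; Path=/"))
```

Binding the session to an IP address, as the mitigation table suggests, can be added to the stored record, but it breaks users on mobile networks whose address changes mid-session; a device fingerprint or re-authentication on sensitive actions is usually the gentler choice.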
| Attack | Mechanism | Mitigation |
| :--- | :--- | :--- |
| Phishing | Fake login page steals credentials | WebAuthn (origin-bound), password managers (they will not auto-fill on the wrong domain), user training |
| Credential Stuffing | Automated logins using breached username/password pairs | Block known-breached passwords, rate-limit, require MFA |
| Man-in-the-Middle (MITM) | Attacker intercepts or proxies traffic | TLS everywhere, certificate pinning, mutual TLS |
| Session Hijacking | Steals the session cookie after login | HttpOnly/Secure/SameSite cookies, short session lifetimes, rotate session IDs, bind session to device fingerprint (IP binding breaks roaming users) |
| Pass-the-Hash (Windows) | Attacker reuses an NTLM hash without cracking it | Disable NTLM, use Kerberos with FAST armoring, Credential Guard |
| Biometric Spoofing | Fake fingerprint, photo of a face | Liveness detection (blink, movement, heat), multi-modal fusion |
| MFA Fatigue | User approves a push notification they did not trigger | Require number matching or transaction-specific confirmation |