API authentication is about proving that whoever is trying to access an API is who they say they are. This is sometimes confused with authorization, which is about proving that whoever is trying to access data via the API has the right to access that data. In this article we’ll discuss the main API authentication methods (HTTP basic authentication, API keys and OAuth2) and whether they provide sufficient protection for your APIs.
An API authentication protocol verifies the identity of the client attempting to access a backend system. Authenticating the client is often interpreted as authenticating the user but, as we’ll see, that can be misleading.
How are APIs authenticated?
HTTP basic authentication involves simply transmitting the username and password with every API request and, as such, is insecure and not recommended as an authentication method. APIs secured with this method are vulnerable to attack, in particular a Man-in-the-Middle (MitM) attack, in which a threat actor intercepts API communications in order to monitor and exploit traffic requests.
API keys were largely adopted to overcome the security issues of solutions like HTTP basic authentication. However, even with Transport Layer Security (TLS) providing end-to-end encryption of API communications, API keys are vulnerable to abuse: they can be accidentally exposed through insecure coding, or stolen through reverse engineering of the app or a Man-in-the-Middle attack. Once in the hands of a threat actor, API keys can be used for exploits such as credential stuffing, automated account creation, account takeover or Distributed Denial of Service (DDoS).
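The exposure described above is hard to prevent on the client side, so the backend should be built so that a leaked key does as little damage as possible. The following is an added example (not code from the article or from any product it mentions) of one way to do that: keys carry an id prefix, only a SHA-256 digest of each key is stored, verification is constant-time, and every key has an expiry, a revocation flag and a per-minute quota so that automated reuse of a stolen key is throttled. The key format, class and field names are hypothetical.

```python
"""Added example: containing the damage of a leaked API key on the server side."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple


class ApiKeyStore:
    """Hypothetical key store: keeps digests, never plaintext keys."""

    def __init__(self, rate_limit_per_minute: int = 60):
        self._records: Dict[str, dict] = {}   # key id -> record
        self.rate_limit = rate_limit_per_minute

    def issue(self, owner: str, ttl_seconds: int, now: float) -> str:
        """Create a key of the form ak_<id>_<secret>. The plaintext is returned
        once to the caller and is not retained; only its digest is stored."""
        key_id = secrets.token_hex(4)
        key = f"ak_{key_id}_{secrets.token_hex(32)}"
        self._records[key_id] = {
            "owner": owner,
            "digest": hashlib.sha256(key.encode()).digest(),
            "expires": now + ttl_seconds,          # forces rotation
            "revoked": False,
            "window": (int(now // 60), 0),         # (minute bucket, calls so far)
        }
        return key

    @staticmethod
    def _key_id(key: str) -> str:
        parts = key.split("_")
        return parts[1] if len(parts) == 3 and parts[0] == "ak" else ""

    def revoke(self, key: str) -> None:
        rec = self._records.get(self._key_id(key))
        if rec is not None:
            rec["revoked"] = True

    def authenticate(self, key: str, now: float) -> Tuple[Optional[str], str]:
        """Return (owner, "ok") for a usable key, otherwise (None, reason)."""
        rec = self._records.get(self._key_id(key))
        presented = hashlib.sha256(key.encode()).digest()
        # Always compare 32 bytes, even for an unknown id, so response timing
        # does not reveal whether the id exists.
        stored = rec["digest"] if rec is not None else bytes(32)
        matched = hmac.compare_digest(stored, presented)
        if rec is None or not matched:
            return None, "unknown"
        if rec["revoked"]:
            return None, "revoked"
        if now >= rec["expires"]:
            return None, "expired"
        # Per-key sliding minute bucket: a flood from one stolen key is throttled
        bucket, count = rec["window"]
        minute = int(now // 60)
        if minute != bucket:
            bucket, count = minute, 0
        count += 1
        rec["window"] = (bucket, count)
        if count > self.rate_limit:
            return None, "rate_limited"
        return rec["owner"], "ok"
```

A denied request returns a reason only for the server's logs; the client should see a uniform 401/429 so that "unknown" and "revoked" are not distinguishable from the outside.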
OAuth2 is an open authorization framework for secure access delegation. User authorization is delegated to an authorization service through an access token, which has a lifetime of anywhere between a few hours and a few weeks. That lifetime is the window in which a stolen access token can be reused by scripts or bots. While the OAuth2 flow allows you to authenticate and authorize who is trying to access your backend APIs, you also need to be able to identify what is making that request. Is it a bot or script? Is it an attacker using an instrumentation framework? Has your mobile app been cloned or manipulated?
A second independent factor is needed to authenticate the app as well as the user, while at the same time providing additional protection of the OAuth2 access token.
Approov Mobile App Protection uses short-lived cryptographic tokens to attest the authenticity of your app to backend APIs and services. All API communications are protected from malicious observation or interference, ensuring that only your official mobile app, operating in an untampered environment, can access your API. Potentially unsafe mobile device environments such as rooting/jailbreaking and hooking frameworks are detected, and bots, scripts and cloned apps are blocked at the edge.
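To make the two-factor idea of the last three paragraphs concrete, here is an added example (not Approov's code, nor any other product's) of a backend check that demands two independent tokens on every call: a long-lived OAuth2 access token that says who the user is, and a short-lived attestation token that says which app instance is calling. Both are compact HS256 JWT-style tokens built with the standard library; the two signing keys, the `X-App-Attestation` header and the claim names are assumptions made for the example. How an attestation service decides an app is genuine is outside the scope of the example; it only shows why a stolen user token on its own stops working once the attestation it was paired with expires.

```python
"""Added example: requiring a user token AND a short-lived app attestation."""
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Hypothetical keys: one held by the OAuth2 authorization server, one by the
# app-attestation service. The API verifies each token against its own key.
AUTHZ_SERVER_KEY = b"constructed-authz-server-secret"
ATTESTATION_KEY = b"constructed-attestation-service-secret"

USER_TOKEN_TTL = 8 * 3600   # access tokens live hours to weeks, as the article says
ATTESTATION_TTL = 5 * 60    # attestation lives minutes, so theft buys very little


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(key: bytes, claims: dict, ttl: int, now: int) -> str:
    """Sign claims as a compact header.payload.signature token (HS256)."""
    body = dict(claims, iat=now, exp=now + ttl)
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(body, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(key: bytes, token: str, now: int) -> Optional[dict]:
    """Return the claims when the signature verifies and the token is unexpired."""
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        # Constant-time comparison: a forged signature must not leak how close it was
        if not hmac.compare_digest(expected, _unb64url(sig)):
            return None
        claims = json.loads(_unb64url(payload))
    except ValueError:   # wrong number of parts, bad base64 or bad JSON
        return None
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if not isinstance(exp, int) or now >= exp:
        return None
    return claims


def authorize_request(headers: dict, now: int) -> Tuple[bool, str]:
    """Admit a call only when the user token AND the app attestation both verify."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return False, "missing access token"
    user = verify_token(AUTHZ_SERVER_KEY, auth[len("Bearer "):], now)
    if user is None:
        return False, "invalid or expired access token"
    # Second, independent factor carried in a hypothetical X-App-Attestation header
    app = verify_token(ATTESTATION_KEY, headers.get("X-App-Attestation", ""), now)
    if app is None:
        return False, "invalid or expired app attestation"
    return True, f"user {user.get('sub')} via app {app.get('app')}"


if __name__ == "__main__":
    now = 1_700_000_000
    user_tok = issue_token(AUTHZ_SERVER_KEY, {"sub": "alice"}, USER_TOKEN_TTL, now)
    app_tok = issue_token(ATTESTATION_KEY, {"app": "com.example.mobile"}, ATTESTATION_TTL, now)
    hdrs = {"Authorization": "Bearer " + user_tok, "X-App-Attestation": app_tok}
    print(authorize_request(hdrs, now + 60))    # both fresh: admitted
    print(authorize_request(hdrs, now + 600))   # attestation expired, user token still valid: refused
```

The point of the second call at the bottom is the one the article makes: an access token lifted from a device keeps verifying for hours, but without a fresh attestation from the genuine app it no longer opens the API.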