What is basic authentication? Explained in simple terms!

Summary

The technology world is full of jargon and acronyms and funny words. In this Tech Speak series, we try to explain these in simple terms as well as provide additional information if you want to go deeper.

Term: Basic Authentication

AKA: Basic Auth, Basic Access Authentication, HTTP Basic Authentication, Authentication Popup, HTTP Authentication Popup

Oneliner: Basic authentication is a small browser popup that can show up on a web page that requires you to provide a username and password to access the web page.

Short description: Basic authentication is a small browser popup that can show up on a web page that requires you to provide a username and password to access the web page. This is different from login forms on websites where the username and password are from when you registered on the site. Basic auth is not personalized for each user and has only one set of credentials (username and password) that everyone uses. Usually, if you go to a web page and immediately there’s a login popup, that’s basic authentication. But, if you click a login link on the website, that’s using a different type of authentication method.

Example use case: You are a short story writer, and you’ve submitted your story to a website that showcases short stories. The website administrator uploaded your story to the website but put it behind basic authentication so that the general public can’t look at it yet. They want to get your approval before making it public.

The admin gave you the username and password to use for the login popup. You got permission to share the credentials with your friend so they can doublecheck the story as well. You share the username and password over the phone with your friend and they login with the basic authentication popup and read your story. Once you both have reviewed and approved, the admin removes basic authentication from the story and it’s available to the public.

Keep in mind: Most websites don’t use basic authentication. If they have an authenticated area of the website, you would typically create an account on the site and use your username and password to log in. But, there are times when basic auth makes sense.

How does basic authentication work?

Basic auth is a simple authentication method that has been around since 1993. Although it’s not as secure as other authentication methods, it’s the easiest way to add access control to a website. It doesn’t require browser cookies or custom login webforms.

At a high level, basic authentication follows these steps:

1. The user goes to a web page with basic auth configured.
2. The browser requests the web page content from the web server.
3. The web server sends back a special status code that indicates the page requires a basic auth username and password.
4. The browser displays a small popup that has username and password fields on it.
5. The user fills in the username and password in the popup and submits.
6. The browser encodes the username and password and sends the data to the web server.
7. The web server decodes the information and checks the username and password to make sure it matches its data.
8. If the credentials match, the web server sends the web page content.
9. The browser saves the credentials so you don’t have to enter it for every web page.
10. When requesting another web page with the same basic authentication, the browser will send the encoded information it has saved for the web server to check.

One thing to note is that there is no official “logout” mechanism for basic auth. But, there is a hack to workaround this. For example, if you are logged into example.com, you can put this in your browser to “logout”: https://log:out@example.com

This is because you can login using a similar pattern: https://username:password@example.com so you are just logging in with the wrong credentials to “logout”. So, really, you could put anything you want as long as it’s the wrong information, e.g. https://hello:world@example.com!

Are there different types of web authentication?

Yes! Basic authentication is the simplest type of web authentication, but there are many other authentication methods. We won’t go into details or list all the possible methods, but here are a few: 

• Digest Authentication: This is similar to basic authentication but a bit more secure as it “scrambles” the username and password to make it harder to hijack.
• Form-based Authentication: This is the type of authentication you use all the time when you log into the websites you use every day. From online shopping to banking to membership sites, you register a username and password and use this to log in. This access control often adds a “cookie” in your browser so you don’t have to keep logging in for each page.
• Token-based Authentication: After a username and password are entered, the user gets a special “token” and then that token is used behind-the-scenes to authenticate subsequent website requests.
• Two-Factor Authentication (2FA/TFA): This authentication methods add more security on top of other access controls. You probably have used this by getting a text message or email with a code that you have to paste into a website.

How is basic authentication different than the login for a CMS like Drupal or WordPress?

You may use a content management system (CMS) like WordPress or Drupal. These systems have their own authentication methods. By default, you have form-based authentication as described previously. There are ways of adding more authentication methods to CMSs like Drupal or WordPress by using plugins.

You can use basic authentication with a CMS. You can also combine basic auth with other forms of authentication like the standard form-based authentication. It really depends on what you are trying to accomplish.

As mentioned in the example scenario above, one place where basic auth can be helpful is to allow non-logged-in users to access some information that hasn’t been published yet. That is one use case. It might be for a client’s case study that needs approval or a new legal page that the legal team must review.

You might also want to add basic authentication for your CMS website if you use it for editing but your public website is static. For example, you edit at edit.example.com but your website is example.com. Adding basic auth for edit.example.com is a simple way to keep robots out and hopefully hackers as well. But, since basic authentication isn’t as secure as other methods, you should also make sure that each content editor on your CMS site has their own login using a strong password.

Basic authentication resources

Learn more about basic auth and related concepts by checking out these resources:

• Basic access authentication (Wikipedia)
• HTTP authentication (Mozilla)
• Basic authentication scheme (Mozilla)
• The 'Basic' HTTP Authentication Scheme (IETF)
• "Basic Authentication" in Five Minutes [video] (OktaDev)
• Web Authentication Methods Compared (TestDriven Labs)
• The Difference Between HTTP Auth, API Keys, and OAuth (Nordic APIs)
• Understanding Authentication In Websites: A Banking Analogy (Smashing Magazine)

About QuantCDN

Quant is a global static edge; a CDN combined with static web hosting. We provide solutions to help make WordPress and Drupal sites static, as well as support for all popular static site generators.