What is API Authentication?
In the classic French thriller “Diva,” a crook mocks a police officer’s badge by saying, “ID? That stands for ‘idiot’s delight.’” The film came out in 1981, the same year as the IBM PC. The sentiment on display was ahead of its time. The bad guy was anticipating the cybersecurity problem of authentication, which is now reaching crisis proportions. System access should only be granted to users who can prove they are who they say they are. This is a foundation of cybersecurity. Otherwise, it’s “idiot’s delight,” and unauthenticated or falsely authenticated users will gain entry into places where they don’t belong.
The issue is all the more pressing when it comes to application programming interfaces (APIs), which often sit in front of vast stores of sensitive information. API authentication is the solution to user authentication. It enables API owners to guard against improper API access from users who cannot verify their identities.
A proven API authentication method
API authentication is a combination of technology and process that proves or verifies the identities of users who want access to an API. Specifically, API authentication involves the use of a software protocol to verify that users are who they claim to be when a client makes an API call. API authentication solutions are usually set up to block access to an API if they detect something wrong with the user’s identity during the API call. It’s online verification of ID, a gatekeeping countermeasure that defends APIs from access by malicious actors. Remember, too, that in many cases, the API user is a machine, not a person.
The importance of API Authentication
API authentication is critical for API security and, more broadly, cyber defense of the entire enterprise. APIs represent points of access to data, which can be valuable or highly sensitive. APIs can also provide access to software functionality. Without API authentication, unknown and untrusted users can get access to the data or functionality the API provides. Risks include data breach, corruption or deletion of data, and denial of service (DoS) attacks.
Done right, API authentication reduces the likelihood of such attacks. It can also mitigate their impact should an attack occur. API authentication also leads to greater user trust. In many use cases, especially those that involve financial information or personal data, users actually like it when API authentication is in effect, even if the process adds extra steps to log in. It makes them feel more confident that their data is being protected.
What are API keys?
An API key is a unique numeric identification code that authenticates an API user. It’s the basic element of API authentication. In particular, a known API user will have an established API key. When requesting access to the API, the user will submit the key to the API security solution. The API security solution will, in turn, either grant or deny access to the API based on the validation of the API key. This process usually occurs without a human user having to take any specific action. Rather, this handshake and key inspection process occur on a machine-to-machine basis, out of view. A first-time API user will have to receive an API key, which usually occurs after the individual’s (or machine’s) identity has been validated by other means.
How does API Authentication work?
API authentication works through the presentation of a credential and/or supporting data points, followed by its acceptance or rejection. The credential can be an API key, a username/password pair, or a digital token. Supporting data points can be information related to the user’s device or location. For example, if a user is based in Boston, but the device using her credentials is located in London, then the user claiming the identity may not be who she says she is. Either the user went to London, or someone is spoofing her device. A good API authentication solution, properly configured, should be able to detect such anomalies and respond to them by blocking the user—at least until further verification steps, like one-time passwords, can be taken.
API authentication vs API authorization
Authentication alone is not enough to ensure API security. After all, authentication only establishes a user’s identity. It does not determine what kind of API access he or she is entitled to have. That is a matter of authorization. It’s like the difference between a key to a building and a key to a room inside that building. The first key gets you in. That’s authentication. The second key lets you into a specific room. That’s authorization. With APIs, authorization is about what level of access the user is entitled to receive.
Types of API authentication methods
There are three popular methods for API authentication:
- HTTP Basic Authentication—Considered the simplest form of API authentication, it only requires users to have a username and password created with Base64 encoding. There are no session IDs or cookies. The method uses the HTTP header, making it quite simple and straightforward. No other solutions are needed.
- API Key Authentication—Created to make up for the weakness of shared credentials, which made HTTP Basic Authentication a deficient approach to authentication. With API key authentication, the API security solution authenticates the API key, at which point the server confirms the user’s identity and allows him to access the API. The API key is sometimes called a 'bearer token'. The rationale is that if you have the token (are the bearer of the token) you can 'talk' to the API.
- OAuth Authentication—Able to handle authorization as well as authentication. The API requests authentication, which takes the form of an OAuth token that is forwarded to an authentication server, which accepts or rejects it. The token has limited allowed uses and often an expiration time.
Pros and cons of popular methods
The popular methods of API authentication have their good and bad points. HTTP Basic Authentication, for example, is simple to use. That’s a big plus. At the same time, the sharing of the username and password pair creates risk exposure, particularly for man-in-the-middle attacks. The process should be protected by a secure socket layer (SSL).
API keys are an improvement over HTTP Basic Authentication. The long keys are usually unguessable. The downside comes from the fact that API keys do not work for authorization. An attacker with an API key is usually able to enjoy unfettered access to all the data and processes represented by the API.
OAuth is considered robust. It’s widely supported and favored for API authentication with mobile applications. The only issues are that OAuth is more complicated to deploy and manage. It requires a dedicated solution, and there are costs to acquire and support the solution.
API authentication is a critical countermeasure to deploy in defending APIs from malicious access. It is a combination of processes and technologies. Three methods of API authentication predominate. Of these, OAuth is viewed as the most effective, though it can be complicated to administer. To work effectively, API authentication needs to be paired with API authorization—ensuring that only verified users can access the data and processes for which they have permission.
How Noname can help
Noname’s API security platform can help you protect your APIs with authentication issues. We test APIs early and often throughout the SDLC, so authentication issues are discovered and remediated sooner rather than later. You can quickly re-test for vulnerabilities previously discovered to confirm the fixes have taken effect. Early testing in pre-production environments can reduce or eliminate threats like broken user authentication issues before they can be exploited.
For APIs in production, we provide runtime protection to monitor and analyze all API traffic. Our platform has an established baseline for many types of APIs, like REST, GraphQL, SOAP, gRPC. By having a baseline for normal API communication methods, our anomaly detection, powered by AI and machine-learning, can pinpoint when an attacker is trying credential stuffing or password spraying against an API. We can also alert you if there are surges of authentication failures – a typical outcome of probes for weak user authentication.
If an attack has been identified, Noname offers a flexible range of ancient response options. This includes integrations with ticketing systems like JIRA or Service Now, which allow Noname alerts to be triaged by your security team. You can also elect a fully automated approach to incident response, which immediately blocks the IP address for predetermined time period. Our platform can de-authenticate a client's access token at the API gateway. APIs without proper authentication are automatically cited as vulnerable.
Lastly, our platform dynamically creates an inventory of all of your APIs. You can catalog your APIs based on hostname, path/URI and HTTP method. Beyond knowing how many APIs you have, you also get insight into the types of sensitive data that traverse your APIs. You can even create custom data types to accommodate business-specific data, and restrict sensitive data in API communications.
For example, a policy to disallow credit card numbers from ever leaving an API could be created. Any policies on data are enforced by the platform's runtime protection including policies around authentication token use.