API Security – How do you authenticate and authorize?

Authenticate and Authorize

Mobile apps have filled many gaps that traditional software failed to fill. Business challenges themselves are also getting more granular and user-centric, and as a result, app purchases today sound far more practical than software licenses do. This extends from booking business travel tickets to ‘DM’ing clients to keep them updated at all times.

The app economy, however, owes its success to the “Application Programming Interface” (API).
In simple words, an API establishes a connection between two applications.

Let’s use an example to understand APIs better:
Say you want to purchase CRM software for your marketing team, and you have the option of buying it through PayPal. Here, the API establishes a connection between your bank’s website servers and PayPal, allowing you to make the payment.

While this is a simple use case, APIs have become an integral part of today’s technology-first world.
Home automation, the most exciting innovation of our times, is also driven by APIs.

API is great! But, is it 100% secure?

APIs are a game-changer. However, an API’s access to the database means there is a chance of a data breach.
The best example is the Facebook–Cambridge Analytica data scandal, which began after Cambridge Analytica found a loophole in Facebook’s API infrastructure.
Here’s what happened: Cambridge Analytica, a UK-based data analytics company, helps political campaigns reach voters online. Aleksandr Kogan, a lecturer at the University of Cambridge, developed an app, “thisisyourdigitallife”, which asked users to log in through their Facebook profile; this was possible because of the API. The app then got access to 50 million users’ data, and the count eventually scaled up to about 87 million!

Nevertheless, Cambridge Analytica did get access to the data legitimately, as integrating applications with services via an API is relatively common. It was the loophole in Facebook’s API that allowed the application to access all of that data.

This incident certainly throws light on the need to secure APIs. In many cases, millions of customer records are exposed because of poorly secured APIs, which clearly shows why an API must authenticate and authorize its callers properly.

So, let’s look at some popular ways to authenticate and authorize APIs.

Ways to authenticate and authorize API

Typically, there are three common methods to authenticate and authorize an API: Basic Auth, API Keys, and OAuth.

1. Basic Auth: You only need a username and a password to authenticate the identity. The credentials are sent base64-encoded, not encrypted, so they are incredibly easy to decode. Basic Auth is usually carried over plain HTTP or over SSL. The security here is bare minimal: over HTTP nothing is encrypted, so the Authorization header can be read and copied into a malicious request, and SSL slows down the response time.

2. API Keys: A unique string of alphanumeric characters, known as the ‘API key’, is assigned to the user on first use and establishes the user’s identity. The user must then present this API key to get access. API keys are an industry standard because the authentication happens quickly. However, security is still not guaranteed, because data can be exposed as a result of a stolen API key.

3. OAuth: In a broader sense, OAuth covers both authentication and authorization. When a user logs in to a system that requests a token, the request is forwarded to an authentication server, which allows or rejects it; this step performs the function of authorization.
For instance, when you book a cab on Uber, you receive a message “Allow Uber to access your location”, and only when you grant that permission does Uber take your location details.

Usually, OAuth 2.0 combined with OpenID Connect (an authentication layer built on top of it) is considered a holistic measure for securing an API, as it gives the user restricted access to the system without sharing their credentials.

Therefore, authentication means validating identity and authorization means verifying the privileges of the user; either process alone cannot guarantee optimal security for the API.
So, when you put both authentication and authorization strategies in place, you take a significant step towards securing the API.
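As an added example (not the post’s own code), here is a minimal Python request gate that keeps the two steps above separate: it first authenticates a Basic Auth or API-key caller, then authorizes the call against a per-endpoint scope, so a valid credential without the right privilege is still refused. The users, keys, scopes and endpoints are constructed for the demo.

```python
import base64
import hashlib
import hmac

# Constructed sample principals. API keys are stored only as SHA-256 digests,
# so a leaked user table does not hand out working keys.
API_KEY_DIGESTS = {
    hashlib.sha256(b"demo-key-1234").hexdigest(): ("reporting-bot", {"orders:read"}),
}
BASIC_USERS = {"alice": ("s3cret", {"orders:read", "orders:write"})}

# Authorization policy: the scope each API operation requires.
REQUIRED_SCOPE = {("GET", "/orders"): "orders:read", ("POST", "/orders"): "orders:write"}


def authenticate(headers):
    """Return (principal, scopes) if the Authorization header proves an identity, else None."""
    scheme, _, value = headers.get("Authorization", "").partition(" ")
    if scheme == "Basic":
        # Basic Auth is only base64-encoded: anyone who sees this header reads the password.
        try:
            user, _, password = base64.b64decode(value).decode().partition(":")
        except ValueError:  # covers binascii.Error and UnicodeDecodeError
            return None
        entry = BASIC_USERS.get(user)
        # Constant-time comparison so a wrong password does not leak by timing.
        if entry and hmac.compare_digest(entry[0].encode(), password.encode()):
            return user, entry[1]
    elif scheme == "ApiKey":
        # Look the key up by digest; the raw key is never stored or compared directly.
        return API_KEY_DIGESTS.get(hashlib.sha256(value.encode()).hexdigest())
    return None


def authorize(scopes, method, path):
    """Authorization: does this identity hold the scope the endpoint requires?"""
    needed = REQUIRED_SCOPE.get((method, path))
    return needed is not None and needed in scopes


def handle(method, path, headers):
    """Return the HTTP status the gate would answer with: 401, 403 or 200."""
    identity = authenticate(headers)
    if identity is None:
        return 401  # who are you? (authentication failed)
    if not authorize(identity[1], method, path):
        return 403  # known caller, but not allowed to do this (authorization failed)
    return 200
```

Note that 401 and 403 are deliberately distinct: the first means identity was not proven, the second means a proven identity lacks the privilege, which is exactly the gap a key-only check leaves open.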

Drop us a line at inquiry@ilantus.com and let us know what you think is the best way to secure an API.
