What is Authentication
Before we can talk about how Dashify protects accounts, we have to be clear about what authentication even means. This is the page where we slow down and define the word.
A definition you can keep
Authentication is the act of proving you are who you say you are.
That is the whole sentence. Everything else (passwords, two-factor codes, passkeys, single sign-on, sessions, tokens) is just a different way of executing that sentence.
When you walk up to airport security and hand over your passport, you are authenticating. The passport is evidence. The officer compares your face to the photo and decides whether the evidence is convincing.
When you log into Dashify, you are doing the same thing. You hand the platform some evidence (an email and a password, plus maybe a six-digit code from your phone, plus maybe a fingerprint from your laptop). The platform compares the evidence to what it has on file and decides whether it is convincing.
If yes, the platform issues you a session: a small piece of paper that says "this person was authenticated at this time". From then on, instead of re-presenting your evidence on every request, you just show the session paper, until the paper expires or until something looks suspicious.
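The flow just described (evidence checked against what is on file, then a session that expires), as an added example that is not Dashify's code. The function names, the in-memory session store and the 15-minute lifetime are assumptions, and PBKDF2 from the standard library stands in for whatever password hash a real platform uses.

```python
import hashlib, hmac, secrets, struct

SESSION_TTL = 15 * 60   # assumed session lifetime in seconds
SESSIONS = {}           # session id -> (email, expiry); in-memory stand-in for a session store

def hash_password(password, salt):
    # Salted, deliberately slow hash; PBKDF2 is a stand-in chosen for portability
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def totp(secret, now, step=30, digits=6):
    # RFC 6238: HMAC-SHA1 over the 30-second counter, dynamically truncated
    mac = hmac.new(secret, struct.pack(">Q", int(now) // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"

def enroll(email, password, totp_secret):
    # What the platform keeps "on file": never the password itself
    salt = secrets.token_bytes(16)
    return {"email": email, "salt": salt,
            "pw_hash": hash_password(password, salt), "totp_secret": totp_secret}

def login(user, password, code, now):
    # Something you know: recompute the hash and compare in constant time
    knows = hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])
    # Something you have: only the enrolled device can compute the current code
    has = hmac.compare_digest(totp(user["totp_secret"], now).encode(), code.encode())
    if not (knows and has):
        return None
    sid = secrets.token_urlsafe(32)            # the unguessable "session paper"
    SESSIONS[sid] = (user["email"], now + SESSION_TTL)
    return sid

def whoami(sid, now):
    # Later requests show only the session; expired paper is thrown away
    entry = SESSIONS.get(sid)
    if entry is None or now >= entry[1]:
        SESSIONS.pop(sid, None)
        return None
    return entry[0]

if __name__ == "__main__":
    # Constructed sample account; the secret is the RFC 6238 test key
    u = enroll("ada@example.com", "correct horse", b"12345678901234567890")
    sid = login(u, "correct horse", totp(u["totp_secret"], 59), now=59)
    print(whoami(sid, now=60), whoami(sid, now=59 + SESSION_TTL))
```

A production check would also accept a small clock-skew window and reject a code that has already been used.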
The three classic factors
There are exactly three kinds of evidence you can use to authenticate. They have names that have not changed in fifty years.
| Factor | Plain English | Examples |
|---|---|---|
| Something you know | A secret only you know | Password, PIN |
| Something you have | A physical thing only you possess | Your phone, a hardware key, an authenticator app |
| Something you are | A biological feature only you have | Fingerprint, face, voice |
Authenticating with one of those is single-factor. With two of them, two-factor. With three, you have somewhere along the way become a spy.
A password alone is single-factor. It is the weakest serious form of authentication because passwords are easy to leak, easy to guess, and easy to reuse across sites.
Adding a six-digit code from an authenticator app is two-factor: now an attacker who steals your password still cannot log in, because they don't have your phone.
Replacing your password with a passkey on your device's secure enclave can be both "something you have" (the device) and "something you are" (the fingerprint that unlocks the device). That is also two-factor, packaged into one tap.
Why it matters
Almost every breach you have ever read about began with a failed authentication. An employee's password was leaked in a totally unrelated breach, the attacker tried it on the company's VPN, the company had no second factor, the attacker was in.
Authentication is the moat. A weak moat means everything inside the castle is exposed. A strong moat (passwords salted and hashed, two-factor required, sessions short-lived, suspicious behaviour flagged) makes the inside of the castle dramatically less interesting to attack.
Dashify makes a serious attempt to be a strong moat. The pages that follow explain every brick of it.
The journey from "you typed a password" to "you can use the app"
That diagram is the whole login flow at a glance. The next eleven pages each take one piece of it and explain what is actually happening.
What you will learn next
- AuthN vs AuthZ: the difference between proving who you are and being allowed to do something.
- How a User Logs In: the full step-by-step, with every check and every header.
- Sessions & httpOnly Cookies: what the "session paper" actually looks like and why it lives in a cookie.
- JWTs: a different way to do sessions that some teams prefer, what they are, and where Dashify uses them.
- Argon2: how passwords are stored so even a compromised database does not leak them.
- Two-Factor, Passkeys, SSO, SCIM, API tokens: the modern authentication menu.
Read them in order if you are new to the topic. Skip around if you already know the basics.
Key takeaways
- Authentication is proving you are who you say you are.
- There are three factors of evidence: something you know, have, or are.
- More factors = stronger authentication.
- Once you have authenticated, the platform issues a session so you don't have to re-prove yourself on every click.
- Most security breaches begin at the authentication layer, so making it strong is non-negotiable.