Passwordless authentication for end users is taking the world by storm, offering organizations and individuals alike unprecedented security, user experience, and efficiency benefits. By all indications, the next generation of authentication for end users has finally arrived, sending the password the way of the dodo.
Although they don’t get anywhere near the same hype, advanced authentication strategies for APIs are as critical as passwordless authentication for end-users. Poorly architected and broken authentication for APIs present a considerable risk to the organizations that use them, serving as a potential entry point for attackers to wreak havoc on IT infrastructure.
With this fact in mind, let’s explore some of the existing advanced authentication strategies for API security, the benefits they can bring, and what’s next for API authentication.
Passwordless Authentication? API Authentication Did It First!
Amidst all the buzz surrounding passwordless authentication for end users, it can be easy to miss that it wouldn’t be possible without APIs leading the way. With passwordless authentication, the device acts as a secure store for cryptographic keys, which are then used to authenticate the user via APIs. Essentially, end-user passwordless authentication methods are really built on APIs. – they rely on protocols like OAuth or OpenID to verify identities without needing a password.
End-user and API authentication differ in their methods in that API authentication works from machine to machine, ensuring the integrity of devices and services talking to each other rather than users to applications. The underlying principles, however, remain the same – API-based authentication like OAuth is the backbone.
Moving Beyond Legacy API Authentication
Basic authentication – which involves sending a username and password encoded in base64 in the header – is, thankfully, rarely used in modern APIs. Static API keys, however, are disconcertingly common. Static APIs have issues with rotation and revocation. If an API is compromised, organizations typically struggle to replace it quickly (which is why Wallarm has a feature to block compromised API keys). To overcome these issues, it’s essential to use JSON Web Tokens (JWT) and OAuth for authentication, which are more secure than basic authentication and static API keys
However, businesses must consider that, if not implemented correctly, these technologies can introduce additional security issues. Wallarm’s Q2 2024 API ThreatStats™ Report revealed, for example, a vulnerability in the Veeam Recovery Orchestrator, where a hard-coded JWT secret exposed a critical flaw, enabling attackers to forge tokens and gain unauthorized access. The same report also highlighted an authentication bypass vulnerability in Lua-Resty and a JWT bomb attack in Python-jose that exploited the decode function to cause denial of service.
For critical infrastructure and industrial-grade APIs, it’s best to use Mutual TLS Authentication (mTLS). While TLS primarily focuses on the server authenticating itself to the client (ensuring the client is connecting to the correct server), mTLS extends this security by requiring the client to authenticate itself to the server as well. This mutual authentication ensures that both parties in the communication are who they claim to be. Again, though, mTLS can be challenging to implement and can introduce vulnerabilities that enable header forging attacks if not properly implemented.
Balancing Security with Efficiency
Many organizations struggle to balance robust API security with the need for seamless developer experiences and rapid integration. The problem is that many companies treat API security as something different from their broader AppSec programs. Wallarm, however, takes a different approach.
We treat API security as an extension of AppSec, incorporating a comprehensive set of security controls to ensure robust API security consistent with the application standards. This unified approach helps address the tension between maintaining robust security and enabling seamless developer experiences.
Managing and Enforcing API Authentication Policies
Another problem many businesses encounter regarding API security is effectively managing and enforcing authentication policies across microservice architectures and increasingly complex API ecosystems.
In an ideal world, companies would use API gateways to manage their APIs. Unfortunately, this often isn’t feasible as many APIs were developed long ago and rely on legacy systems like Enterprise Service buses.
Gartner predicted late last year that by 2025, half of all enterprise APIs will be unmanaged. With 2025 looming, that prediction seems likely to come good. That’s why Wallarm provides unified security solutions for both managed and unmanaged APIs, as well as traditional applications. Doing so, we help organizations ensure consistent security measures across their diverse and evolving API ecosystems.
Authentication Won’t Solve All Your Access Control Issues
It’s important to remember that authentication mechanisms merely verify a user’s identity; they won’t determine what that user is allowed to do. You need access controls for that. Failing to implement proper access controls can lead to issues like API abuse, where legitimate users exploit their access to consume more resources or data than intended.
For example, even with authentication in place, a user can still cause significant damage by making many API requests (e.g., 100 requests per second with a batch limit), which could lead to massive data extraction in a very short time.
Organizations must strengthen their API security posture not just by moving away from passwords, but by implementing comprehensive access controls, rate limiting, and monitoring to detect and prevent API abuse. Wallarm can do that for you.
Looking Ahead
Here at Wallarm, we hope API access control and other security measures like hardening and data input validation will soon be standardized at the OpenAPI specification level. In other words, these security features should be an integral part of the API design process and a mandatory requirement for publishing any enterprise APIs. This approach would ensure consistency and strengthen the security of APIs across the board.
Unfortunately, however, it’s clear that OpenAPI is not yet fully equipped to handle this level of security standardization. It will take considerable effort from the community to develop and implement these features effectively in OpenAPI. That said, OpenAPI is making good progress, incorporating more security features to move towards a future for API security that is more robust, standardized, and built into the API development process from the start.
How Wallarm Can Help
Wallarm provides the most comprehensive protection for APIs. Enterprise Security, Application, and DevOps teams choose Wallarm to discover APIs running in their environment and detect and respond to threats against APIs and applications in real time. Book a product tour today to find out more about what we can do for your organization.