How to authenticate APIs – HTTP Basic vs HTTP Digest

A comparison of the pros and cons of the three main secure ways of authenticating an API, in plain business terms. We cover:

The answer, as usual, is that it depends, but if you can force the server to use SSL, or are creating a private API, then it's Basic.

HTTP Basic Access Authentication over SSL

HTTP Basic is a simple form of authentication where:

HTTP Basic doesn’t have to be implemented over SSL, but if you don’t, it isn’t secure at all. So I’m not even going to entertain the idea of using it without SSL.
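To make the mechanism concrete, here is an added example (not code from the original post) of both halves of HTTP Basic: the client builds the `Authorization` header by base64-encoding `username:password`, and the server decodes it and checks the password against a salted PBKDF2 hash rather than a stored plaintext password. The credential store, salt and usernames are constructed for the example. Note that base64 is an encoding, not encryption: the header carries the password in recoverable form, which is why the post insists on SSL.

```python
import base64
import hashlib
import hmac


def build_basic_header(username: str, password: str) -> str:
    """Client side: Authorization header value for HTTP Basic (RFC 7617)."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_header(header: str) -> tuple[str, str]:
    """Server side: recover (username, password) from an Authorization header.

    Raises ValueError on anything that is not a well-formed Basic credential.
    """
    scheme, _, token = header.partition(" ")
    if scheme != "Basic" or not token:
        raise ValueError("not a Basic credential")
    # validate=True rejects non-alphabet characters; binascii.Error and
    # UnicodeDecodeError are both subclasses of ValueError
    decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    username, sep, password = decoded.partition(":")
    if not sep:
        raise ValueError("missing ':' separator")
    return username, password


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted password hash so a leaked store does not yield passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


# Constructed sample store: username -> (salt, PBKDF2 hash). A real server would
# generate a random salt per user (e.g. os.urandom(16)); a fixed one is used here
# only so the example is deterministic.
SAMPLE_SALT = b"constructed-salt-for-example"
CREDENTIAL_STORE = {
    "alice": (SAMPLE_SALT, hash_password("s3cret", SAMPLE_SALT)),
}


def verify_basic(header: str, store: dict) -> bool:
    """Server side: True only if the header carries a valid username/password."""
    try:
        username, password = parse_basic_header(header)
    except ValueError:
        return False
    record = store.get(username)
    if record is None:
        # Do the same amount of work for unknown users so response time does
        # not reveal which usernames exist.
        hash_password(password, SAMPLE_SALT)
        return False
    salt, expected = record
    # Constant-time comparison of the two hashes
    return hmac.compare_digest(hash_password(password, salt), expected)


if __name__ == "__main__":
    header = build_basic_header("alice", "s3cret")
    print(header)                       # the password is trivially recoverable from this
    print(verify_basic(header, CREDENTIAL_STORE))
```

The server never stores or compares the raw password; it recomputes the hash from the presented password and compares it in constant time. Everything on the wire, however, is protected only by the transport, so without SSL the header is equivalent to sending the password in clear.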

Pros

Cons

In summary – if you have control of the clients, or can ensure they use SSL, HTTP Basic is a good choice. The overhead of SSL is offset by only needing a single request.

HTTP Digest Access Authentication

HTTP Digest access authentication is a more complex form of authentication that works as follows:

Pros

Cons

In summary, HTTP Digest is vulnerable to at least two attack methods that a server using strong encryption for passwords with HTTP Basic over SSL is not.

If you don’t have control over your clients, however, they could attempt to perform Basic authentication without SSL, which is much less secure than Digest.

The answer – it depends, but probably HTTP Basic

Ideal:

If you can’t force the server to serve the API over SSL, and don’t have control over all the clients being built (i.e. you are creating a public API):

2 Comments

Jayakumar Jayaraman

Very nice article. Many thanks

John

I really appreciate it! Clears up a lot of things!
