Okta Offers PASETO as Alternative to JSON Tokens - DevOps.com (2024)

By: Mike Vizard

Okta today launched an open source library for using Platform-Agnostic Security Tokens (PASETO) as an alternative to JSON Web Tokens (JWT) to authenticate end users.

Randall Degges, head of evangelism for Okta, said PASETO is quickly emerging as an easier, more secure implementation of the JWT specification. PASETO is a draft specification created by Scott Arciszewski that reduces the scope of the JavaScript Object Signing and Encryption (JOSE) family of specifications in a way that makes it easier for developers to embrace tokens to secure application access.

Okta is trying to make it easy for developers to employ PASETO using a library written in Java, dubbed JPASETO, that has half the lines of code of a comparable JWT library written in Java and is supported by a vendor, he said.


While JWT tokens have been widely adopted, they are easy to misconfigure, which Degges noted has resulted in the recent discovery of many JWT vulnerabilities. Part of the fault for those vulnerabilities lies with the JWT specification itself, he added; JWTs support a wide range of cryptographic algorithms, including an option that employs no cryptography at all.

In contrast, Degges said PASETOs are more cryptographically resilient and far easier to employ. The PASETO specification defines two types of tokens: local and public. Local tokens are always symmetrically encrypted with a shared secret key, which means no one can view the contents of a local PASETO unless they have the correct secret key. Public tokens are readable by anyone and are validated with a public key. There is no “none” option; there can’t be a security token that is not encrypted, he said.

All PASETO formats are designed to be tamper-proof. The entire message is authenticated, so validation will fail if anything in the token changes, added Degges.
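To make the two properties Degges describes concrete (a fixed version and purpose in the token header, with no "none" to select, and authentication of the entire message including the footer), here is a short Python illustration added to this article; it is not Okta's JPASETO and not a spec-conformant PASETO cipher. Assumptions: it implements the PASETO Pre-Authentication Encoding (PAE) as specified, but substitutes HMAC-SHA384 over PAE for the XChaCha20-Poly1305 AEAD that v2.local uses, because the standard library has no such cipher, so the payload is authenticated rather than encrypted; the `LocalKey` class is a constructed stand-in for the typed keys ("algorithm lucidity") mentioned in the FAQ below.

```python
# Added illustrative example, not JPASETO and not a spec-conformant PASETO cipher: a fixed
# "version.purpose" header (no negotiable "alg") plus authentication of the whole message via
# PASETO's Pre-Authentication Encoding (PAE). Assumed stand-in: HMAC-SHA384 over PAE instead
# of the spec's XChaCha20-Poly1305 AEAD (not in the stdlib), so payloads are not encrypted.
import base64, hashlib, hmac, struct

ALLOWED_HEADERS = {"v2.local.", "v2.public."}  # closed set; no "none" variant exists to select

def pae(pieces):
    """Spec PAE: LE64(count), then LE64(len(piece)) || piece for each piece (unambiguous)."""
    out = struct.pack("<Q", len(pieces))
    for p in pieces:
        out += struct.pack("<Q", len(p)) + p
    return out

def b64(raw): return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def unb64(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

class LocalKey:
    """Key bound to one version/purpose ("algorithm lucidity"); it cannot verify v2.public."""
    purpose = "v2.local."
    def __init__(self, raw):
        if len(raw) != 32: raise ValueError("v2.local keys are 32 bytes")
        self.raw = raw

def issue(key, payload, footer=b""):
    tag = hmac.new(key.raw, pae([key.purpose.encode(), payload, footer]), hashlib.sha384).digest()
    return key.purpose + b64(payload + tag) + ("." + b64(footer) if footer else "")

def verify(key, token):
    parts = token.split(".")
    if len(parts) not in (3, 4): raise ValueError("malformed token")
    header = f"{parts[0]}.{parts[1]}."
    if header not in ALLOWED_HEADERS: raise ValueError("unsupported version/purpose " + header)
    if header != key.purpose: raise ValueError("key is not a " + header + " key")
    footer = unb64(parts[3]) if len(parts) == 4 else b""
    body = unb64(parts[2]); payload, tag = body[:-48], body[-48:]  # SHA-384 tag is 48 bytes
    expected = hmac.new(key.raw, pae([header.encode(), payload, footer]), hashlib.sha384).digest()
    if not hmac.compare_digest(tag, expected): raise ValueError("authentication failed")
    return payload

def is_valid(key, token):
    try: verify(key, token); return True
    except ValueError: return False

def demo():  # constructed sample: round-trip, then swapped footer, downgraded version, wrong key
    key, payload = LocalKey(bytes(range(32))), b'{"sub":"alice"}'
    tok = issue(key, payload, b'{"kid":"k1"}'); p = tok.split(".")
    return (verify(key, tok) == payload,
            is_valid(key, ".".join(p[:3] + [b64(b'{"kid":"k2"}')])),   # footer swapped
            is_valid(key, ".".join(["v1", "local", p[2], p[3]])),       # version downgraded
            is_valid(LocalKey(bytes(32)), tok))                          # wrong key
```

Because the footer and header are inside the PAE input, changing either one invalidates the tag even though neither is encrypted, which is the "entire message is authenticated" property.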

That approach ensures higher levels of application security while at the same time aiding in the adoption of best DevSecOps practices using Okta’s JPASETO library, which can be incorporated easily into the application development process, he noted.

In recent years software tokens such as JWT have gained traction as a way to implement two-factor authentication in place of creating a session in the server and returning a cookie. When a user successfully logs in using their credentials, a JSON Web Token is returned and must be saved locally.

Software tokens, however, can still be vulnerable to attacks that duplicate the underlying cryptographic software or to phishing attacks that trick end users into giving up a password. There is no such thing as perfect security; however, software tokens provide a critical layer of security that should be employed much more widely.

It’s not clear to what degree PASETO will further that goal. Many organizations may even mandate the use of either JWT or PASETO as part of their overall approach to DevSecOps. Regardless of approach, it’s clear that continuing to rely on sessions and cookies to authenticate end users is an antiquated approach to authentication that is not only more difficult to implement and manage but also ultimately less secure.


FAQs

Is Paseto better than JWT?

Key Differences between Paseto and JWT

Unlike JSON Web Tokens (JWT), which gives developers more than enough rope with which to hang themselves, Paseto only allows secure operations. JWT gives you "algorithm agility", Paseto gives you "versioned protocols".

What are alternatives to JWT tokens?

OAuth2, Passport, Spring Security, JavaScript, and Git are the most popular alternatives and competitors to JSON Web Token.

What is the difference between Paseto v1 and v2?

PASETO Token Structure

The current versions are "v1", "v2", "v3", and "v4". v1: Utilizes strong cryptographic primitives that are widely available today. v2: Utilizes newer and stronger cryptographic primitives, but is supported by fewer cryptographic libraries.

What is the Paseto token format?

The PASETO Format

There are two types (or "purposes") of PASETO tokens: local and public. Local tokens are encrypted with a shared key, whereas public tokens are signed with a public key pair, but NOT encrypted. In other words, anyone can read a public token, and only parties with the secret key can read local tokens.

What is better than JWT authentication?

OAuth uses both client-side and server-side storage while JWT must use only client-side storage. JWT has limited scope and use cases. OAuth is highly flexible and can be easily used in a wide range of situations.

Why use JWT instead of token?

There are benefits to using JWTs when compared to simple web tokens (SWTs) and SAML tokens. More compact: JSON is less verbose than XML, so when it is encoded, a JWT is smaller than a SAML token. This makes JWT a good choice to be passed in HTML and HTTP environments.

What are the disadvantages of JWT token?

One of the most significant weaknesses of JWTs is their lack of encryption. JWTs are designed to be compact and self-contained, which means that the data within them is not encrypted. While they can be signed to ensure data integrity, sensitive information within a JWT remains exposed in plaintext.

What is the difference between JWT and OAuth?

While OAuth provides a flexible authorization framework, JWT offers a compact way to represent user information securely. Combined, they form a potent combination for securing web applications, providing strong authentication and fine-grained access control.

Is JWT good for authentication or authorization?

JWT authorization is a stateless mechanism for authentication and authorization that eliminates the need for sessions and cookies. It provides a secure means of transmitting information, because a JWT is digitally signed using a secret key known only to the server.

What is the difference between Paseto local and public?

Local tokens are encrypted, but require the same key for encryption and decryption. Public tokens are not encrypted, meaning that anyone can read their contents; however, they can be verified using a public key. This allows a party to verify a public token without having the ability to create a valid token.

How long is a Paseto token?

local tokens, and has a length of 256 bits (32 bytes). See Algorithm Lucidity for more information.

What is the full form of Paseto?

No Way JOSE!

Scott went a step further and designed a safer alternative: PASETO (Platform-Agnostic SEcurity TOkens), which is currently implemented in 10 programming languages.

What are the three parts of a JSON Web token?

Anatomy of a JWT

Figure 1 shows that a JWT consists of three parts: a header, payload, and signature. The header typically consists of two parts: the type of the token, which is JWT, and the algorithm that is used, such as HMAC SHA256 or RSA SHA256. It is Base64Url encoded to form the first part of the JWT.

What is the best JWT signing method?

When signing is considered, elliptic curve-based algorithms are considered more secure. The option with the best security and performance is EdDSA, though ES256 (the Elliptic Curve Digital Signature Algorithm (ECDSA) using P-256 and SHA-256) is also a good choice.

Is JWT the most secure?

Advantages of JWT

Security: JWTs are digitally signed, ensuring data integrity and preventing tampering. Using encryption algorithms enhances the security further. Cross-Domain Communication: JWTs can be used across different domains or microservices since they don't rely on cookies or server-side sessions.

Which is the best JWT encryption algorithm?

JWTs are most commonly signed using one of two algorithms: HS256 (HMAC using SHA256) and RS256 (RSA using SHA256).

What is the difference between JWT and passport?

Passport is authentication middleware for Node.js. It is not for any specific method of authentication; the methods for authentication, like OAuth and JWT, are implemented in Passport by the Strategy pattern, which means that you can swap the authentication mechanism without affecting other parts of your application.
