What is it?
Basic Access Authentication (defined in RFC 7617) lets a web browser log a user in over HTTP (HyperText Transfer Protocol) with a username and password. The browser joins the username and password with a colon, base64-encodes the result (base64 turns arbitrary bytes into printable characters; it is an encoding, not a cipher) and sends it in an Authorization header.
Nothing in the scheme encrypts the username and password: anyone who can read the header can decode them.
The server receives the Authorization header on every request to the protected area (including the requests for images, JavaScript and cascading stylesheets), looks up the username and compares the password before processing the request.
By default, HTTP uses port 80; 8008 and 8080 are common alternatives, not defaults.
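The exchange described above, worked through in code. This is an added example, not code from the original page: the client side builds the header exactly as a browser does, the server side decodes it and checks the password on every request, and the last function shows what an eavesdropper on plain HTTP gets from a captured request. The user "alice", the password "s3cret", the PBKDF2 password store and the captured request text are all constructed for the example.

```python
import base64
import binascii
import hashlib
import hmac

# Constructed credential store (an assumption: the page does not say how the
# server stores passwords). Cleartext is never stored, only a salted PBKDF2 hash.
SALT = b"constructed-demo-salt"


def hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), SALT, 100_000)


USERS = {"alice": hash_password("s3cret")}


def build_basic_header(username: str, password: str) -> str:
    """Client side: what the browser sends after the user fills in the login prompt."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_header(header: str):
    """Server side: recover (username, password) from an Authorization header value.
    Returns None for anything that is not a well-formed Basic credential."""
    scheme, _, encoded = header.strip().partition(" ")
    if scheme.lower() != "basic" or not encoded:
        return None
    try:
        decoded = base64.b64decode(encoded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # RFC 7617: the user-id cannot contain a colon, so split on the first one;
    # the password itself may contain colons.
    username, sep, password = decoded.partition(":")
    if not sep:
        return None
    return username, password


def authenticate(header: str) -> bool:
    """Runs on every request to the protected area: look the user up and
    compare the password hash in constant time."""
    creds = parse_basic_header(header)
    if creds is None:
        return False
    username, password = creds
    stored = USERS.get(username)
    if stored is None:
        # Hash anyway so an unknown user costs the same time as a wrong password.
        hash_password(password)
        return False
    return hmac.compare_digest(stored, hash_password(password))


# Constructed capture of one plain-HTTP request for an image on a protected page.
CAPTURED_REQUEST = (
    "GET /admin/logo.png HTTP/1.1\r\n"
    "Host: intranet.example\r\n"
    "Authorization: Basic YWxpY2U6czNjcmV0\r\n"
    "\r\n"
)


def recover_credentials(captured_request: str):
    """What a network eavesdropper does with a captured request: find the
    Authorization line and base64-decode it. No key or secret is needed."""
    for line in captured_request.splitlines():
        name, _, value = line.partition(":")
        if name.strip().lower() == "authorization":
            return parse_basic_header(value)
    return None
```

Note that recover_credentials and the server's own parse_basic_header do the same work: the only thing separating the legitimate server from an attacker is who can see the header, which is why the mitigation below is transport encryption.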
Why is it a risk?
This process creates two distinct risks:
Because base64 is trivially reversible, usernames and passwords sent over plain HTTP can be intercepted on the network, decoded and then reused by an attacker.
Because every request to the protected area carries the credentials and the server has to verify them each time (with a deliberately slow password hash, if passwords are stored properly), Basic Authentication is inefficient; an attacker can mount a DoS (Denial of Service) attack by flooding the server with requests that each trigger a password verification.
Basic Authentication is very easy to set up, so it is useful during web site development, but over plain HTTP it is considered unsafe for Internet-facing web sites.
How can you mitigate the risk?
Changing your web server configuration (Apache and Nginx are two common ones) so that the protected pages are served only over HTTPS (HyperText Transfer Protocol Secure) instead of HTTP encrypts the headers, including the Authorization header, in transit, so the credentials can no longer be read off the network. This mitigates the first risk. The server itself still receives the credentials in cleartext on every request, so they must still be stored as salted hashes and kept out of access logs.
It is worth mentioning here that HTTPS can be configured with the old SSL (Secure Sockets Layer) protocol versions or with the more robust (and strongly recommended) TLS (Transport Layer Security). SSL 2.0 and 3.0 are deprecated and broken and should be disabled; use TLS 1.2 or later.
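The change described above as an Nginx configuration, shown as an added example (not the page's own configuration): the weak setting, Basic Authentication on plain port 80, beside the corrected one, where port 80 only redirects and credentials are accepted on TLS 1.2+ only. The hostname intranet.example, the certificate paths, the /admin/ location and the backend address are assumptions for the example.

```nginx
# Weak: Basic Authentication over plain HTTP. The Authorization header crosses
# the network base64-encoded but unencrypted on every request.
server {
    listen 80;
    server_name intranet.example;           # hostname is an assumption
    location /admin/ {
        auth_basic           "Restricted";
        auth_basic_user_file /etc/nginx/.htpasswd;
        proxy_pass           http://127.0.0.1:8080;   # backend is an assumption
    }
}

# Corrected: plain HTTP only redirects; the protected location exists on the
# TLS listener only, so credentials are never accepted in cleartext.
server {
    listen 80;
    server_name intranet.example;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name intranet.example;
    ssl_certificate     /etc/nginx/certs/intranet.example.pem;   # paths are assumptions
    ssl_certificate_key /etc/nginx/certs/intranet.example.key;
    ssl_protocols       TLSv1.2 TLSv1.3;    # no SSLv3, TLS 1.0 or TLS 1.1
    # Tell browsers to use HTTPS for this host from now on, so the first
    # request of a later visit is not sent over port 80 either.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location /admin/ {
        auth_basic           "Restricted";
        auth_basic_user_file /etc/nginx/.htpasswd;
        proxy_pass           http://127.0.0.1:8080;
    }
}
```

The password file is created with the htpasswd tool from apache2-utils; use its -B option (bcrypt) rather than the default so the stored hashes are slow to brute-force: htpasswd -B -c /etc/nginx/.htpasswd alice. After editing, run nginx -t before reloading.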
Token Based Authentication provides a more efficient alternative that is also considered secure: the password is checked once, the server issues a token, and later requests present the token instead of the password. The best-known framework in this space is OAuth 2.0 (Open Authorization). Strictly speaking, OAuth 2.0 is an authorization framework that issues access tokens; user authentication on top of it is standardised separately as OpenID Connect.
Most web development frameworks provide an implementation of OAuth 2.0 or some other Token Based Authentication method.
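The property the paragraph above claims, worked through in code: the password is verified once when a token is issued, and every later request costs the server one HMAC rather than a password hash and a user lookup. This is an added example, not code from the page or from any OAuth library, and it is deliberately a minimal HMAC-signed bearer token with an expiry, not OAuth 2.0 itself; the signing key, the user "alice"/"s3cret", the PBKDF2 store and the fifteen-minute lifetime are all constructed assumptions.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

# Constructed demo values (assumptions): a server-side signing key, which in a
# real deployment comes from a secret store and is rotated, and one user whose
# password is stored as a salted PBKDF2 hash.
SIGNING_KEY = b"constructed-demo-signing-key-rotate-me"
SALT = b"constructed-demo-salt"


def hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), SALT, 100_000)


USERS = {"alice": hash_password("s3cret")}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(username: str, password: str, ttl_seconds: int = 900, now=None):
    """The one request on which the password is checked. The slow hash runs here
    and nowhere else. Returns the token string, or None on bad credentials."""
    stored = USERS.get(username)
    if stored is None or not hmac.compare_digest(stored, hash_password(password)):
        return None
    now = time.time() if now is None else now
    payload = json.dumps({"sub": username, "exp": int(now + ttl_seconds)},
                         separators=(",", ":")).encode("utf-8")
    sig = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    return b64url(payload) + "." + b64url(sig)


def verify_token(token: str, now=None):
    """Runs on every later request: one HMAC over the payload, a constant-time
    compare and an expiry check. Returns the username, or None if the token is
    malformed, tampered with or expired."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = b64url_decode(payload_b64)
        sig = b64url_decode(sig_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None          # payload or signature altered
    claims = json.loads(payload)
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        return None          # expired: the client must log in again
    return claims["sub"]


def authenticate_bearer(header: str, now=None):
    """Server-side check of an Authorization: Bearer <token> header."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "bearer" or not token:
        return None
    return verify_token(token, now)
```

Compared with the Basic Authentication flow, the password crosses the network once, the server stores no session state, and a leaked token is worthless after its expiry; OAuth 2.0 adds to this the separation between the party that issues tokens and the resource servers that accept them, plus token scopes and refresh.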
The Nordic APIs link below describes the available HTTP(S) authentication options and their pros and cons.
The OAuth 2.0 Simplified link below provides a thorough explanation of how OAuth works, including specifics about some popular implementations.
Finally, the OAuth 2.0 Code link provides further links to OAuth 2.0 libraries in a variety of programming languages.
Resources:
The Difference Between HTTP Auth, API Keys, and OAuth
https://nordicapis.com/the-difference-between-http-auth-api-keys-and-oauth/
OAuth 2.0 Simplified
OAuth 2.0 Code