Design and Analysis of a Token‑Based Identity Authentication System
This article analyzes token‑based identity authentication in multi‑client information systems, classifies various token types, compares their natural and controllable attributes, and proposes a hierarchical token architecture that balances security, usability, and lifecycle management across web, mobile, and API scenarios.
In information systems with account structures, identity verification is crucial. With the rise of the mobile internet, one server now serves N kinds of client, and each client type brings its own security threats, session lifecycle, permission model, and interface call conventions.
2. Usage Scenarios
Common IT service scenarios include web‑browser login, Android/iOS app login, open‑API login, PC‑to‑mobile QR code authorization, and mobile‑to‑PC QR code authorization.
3. Token Categories
Tokens are classified into raw username/password (or app_id/app_key), session IDs (browser, mobile, API), and interface call tokens (access token, authorization token, cross‑platform token).
4. Token Attributes Comparison
Tokens are evaluated on natural attributes (usage cost, change cost, environmental risk) and controllable attributes (usage frequency, validity period). Security goals are to minimize theft risk and limit impact of compromised tokens.
4.1 Account/Password
Traditional credentials carry the most weight: they are changed rarely, cost the most to change, and cause the most severe consequences if leaked.
4.2 Client Session Token
Represents the logged‑in session. Web session tokens are given a short lifespan because browsers often run in public or shared environments; mobile session tokens live longer because re‑entering credentials on a phone is inconvenient.
4.3 Access Token
Presented on server‑side API calls; it is derived from a longer‑lived session token and given a short validity period so that a stolen access token does limited damage.
Note: Adding an access_token under a client token provides a unified authentication method for API calls.
4.4 pam_token
QR‑code based token generated by an already authenticated PC for a mobile device to scan. Lifetime: 2 minutes, then expired; refreshed every minute while unused; deleted immediately after use.
4.5 map_token
Mobile‑initiated QR‑code token that links an anonymous PC token to the scanning user, after which the PC receives a web session token and an access token. Lifetime: 2 minutes, then expired; refreshed every minute while unused; deleted immediately after use.
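The lifecycle rules of sections 4.3 to 4.5 in working form, as an added example that is not part of the original article: QR tokens that expire after 2 minutes, rotate after a minute unused and are deleted on first use, plus a short‑lived access token derived from a longer session. The 10‑minute access‑token validity and 30‑day session lifetime are assumptions; the article gives no figures for them.

```python
import secrets
import time

QR_TTL = 120         # pam_token / map_token lifetime: 2 minutes, as the article states
REFRESH_AFTER = 60   # an unused QR token is replaced after one minute
ACCESS_TTL = 600     # assumed access_token validity (10 min), far shorter than a session
SESSION_TTL = 30 * 24 * 3600   # assumed mobile/web session lifetime (30 days)

class TokenStore:
    """In-memory token store; a real deployment would use a shared cache such as Redis."""
    def __init__(self, clock=time.time):
        self.clock = clock   # injectable clock so expiry can be tested deterministically
        self.tokens = {}     # value -> {"kind", "subject", "issued", "expires"}
    def issue(self, kind, subject, ttl):
        value = secrets.token_urlsafe(32)   # 256 bits of randomness: unguessable
        now = self.clock()
        self.tokens[value] = {"kind": kind, "subject": subject, "issued": now, "expires": now + ttl}
        return value
    def issue_pam_token(self, pc_user):
        # the PC is already logged in; the phone that scans will accept this user
        return self.issue("pam", pc_user, QR_TTL)
    def issue_map_token(self, anonymous_pc_id):
        # the PC is anonymous; the phone that scans will bind a user to this PC id
        return self.issue("map", anonymous_pc_id, QR_TTL)
    def refresh_if_unused(self, value):
        """Replace a QR token that has sat unused for REFRESH_AFTER seconds."""
        rec = self.tokens.get(value)
        if rec is None or self.clock() - rec["issued"] < REFRESH_AFTER:
            return value
        del self.tokens[value]   # the old value stops working the moment it is rotated
        return self.issue(rec["kind"], rec["subject"], QR_TTL)
    def consume(self, value, kind):
        """Single use: the token is deleted on first presentation, valid or not."""
        rec = self.tokens.pop(value, None)
        if rec is None or rec["kind"] != kind or self.clock() > rec["expires"]:
            return None
        return rec["subject"]
    def access_token_from_session(self, session_value):
        """Derive a short-lived access_token from a long-lived session token."""
        rec = self.tokens.get(session_value)
        if rec is None or rec["kind"] != "session" or self.clock() > rec["expires"]:
            return None
        return self.issue("access", rec["subject"], ACCESS_TTL)
    def bind_map_token(self, value, mobile_user):
        """Phone confirms a map_token: the anonymous PC gets a web session and an access token."""
        if self.consume(value, "map") is None:
            return None
        web_session = self.issue("session", mobile_user, SESSION_TTL)
        return web_session, self.access_token_from_session(web_session)
```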
5. Summary and Outlook
The proposed token‑based authentication framework addresses token classification, privacy parameter settings, usage scenarios, and hierarchical conversion across lifecycles, applicable to login, time‑limited coupons, invitation codes, QR‑code authorizations, multi‑platform API access, and unified identity centers.
Top Architect