Form-based authentication


Form-based authentication is a term of art in the context of Web- and Internet-based online networked computer systems. In general, it refers to the notion of a user being presented with an editable "form" to fill in and submit in order to log into some system or service. However, the term is ambiguous, because using some sort of displayed "form" in which one enters credential information is a technique that is not unique to the Web.
As the term is often used, it strongly implies default employment of HTTP and HTML as part of the technique. This particular technique is specifically discussed in the article HTTP+HTML form-based authentication.
A defining characteristic of the general notion of form-based authentication, as it is commonly used, is that the credential prompting and the subsequent credential conveyance are conducted out-of-band relative to the transfer protocol employed between the client and server. For example, in the case of HTTP+HTML form-based authentication, the authentication features built into HTTP itself are not used. Rather, the prompting information, e.g., "username: " and "password: ", is conveyed, opaquely to HTTP itself, as just HTML or XHTML <FORM> data. Similarly, the submitted credentials are conveyed simply as part of the submitted <FORM> data.
Note that the common "login prompt" one sees when using telnet to access another computer system also fits this general notion; i.e., it is another instance of "form-based authentication".
Further characteristics and implications of the general notion of form-based authentication, as the term is commonly employed, are that it is inherently ad hoc and not standardized; that the client does not authenticate the server unless extra means are employed; and that the client typically is not made explicitly aware of the authentication mechanism being employed by the server, nor of the level of assurance that the mechanism provides.
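The out-of-band and ad hoc characteristics described above can be seen by parsing two requests side by side. This is an added example, not part of the original article; the host `app.example`, the paths, the credentials and the field names `username`/`password` are constructed assumptions.

```python
import base64
from urllib.parse import parse_qs

# Constructed sample requests (not captured traffic).
BASIC_REQ = (
    b"GET /account HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"Authorization: Basic " + base64.b64encode(b"alice:s3cret") + b"\r\n"
    b"\r\n"
)
FORM_REQ = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 30\r\n"
    b"\r\n"
    b"username=alice&password=s3cret"
)

def split_request(raw):
    """Split a raw HTTP/1.1 request into request line, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def http_level_credentials(raw):
    """Credentials visible to HTTP's own authentication: the Authorization header."""
    _, headers, _ = split_request(raw)
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return None
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password

def form_level_credentials(raw, user_field="username", pass_field="password"):
    """Credentials carried as form data; only the application knows the field names."""
    _, headers, body = split_request(raw)
    if not headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        return None
    fields = parse_qs(body.decode())
    if user_field in fields and pass_field in fields:
        return fields[user_field][0], fields[pass_field][0]
    return None
```

For the form request, nothing at the HTTP layer marks the body as credentials, and a parser that guesses different field names finds nothing, which is why proxies, logging pipelines and clients cannot recognise the mechanism without application-specific knowledge.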