How Login Authentication Evolved: From Cookies to Tokens and One‑Click Solutions
This article traces the evolution of login authentication—from simple username/password and cookie storage to token‑based, OAuth, and sub‑token architectures—while presenting practical one‑click login methods such as carrier mobile verification, trusted device history, and facial recognition, and it looks ahead to AI‑driven, privacy‑focused identity systems.
Introduction
Rapid growth of the Internet, IoT, and mobile devices has created new challenges for login authentication. Authentication is a long‑standing component of information systems, yet it continues to evolve: modern authentication spans cookies, sessions, multi‑factor tokens, API keys, and increasingly seamless methods for PCs, mobile devices, and smart hardware.
Historical Development of Login Authentication
1.1 Monolithic Application Period
Early systems focused on rapid business implementation and used simple username/password login, with user data returned to the client after authentication. The interaction flow typically stored that user information directly in cookies, leaving it exposed to theft and tampering; the HttpOnly, Secure, and SameSite flags reduce those risks but do not eliminate them.
1.2 Token Verification Mechanism
To improve security, token mechanisms generate an encrypted token on successful login, returning it to the client. Subsequent requests carry the token, avoiding exposure of user credentials.
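The contrast between sections 1.1 and 1.2, as an added example that is not code from the original article or from Baidu: a cookie that carries the user record in the clear beside a server‑issued token whose integrity the server can verify. The secret, user ids and roles are constructed values; the HMAC‑tagged token format is an illustrative choice, not the format the article's systems use.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed example secret; a real deployment loads this from a secret store.
SERVER_SECRET = b"constructed-example-secret-not-for-production"


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text.encode())


# --- 1.1 Monolithic era: the cookie *is* the user record ---------------------
def make_legacy_cookie(user: dict) -> str:
    """Cookie value is base64(JSON) of the user data, nothing more."""
    return _b64e(json.dumps(user).encode())


def read_legacy_cookie(cookie: str) -> dict:
    """The server trusts whatever decodes; nothing proves the server wrote it.
    HttpOnly/Secure/SameSite limit who can read or send the cookie, but a
    holder who edits it is still believed."""
    return json.loads(_b64d(cookie))


# --- 1.2 Token era: server-issued, integrity-protected, expiring -------------
def issue_token(user_id: str, role: str, ttl_seconds: int = 3600) -> str:
    """Return '<payload>.<tag>' where tag = HMAC-SHA256(secret, payload)."""
    payload = {"sub": user_id, "role": role, "exp": int(time.time()) + ttl_seconds}
    body = _b64e(json.dumps(payload, separators=(",", ":")).encode())
    tag = hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_token(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Return the payload only if the tag matches and the token is unexpired."""
    if "." not in token:
        return None
    body, tag = token.rsplit(".", 1)
    expected = hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None
    payload = json.loads(_b64d(body))
    if payload["exp"] <= (now if now is not None else int(time.time())):
        return None
    return payload


def _with_role(encoded_json: str, role: str) -> str:
    """Decode a base64 JSON blob, rewrite 'role', re-encode (an edited cookie value)."""
    data = json.loads(_b64d(encoded_json))
    data["role"] = role
    return _b64e(json.dumps(data, separators=(",", ":")).encode())


def legacy_cookie_accepts_edit() -> str:
    """Edit the plain cookie from 'user' to 'admin'; return the role the server believes."""
    cookie = make_legacy_cookie({"id": "u42", "role": "user"})
    return read_legacy_cookie(_with_role(cookie, "admin"))["role"]


def signed_token_rejects_edit() -> bool:
    """Same edit on the signed token: the tag no longer matches, so verification fails,
    while the untouched token still verifies with its original role."""
    token = issue_token("u42", "user")
    body, tag = token.rsplit(".", 1)
    edited = f"{_with_role(body, 'admin')}.{tag}"
    return verify_token(edited) is None and verify_token(token)["role"] == "user"
```

The point to notice is that the cookie flags never enter `read_legacy_cookie`: they constrain transport and script access, not the server's willingness to believe the decoded content. The token's tag and expiry are what let the server refuse an edited or stale value.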
1.3 Unified Account Center for Multiple Services
As business lines proliferated, a centralized account center was built to serve over 100 Baidu products (APP, Cloud, Maps, Tieba, etc.). This decoupled the account module from other services, improving maintainability, extensibility, and flexibility.
1.4 External OAuth Authorization
With the rise of third‑party collaborations, Baidu adopted OAuth 2.0 for external service access. OAuth defines four grant types—authorization code, implicit, resource‑owner password credentials, and client credentials. The authorization‑code flow, the most secure, involves a backend server exchanging a code for an access token.
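The authorization‑code flow described above, as an added example written for this summary and not taken from the article or from Baidu's account center. It models both sides, the front‑channel authorize step and the back‑channel token exchange, with the checks that make this grant the safest of the four: the code is short‑lived and single‑use, bound to the registered redirect_uri, and redeemable only by a client that authenticates with its secret. Client ids, secrets, URLs and timestamps are constructed; the code‑reuse revocation follows RFC 6749 section 4.1.2.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class AuthCode:
    client_id: str
    redirect_uri: str
    user_id: str
    scope: str
    expires_at: float
    used: bool = False
    issued_token: Optional[str] = None   # token minted from this code, revoked if the code is replayed


class AuthorizationServer:
    """Minimal authorization-code grant (RFC 6749 section 4.1) with its protective checks."""

    CODE_TTL = 60        # codes are short-lived and single-use
    TOKEN_TTL = 3600

    def __init__(self) -> None:
        self.clients: Dict[str, Tuple[str, str]] = {}   # client_id -> (secret, redirect_uri)
        self.codes: Dict[str, AuthCode] = {}
        self.access_tokens: Dict[str, dict] = {}

    def register_client(self, client_id: str, client_secret: str, redirect_uri: str) -> None:
        self.clients[client_id] = (client_secret, redirect_uri)

    # Front channel: runs after the user has authenticated and consented in the browser.
    def authorize(self, client_id: str, redirect_uri: str, scope: str, user_id: str,
                  now: Optional[float] = None) -> str:
        """Return the code the browser carries back to the client's registered redirect_uri."""
        if client_id not in self.clients:
            raise ValueError("unknown client")
        if redirect_uri != self.clients[client_id][1]:
            raise ValueError("redirect_uri does not match registration")
        now = time.time() if now is None else now
        code = secrets.token_urlsafe(32)
        self.codes[code] = AuthCode(client_id, redirect_uri, user_id, scope, now + self.CODE_TTL)
        return code

    # Back channel: the client's backend server, not the browser, calls this with its secret.
    def token(self, client_id: str, client_secret: str, code: str, redirect_uri: str,
              now: Optional[float] = None) -> Optional[dict]:
        now = time.time() if now is None else now
        registered = self.clients.get(client_id)
        if registered is None or not hmac.compare_digest(registered[0], client_secret):
            return None                                  # client authentication failed
        ac = self.codes.get(code)
        if ac is None:
            return None
        if ac.used:
            # Section 4.1.2: deny a replayed code and revoke tokens issued from it.
            self.access_tokens.pop(ac.issued_token, None)
            return None
        if ac.client_id != client_id or ac.redirect_uri != redirect_uri or ac.expires_at < now:
            return None
        ac.used = True
        tok = secrets.token_urlsafe(32)
        ac.issued_token = tok
        self.access_tokens[tok] = {"sub": ac.user_id, "scope": ac.scope, "exp": now + self.TOKEN_TTL}
        return {"access_token": tok, "token_type": "Bearer",
                "expires_in": self.TOKEN_TTL, "scope": ac.scope}

    def introspect(self, access_token: str, now: Optional[float] = None) -> Optional[dict]:
        """Resource-server view: is this access token currently valid?"""
        now = time.time() if now is None else now
        info = self.access_tokens.get(access_token)
        return info if info and info["exp"] > now else None


def run_flow() -> Dict[str, bool]:
    """Walk the grant end to end with constructed values; return what each step observed."""
    srv = AuthorizationServer()
    srv.register_client("maps-web", "constructed-client-secret", "https://maps.example/cb")
    t0 = 1_700_000_000.0
    cb = "https://maps.example/cb"
    code = srv.authorize("maps-web", cb, "profile", "u42", now=t0)
    wrong_secret = srv.token("maps-web", "guess", code, cb, now=t0 + 1)       # cannot redeem
    first = srv.token("maps-web", "constructed-client-secret", code, cb, now=t0 + 2)
    replay = srv.token("maps-web", "constructed-client-secret", code, cb, now=t0 + 3)
    late_code = srv.authorize("maps-web", cb, "profile", "u42", now=t0)
    expired = srv.token("maps-web", "constructed-client-secret", late_code, cb, now=t0 + 61)
    return {
        "wrong_secret_ok": wrong_secret is not None,
        "first_ok": first is not None,
        "replay_ok": replay is not None,
        "first_token_still_valid": first is not None
        and srv.introspect(first["access_token"], now=t0 + 4) is not None,
        "expired_code_ok": expired is not None,
    }
```

Run `run_flow()` to see the sequence: the first exchange succeeds, the replay is refused, and because of the replay the token from the first exchange is revoked as well, which is what limits the damage if a code is intercepted on the front channel.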
1.5 Unified Login with Distributed Authentication (sub_token)
To isolate security risks across product lines, Baidu introduced a sub_token layered on the unified token. Sub_tokens enable security isolation, fine‑grained permission control, rapid risk response, and reduced impact of token leakage.
Security Isolation: Compromise of a sub_token affects only its specific product line.
Fine‑Grained Control: Each sub_token can have distinct scopes and lifetimes.
Rapid Risk Mitigation: Revoking a sub_token instantly cuts off access for the affected line.
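The sub_token properties listed above, as an added example that is not the article's or Baidu's code: a unified token held by the account center and per‑product‑line sub_tokens derived from it, stored server‑side as opaque values. Product names, scopes, user ids and timestamps are constructed; the storage and revocation model is an illustrative design, not a description of the real account center.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional, Set


@dataclass
class UnifiedToken:
    user_id: str
    expires_at: float
    revoked: bool = False
    children: Set[str] = field(default_factory=set)   # sub_tokens derived from this one


@dataclass
class SubToken:
    parent: str            # unified token it was derived from (never shown to the product line)
    product: str           # the single product line that may accept it
    scopes: Set[str]
    expires_at: float
    revoked: bool = False


class AccountCenter:
    """Issues one unified token per login and one scoped sub_token per product line."""

    def __init__(self) -> None:
        self.unified: Dict[str, UnifiedToken] = {}
        self.subs: Dict[str, SubToken] = {}

    def login(self, user_id: str, ttl: float = 30 * 86400, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        tok = secrets.token_urlsafe(32)
        self.unified[tok] = UnifiedToken(user_id, now + ttl)
        return tok

    def issue_sub_token(self, unified_token: str, product: str, scopes: Iterable[str],
                        ttl: float = 3600, now: Optional[float] = None) -> Optional[str]:
        """Derive a product-scoped sub_token; its lifetime never exceeds the parent's."""
        now = time.time() if now is None else now
        parent = self.unified.get(unified_token)
        if parent is None or parent.revoked or parent.expires_at <= now:
            return None
        sub = secrets.token_urlsafe(32)
        self.subs[sub] = SubToken(unified_token, product, set(scopes), min(now + ttl, parent.expires_at))
        parent.children.add(sub)
        return sub

    def authorize(self, sub_token: str, product: str, scope: str,
                  now: Optional[float] = None) -> Optional[str]:
        """Called by a product-line service; returns the user_id or None."""
        now = time.time() if now is None else now
        st = self.subs.get(sub_token)
        if st is None or st.revoked or st.expires_at <= now:
            return None
        if st.product != product or scope not in st.scopes:   # isolation + fine-grained control
            return None
        parent = self.unified.get(st.parent)
        if parent is None or parent.revoked:                   # parent revocation cascades
            return None
        return parent.user_id

    def revoke_sub_token(self, sub_token: str) -> None:
        """Rapid response for one product line; other lines keep working."""
        if sub_token in self.subs:
            self.subs[sub_token].revoked = True

    def revoke_unified(self, unified_token: str) -> None:
        """Full logout: the unified token and every sub_token derived from it die together."""
        parent = self.unified.get(unified_token)
        if parent is None:
            return
        parent.revoked = True
        for child in parent.children:
            self.subs[child].revoked = True


def demo() -> Dict[str, bool]:
    """Exercise the isolation and revocation properties with constructed values."""
    ac = AccountCenter()
    t0 = 1_700_000_000.0
    unified = ac.login("u42", now=t0)
    maps = ac.issue_sub_token(unified, "maps", ["location:read"], now=t0)
    cloud = ac.issue_sub_token(unified, "cloud", ["files:read", "files:write"], now=t0)
    out = {}
    out["maps_ok"] = ac.authorize(maps, "maps", "location:read", now=t0 + 1) == "u42"
    # A leaked maps sub_token is useless at the cloud service and cannot gain scopes it lacks.
    out["maps_token_rejected_at_cloud"] = ac.authorize(maps, "cloud", "files:read", now=t0 + 1) is None
    out["maps_scope_escalation_rejected"] = ac.authorize(maps, "maps", "files:write", now=t0 + 1) is None
    ac.revoke_sub_token(maps)
    out["maps_dead_after_revoke"] = ac.authorize(maps, "maps", "location:read", now=t0 + 2) is None
    out["cloud_unaffected"] = ac.authorize(cloud, "cloud", "files:write", now=t0 + 2) == "u42"
    ac.revoke_unified(unified)
    out["cloud_dead_after_unified_revoke"] = ac.authorize(cloud, "cloud", "files:read", now=t0 + 3) is None
    return out
```

The design choice worth copying is that product‑line services only ever receive sub_tokens: the unified token stays between the client and the account center, so a breach of one product line exposes a credential that is rejected everywhere else and can be revoked without logging the user out of the other lines.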
Convenient Login Solutions
2.1 Carrier Mobile Number One‑Click Login
Users can log in using their mobile number as a credential. The system verifies the SIM card with the carrier, eliminating the need for passwords. The typical flow includes a carrier request, SIM validation, and token issuance.
2.2 Trusted Device Historical Login
Historical account login allows a user to log in with a single click by reusing previously stored credentials. The system validates the stored account information and may combine it with additional security checks such as facial recognition or multi‑factor authentication.
2.3 Face Verification Login
Face verification uses a captured facial image to authenticate the user. The process involves two core steps: (1) determining which account to sign the user into after successful verification, and (2) collecting the user's facial template. Enterprises must support both optional face‑template enrollment and, for high‑security scenarios, real‑name verification against a government database.
Outlook
Future enterprise login systems will combine AI‑driven behavior analysis, privacy‑preserving data handling, and emerging standards such as CTID (Citizen Identity Recognition) to provide seamless, secure, and personalized experiences across desktop, mobile, and IoT devices.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.