The answer depends on how secure something needs to be. One of the facts of life in security is that the more secure something is, the more of a pain it is for the user, so the idea is to match the level of security to whatever it is you're trying to protect. At one end of the spectrum it can be as simple as a username and password; we may not even enforce password complexity or rotation, because the level of security needed doesn't warrant anything more. As the required level of security increases, we start adding other things: password length and complexity enforcement, two-factor authentication with a code sent by text message (like most banking apps), or authentication by push notification, where you have an app on your phone, we send a push notification to that app, and the app uses biometrics (fingerprint, face recognition, whatever) or another local method on the smartphone to confirm that it's really you. Note that these second factors are not equally strong: a code sent by text message is the weakest of the three, since it can be phished or intercepted by a SIM swap, while an app-based push or biometric check is tied to the device itself.
The same is true for third-party APIs. Authentication can be anything from a simple static secret token, to a client certificate (X.509), to schemes where we exchange keys separately (out of band) and then generate a unique signature for every request, so that a captured request can't simply be replayed. It can be made extremely secure, but the more secure it is, the more of a pain it is for the third party to integrate, so striking the appropriate balance is important here, too.
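To make the far end of that API spectrum concrete, here is an added example (not code from the original answer or from any particular product) contrasting a static secret token with per-request signing. It assumes a shared secret that was exchanged out of band, invented header names (X-Timestamp, X-Nonce, X-Signature), and a five-minute replay window; all of these are choices for illustration, not a standard. Each request is signed with an HMAC over the method, path, timestamp, nonce and body hash, and the verifier rejects stale timestamps, reused nonces, and tampered bodies, which a static token cannot do.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

# Assumption: this secret was exchanged out of band (e.g. in a partner onboarding
# portal), never over the API itself. Constructed example value, not a real key.
SHARED_SECRET = b"example-shared-secret-exchanged-out-of-band"

# Assumption: requests older/newer than this are rejected (clock skew tolerance).
REPLAY_WINDOW_SECONDS = 300


def check_static_token(headers: Dict[str, str], expected_token: str) -> bool:
    """Simplest option: a fixed bearer token. Anyone who captures it can replay it
    forever with any body, which is why it belongs at the low-security end."""
    presented = headers.get("Authorization", "")
    return hmac.compare_digest(presented, f"Bearer {expected_token}")


def canonical_string(method: str, path: str, timestamp: int, nonce: str, body: bytes) -> bytes:
    """Bind every field the server will act on into one signed message.
    The body is hashed so large payloads don't need to be re-sent in the MAC input."""
    body_hash = hashlib.sha256(body).hexdigest()
    return f"{method.upper()}\n{path}\n{timestamp}\n{nonce}\n{body_hash}".encode()


def sign_request(secret: bytes, method: str, path: str, body: bytes,
                 now: Optional[int] = None, nonce: Optional[str] = None) -> Dict[str, str]:
    """Client side: produce the per-request headers. Each call yields a fresh nonce,
    so no two requests ever carry the same signature."""
    timestamp = int(time.time() if now is None else now)
    nonce = nonce or secrets.token_hex(16)
    mac = hmac.new(secret, canonical_string(method, path, timestamp, nonce, body),
                   hashlib.sha256).hexdigest()
    return {"X-Timestamp": str(timestamp), "X-Nonce": nonce, "X-Signature": mac}


class SignatureVerifier:
    """Server side: recompute the MAC and enforce freshness and single use."""

    def __init__(self, secret: bytes, window: int = REPLAY_WINDOW_SECONDS) -> None:
        self.secret = secret
        self.window = window
        self._seen_nonces: Dict[str, int] = {}  # nonce -> timestamp it was used at

    def verify(self, method: str, path: str, body: bytes, headers: Dict[str, str],
               now: Optional[int] = None) -> bool:
        now = int(time.time() if now is None else now)
        try:
            timestamp = int(headers["X-Timestamp"])
            nonce = headers["X-Nonce"]
            presented = headers["X-Signature"]
        except (KeyError, ValueError):
            return False  # missing or malformed auth headers

        if abs(now - timestamp) > self.window:
            return False  # stale (or far-future) request

        # Forget nonces that have aged out of the window; anything older is
        # already rejected by the timestamp check, so they need not be remembered.
        self._seen_nonces = {n: t for n, t in self._seen_nonces.items()
                             if abs(now - t) <= self.window}
        if nonce in self._seen_nonces:
            return False  # replay of a request we already accepted

        expected = hmac.new(self.secret, canonical_string(method, path, timestamp, nonce, body),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, presented):
            return False  # wrong key, or method/path/body/timestamp/nonce was altered

        self._seen_nonces[nonce] = timestamp
        return True


if __name__ == "__main__":
    body = b'{"amount": 10}'
    headers = sign_request(SHARED_SECRET, "POST", "/v1/transfer", body)
    verifier = SignatureVerifier(SHARED_SECRET)
    print("first use:", verifier.verify("POST", "/v1/transfer", body, headers))
    print("replay:", verifier.verify("POST", "/v1/transfer", body, headers))
    print("tampered body:", verifier.verify("POST", "/v1/transfer", b'{"amount": 9999}', headers))
```

Note that the nonce cache here is in-process memory; behind a load balancer it would need to live in a shared store, and the signature must also be sent over TLS so that the shared secret never has to leave either side. That extra machinery is exactly the integration burden the answer above weighs against the added assurance.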