Authentication refers to the process of identifying an individual, usually based on a username, password, and some type of additional verification. Authentication confirms that an individual is who they claim to be, which prevents unauthorized access to a program, system, network, or device, but does not affect the access rights of the individual. In security systems, authentication is a distinct form of authorization, the process of admitting individuals to system objects based on their identity.
In this definition...
How is authentication used?
Authentication is used in computer security and user access management systems. This identification process verifies a user’s identity, usually through something they know (such as a password), something they have (such as an ID card or USB token), or something they are (via biometrics).
By verifying a user’s identity, authentication verifies that they have the authorization to access resources and services. The most common form of authentication today is the combination of username and password.
What are the categories of authentication?
There are five main categories of authentication, which each use different ways to confirm identity.
- Knowledge-based authentication verifies identity by requiring users to answer questions they should know or recall.
- Behavioral-based authentication uses data about how users interact with machines to determine their identities. Behavior factor makes use of recorded and analyzed behavior patterns to determine identity.
- Possession factor requires an individual to have a specific piece of information or device (such as a token, ID card, or smartcard) to access a system.
- Inherence factor, sometimes called biometric factors or physical attributes, uses physiological characteristics of an individual such as their voice, fingerprint, palm, or face to verify identity.
- Location factor relies on geolocation security checks to verify a user’s location.
What are authentication layers?
Authentication typically consists of one of the following variables or some combination:
- Knowledge: something you know, which is generally an email address, ID number, or username and password, although it can also include custom security questions and CAPTCHA verification
- Possession: something you have, which could be an email verification link, one-time password (OTP), identification badge, keycard, or browser cookie
- Inherence: something you are, including biometrics such as retinal scans, fingerprints, voice recognition, or facial recognition
Any combination of these variables creates a multi-factor authentication process, which sometimes requires user participation but can also be done discreetly, as in the case of cookie authentication. Authentication occurs most times a user attempts to access a program, network, device, etc., except in the case of guest access and automatic login.
Basic authentication compares a variable from the user with what s stored in the system being accessed. In the case of username and password, for example, the credentials a user enters at login will be cross referenced with a database of stored usernames and corresponding passwords. If both credentials match, the user will be granted access. If one or both credentials are invalid, an error message will be returned (although different scenarios may return different messages). In particularly sensitive or high-risk login situations, too many unsuccessful authentication attempts may cause account lockout, where a user must take extra steps to authenticate their identity.
What are the major kinds of authentication?
There are multiple authentication methods that users can use to secure their data. Here are some of them:
Single-factor authentication (SFA), also known as password-based authentication, is the simplest form of authentication, requiring only one type of credential to verify a user’s identity. A common example of single-factor authentication is entering a username and password when logging into a website or application.
This method is considered a single factor because it relies on just one piece of information (the password) to authenticate an individual’s identity. The security of such systems depends on how difficult it is for a third party (who does not know a user password) to guess what it might be.
Two-factor authentication (2FA) is a security method that requires two different ways to prove a user’s identity. In other words, a user needs more than just a password to access their account. In addition to entering their password, they also have to provide another piece of information that is only known to them.
So if a bad actor were to steal a user’s password, they still wouldn’t be able to log in unless they had access to something else, like an authenticator app or device, that only a user possesses.
Common types of 2FA include:
- Hardware tokens for 2FA
- SMS text-message 2FA
- Software Tokens for 2FA
- Voice-based 2FA
Multi-factor authentication (MFA) offers an additional layer of security to the sign-in process. This type of authentication requires two or more different ways to verify a user’s identity. The most common form of MFA is something you know (like a password), something you have (like a token), and something you are (like biometrics) to access an account or resource.
In addition, multi-factor authentication provides an extra layer of protection for sensitive accounts. This way, even if an attacker obtains an individual’s password, they won’t be able to get into the user’s account without having physical access to their phone or other devices, which acts as the second factor in the authentication process.
The most common form of multi-factor authentication is the combination of a one-time password (OTP) token that generates passwords for users and sends them via text message or email in conjunction with single-factor options like passwords and PINs and location or behavior-based information to verify the user’s identity.
Single Sign-On (SSO) Authentication
SSO authentication allows users to authenticate and access multiple applications without re-entering credentials. SSO is a type of federated identity, which means that it uses central identity providers (CIPs) to authenticate users. The CIP authenticates users on behalf of each resource they want to access. SSO protocols are built on top of existing standards like OAuth 2.0 and SAML 2.0, which allow systems to communicate with one another securely.
However, some users may find it inconvenient to remember so many passwords. In addition, if any of these passwords are compromised, they could compromise all accounts on a network with SSO authentication.
With a passwordless authentication system, users don’t have to enter a code or passphrase to log in. Instead, they can use biometric measures (fingerprints, face scans) or digital means (tokens or cookies) to gain access.
These systems require minimal effort on the user’s part and offer more privacy than other authentication methods. They also tend to be more secure than traditional methods since they don’t require a password. Instead, users can be authenticated using mobile devices, fingerprints, and retina scans.
In a certificate-based authentication system, users authenticate themselves with a digital certificate. The system then authenticates the user’s identities by checking that their digital certificate is legitimate and valid.
A digital certificate is a signed document issued by a trusted entity vouching for user identity. SSL/TLS certificates are examples of digital certificates used in online commerce every day to ensure secure communication between websites and browsers. After verifying information about entities requesting them, certificate authorities (CAs) issue digital certificates. In other words, they confirm that users who request digital certificates are who they say they are.
Certificate-based authentication is generally considered preferable to password-based authentication because it is based on what the user has, the private key, as well as what the user knows, the password that protects the private key.
However, certificate-based authentication requires more infrastructure than password-based authentication. It requires an X.509 certificate authority (CA) and a public/private key infrastructure (PKI). The CA issues digital certificates to users, who then use their digital certificates and passwords to authenticate themselves when they log in.
What is the most commonly used authentication method?
Password-based authentication, the most commonly used authentication method, requires a user to enter a username and password to access a system. Access is granted if both values match those stored in an internal database.
Passwords should not be difficult to remember, but they need to be sufficiently complex to prevent unauthorized users from accessing sensitive data or modifying critical company information.
Pros of Password-Based Authentication
Password-based authentication offers the following advantages:
- Password-based authentication does not need any extra hardware, which makes it easy to deploy and manage across multiple devices, including laptops, desktops, etc.
- It can easily integrate with other authentication methods such as 2FA and MFA.
- It is less time-consuming, and the user does not need any vast technical skills to set up a password.
- Password-based authentication is easy, as users only have to clear one process, and users can also change their password at any time.
Cons of Password-Based Authentication
Unfortunately, there are many problems with using passwords as a means of authentication.
- Users tend to choose weak passwords that can be easily guessed or cracked by brute force methods like dictionary attacks or rainbow tables.
- Users tend to use the same password for multiple systems, making it easier for attackers who access one account (through phishing or cracking) to compromise others.
- Even if strong passwords are used and unique passwords are generated for each account, there is still a chance that a bad actor could guess a user’s password through social engineering.
- Password-based authentication often relies on a single factor, meaning that once compromised, all accounts are compromised.
- Users can be reluctant to use password managers, though use of one of the secure, easy-to-use platforms makes a significant difference is creating and spring strong passwords.
What is the difference between authorization and authentication?
Both authorization and authentication describe methods that ensure individuals are who they say they are before allowing them access to certain things or places. In computing, authentication is commonly referred to as how entities prove their identity to one another to prevent security problems. While authorization is concerned with access rights and what a user can do.
Authorization’s usually used as a means of controlling access to resources in an information system. It involves checking an entity’s identity and determining whether that entity has permission to operate on a resource. This process is typically handled by authorization systems, which check credentials against pre-established rules.
What are some emerging trends in authentication?
Many new trends have emerged, with many built on traditional models like passwords. Biometrics are gaining popularity, with fingerprint readers and retina scanners serving as easy ways to authenticate one’s identity without worrying about a lost or stolen password. Other emerging authentication methods include:
- Geolocation: This form of authentication relies on technology that identifies a user’s location in real-time.
- Palm Vein Pattern Authentication: To build on fingerprint authentication, researchers have developed palm vein pattern authentication, which uses unique vein patterns on each person’s hand to identify them.
- Time-Based One-Time Password (TOTP): Apps use TOTP to verify users’ identities by generating codes based on phone numbers, locations, or other details. The code changes every 30 seconds, so even if someone stole it, they wouldn’t be able to use it later.
- Voice Recognition Security System: Voice biometrics authentication uses patterns unique to a user’s voice and speech for authentication.
This article was reviewed and updated in April 2022 by Aminu Abdullahi.