In computing, authentication is the process of verifying the identity of a person or device. A typical example is entering a username and password when you log in to a website. Entering the correct login information lets the website know 1) who you are and 2) that it is really you accessing the website.
While a username/password combination is a common way to authenticate your identity, many other types of authentication exist. For example, you might use a four or six-digit passcode to unlock your phone. A single password may be required to log on to your laptop or work computer.
Every time you check or send an email, the mail server verifies your identity by matching your email address with the correct password. This information is often saved by your web browser or email program, so you do not have to enter it each time.
Biometrics may also be used for authentication. For example, many smartphones have a fingerprint sensor that allows you to unlock your phone with a simple tap of your thumb or finger.
Some facilities have retinal scanners, which require an eye scan to allow authorised individuals to access secure areas. Apple's Face ID (introduced with the iPhone X) authenticates users by facial recognition.
Authentication is the process of determining whether someone or something is who or what it declares itself to be. Authentication technology provides access control for systems by checking if a user's credentials match the credentials in a database of authorised users or a data authentication server.
Authentication is a term that refers to the process of proving that some fact or some document is genuine. In computer science, this term is typically associated with verifying a user’s identity.
Usually, a user proves their identity by providing their credentials, that is, an agreed piece of information shared between the user and the system.
Authentication is a part of everyday life in the digital age. While it helps keep your personal information private, it is not foolproof. For example, if someone knows your email address, they could access your account by simply guessing your password. This is why it is essential to use unique, hard-to-guess passwords, especially for your email accounts. It is also a good idea to use two-factor authentication when available, as this provides an extra security check when accessing your account.
Two-factor authentication (also "2FA") typically requires a correct login plus another verification check. For example, if you enable 2FA for your online bank account, you may be required to enter a temporary code sent to your phone or email address to complete the login process. This ensures that only you (or someone with access to your phone or email account) can access your account, even after entering the correct login information.
Authentication In Cybersecurity
Authentication is essential because it enables organisations to keep their networks secure by permitting only authenticated users (or processes) to access their protected resources, including computer systems, networks, databases, websites and other network-based applications or services.
Once authenticated, a user or process is usually subjected to an authorisation process to determine whether the established entity should be permitted access to a protected resource or system. A user could be authenticated but fail to access a resource if that user was not granted permission to access it.
The terms authentication and authorisation are often used interchangeably; while they may often be implemented together, the two functions are distinct. While authentication is the process of validating the identity of a registered user before allowing access to the protected resource, authorisation is the process of validating that the authenticated user has been granted permission to access the requested resources. The process by which access to those resources is restricted to a certain number of users is called access control. The authentication process always comes before the authorisation process.
How Authentication Is Used
User authentication occurs within most human-to-computer interactions outside of guest accounts, automatically logged-in accounts and kiosk computer systems. Generally, a user has to choose a username or user ID and provide a valid password to begin using a system. User authentication authorises human-to-machine interactions in operating systems and applications, as well as both wired and wireless networks to enable access to networked and internet-connected systems, applications and resources.
Many companies use authentication to validate users who log into their websites. Without the proper security measures, user data, such as credit and debit card numbers, as well as Social Security numbers, could get into the hands of cybercriminals.
Organisations also use authentication to control which users have access to corporate networks and resources, as well as to identify and control which machines and servers have access. Companies also use authentication to enable remote employees to access their applications and networks securely.
For enterprises and other large organisations, authentication may be accomplished using a single sign-on (SSO) system, which allows access to multiple systems with a single set of login credentials.
How Authentication Works
During authentication, credentials provided by the user are compared to those on file in a database of authorised users' information, either on the local operating system or through an authentication server. If the credentials match and the authenticated entity is authorised to use the resource, the process is completed, and the user is granted access. The permissions and folders returned define both the environment the user sees and how they can interact with it, including hours of access and other rights such as the amount of resource storage space.
Traditionally, authentication was accomplished by the systems or resources accessed; for example, a server would authenticate users using its password system, implemented locally, using login IDs (user names) and passwords. Knowledge of the login credentials is assumed to guarantee that the user is authentic. Each user registers initially (or is registered by someone else, such as a systems administrator) using an assigned or self-declared password.
On each subsequent use, the user must know and use the previously declared password.
However, the web's application protocols, HTTP and HTTPS, are stateless, meaning that strict authentication would require end-users to re-authenticate each time they access a resource using HTTPS. Rather than burden end-users with that process for each interaction over the web, protected systems often rely on token-based authentication. Authentication is performed once at the start of a session. The authenticating system issues a signed authentication token to the end-user application, and that token is appended to every request from the client.
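The token flow described above, as an added example that is not part of the original article: the server signs a token once at login with an HMAC key, the client sends it with every request, and the server checks the signature and expiry without re-running the password check. The key, user id and timestamps are constructed for the example.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional

# Server-side signing key (constructed for this example; a real deployment
# loads a random key from a secret store, never from source code).
SERVER_KEY = b"example-signing-key-do-not-reuse"


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: str, ttl_seconds: int, key: bytes = SERVER_KEY,
                now: Optional[int] = None) -> str:
    """Issue a signed token once, at the start of a session."""
    now = int(time.time()) if now is None else now
    payload = f"{user_id}|{now + ttl_seconds}".encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64e(payload)}.{_b64e(sig)}"


def verify_token(token: str, key: bytes = SERVER_KEY,
                 now: Optional[int] = None) -> Optional[str]:
    """Return the user id if the token is authentic and unexpired, else None.

    Runs on every request in place of re-authentication. Any malformed,
    tampered or expired token is rejected the same way, so the client learns
    nothing about which check failed.
    """
    now = int(time.time()) if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = _b64d(payload_b64)
        sig = _b64d(sig_b64)
        user_id, expires_text = payload.decode().rsplit("|", 1)
        expires = int(expires_text)
    except (ValueError, UnicodeDecodeError):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # Constant-time comparison avoids leaking the signature byte by byte.
    if not hmac.compare_digest(sig, expected):
        return None
    if now >= expires:
        return None
    return user_id
```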
Entity authentication for systems and processes can be carried out using machine credentials that work like a user's ID and password, except that the credentials are submitted automatically by the device in question. They may also use digital certificates issued and verified by a certificate authority as part of a public key infrastructure to authenticate an identity while exchanging information over the internet.
Authenticating a user with a user ID and a password is usually considered the most basic type of authentication. It depends on the user knowing two pieces of information: the user ID or username and the password. Since this type of authentication relies on just one authentication factor, it is a type of single-factor authentication.
Strong authentication is a term that has not been formally defined but usually is used to mean that the type of authentication being used is more reliable and resistant to attack; achieving that is generally acknowledged to require using at least two different types of authentication factors.
An authentication factor represents some piece of data or attribute that can authenticate a user requesting access to a system. An old security adage has it that authentication factors can be "something you know, something you have or something you are." These three factors correspond to the knowledge factor, the possession factor and the inherence factor. Additional factors have been proposed and put into use in recent years, with location serving in many cases as the fourth factor and time serving as the fifth factor.
Currently used authentication factors include:
- Knowledge factor: "Something you know." The knowledge factor may be any authentication credentials that consist of information that the user possesses, including a personal identification number (PIN), a user name, a password or the answer to a secret question.
- Possession factor: "Something you have." The possession factor may be any credential based on items that the user can own and carry with them, including hardware devices like a security token or a mobile phone used to accept a text message or run an authentication app that can generate a one-time password or PIN.
- Inherence factor: "Something you are." The inherence factor is typically based on some form of biometric identification, including finger or thumbprints, facial recognition, retina scan or any other form of biometric data.
- Location factor: "Where you are." While it may be less specific, the location factor is sometimes an adjunct to the other elements. Location can be determined to reasonable accuracy by devices equipped with GPS or with less accuracy by checking network routes. The location factor cannot usually stand on its own for authentication, but it can supplement the other elements by providing a means of ruling out some requests. For example, it can prevent an attacker located in a remote geographical area from posing as a user who typically logs in only from home or office in the organisation's home country.
- Time factor: "When you are authenticating." Like the location factor, the time factor is not sufficient on its own. Still, it can be a supplemental mechanism for weeding out attackers who attempt to access a resource when that resource is not available to the authorised user. It may also be used together with location. For example, if the user has just authenticated, an attempt to authenticate from Asia one hour later would be rejected based on the combination of time and location.
Despite being used as additional authentication factors, user location and current time by themselves are not sufficient, without at least one of the first three factors, to authenticate a user. However, the ubiquity of smartphones is helping to ease the burdens of multifactor authentication for many users. Most smartphones are equipped with GPS, enabling reasonable confidence in confirmation of the login location; smartphone MAC addresses may also be used to help authenticate a remote user, even though MAC addresses are relatively easy to spoof.
Authentication With Username And Password
The username and password combination is the most popular authentication mechanism; it is also known as password authentication.
A well-known example is accessing a user account on a website or a service provider such as Facebook or Gmail. Before you can access your account, you must prove you own the correct login credentials. Services typically present a screen that asks for a username along with a password. Then, they compare the data inserted by the user with the values previously stored in an internal repository.
If you enter a valid combination of these credentials, the service provider will allow you to continue and will give you access to your account.
While the username may be public, like, for example, an email address, the password must be confidential. Due to its confidentiality, passwords must be protected from theft by cybercriminals. Although usernames and passwords are widely used on the internet, they are notorious for being a weak security mechanism that hackers exploit regularly.
The first way to protect them is by enforcing password strength, that is, a level of complexity so that malicious attackers cannot easily guess them. As a rule of thumb, a complex combination of lowercase and uppercase letters, numbers, and special characters results in a strong password. Otherwise, a poor mix of characters leads to a weak password.
End users notoriously tend to use weak passwords. In an annual report from SplashData, an internet security firm, they identified the 25 most common passwords. The list, based on millions of passwords exposed by data breaches, shows that millions of users rely on passwords like "123456" and "password" to authenticate.
It is a matter of usability, since weak passwords are usually easier to remember. In addition, users often reuse the same password with different websites or services.
The combination of these situations may lead to security issues since weak passwords are easy to guess, and the leaked password can be used to access multiple services for the same user.
On the other hand, strong passwords used for authenticating can withstand brute force attacks but are useless against attacks like phishing and keylogger software or password stuffing.
These attacks don’t try to guess the user’s password but steal it directly from the user.
Passwords are also an issue when not securely stored. For example, in a recent news report, Facebook was shown to have accumulated millions of Instagram passwords in plain text. Passwords should always be stored using best practices, such as hashing.
Types Of Authentication Methods
Traditional authentication depends on using a password file, in which user IDs are stored together with hashes of the passwords associated with each user. When logging in, the password submitted by the user is hashed and compared to the value in the password file. If the two hashes match, the user is authenticated.
This approach to authentication has several drawbacks, particularly for resources deployed across different systems. For one thing, attackers who can access the password file for a system can use brute force attacks against the hashed passwords to extract the passwords. For another, this approach would require multiple authentications for modern applications that access resources across multiple systems.
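The password-file scheme above, as an added example that is not part of the original article: each record stores a random per-user salt and a deliberately slow key derivation (PBKDF2-HMAC-SHA256), so an attacker holding the file cannot look up or bulk-test hashes cheaply; the unsalted single hash is included only to show the weakness the text describes. The record format and iteration count are choices made for this example.

```python
import hashlib
import hmac
import os

# Iteration count chosen for this example; higher costs the attacker more
# per guess at the price of a slower login.
ITERATIONS = 600_000


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Build the record stored in the password file: algorithm, cost,
    random salt and derived key, all hex, '$'-separated (example format)."""
    salt = os.urandom(16)  # fresh per user, so equal passwords differ on disk
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive with the stored salt and cost, then compare in constant time."""
    try:
        algo, iterations_text, salt_hex, digest_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iterations_text)
    except ValueError:
        return False  # malformed record is a failed login, not an exception
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(actual, expected)


def weak_hash(password: str) -> str:
    """Unsalted single SHA-256: the practice the text warns against. Every user
    with the same password gets the same value, and one guess can be checked
    against the whole file at once."""
    return hashlib.sha256(password.encode()).hexdigest()
```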
Password-based authentication weaknesses can be addressed to some extent with smarter usernames and password rules like minimum length and stipulations for complexity, such as including capitals and symbols. However, password-based authentication and knowledge-based authentication are more vulnerable than systems that require multiple independent methods.
Other authentication methods include:
- Two-factor authentication -- Two-factor authentication adds an extra layer of protection to the process of authentication. 2FA requires that a user provide a second authentication factor in addition to the password. 2FA systems often require users to enter a verification code received via text message on a pre-registered mobile phone or a code generated by an authentication application.
- Multi-Factor authentication -- Multi-Factor authentication requires users to authenticate with more than one authentication factor, including a biometric factor like fingerprint or facial recognition, a possession factor like a security key fob or a token generated by an authenticator app.
- One-time password -- A one-time password automatically generates a numeric or alphanumeric string of characters that authenticates a user. This password is only valid for one login session or transaction and is usually used for new users or users who lost their passwords and are given a one-time password to log in and change to a new password.
- Three-factor authentication -- Three-factor authentication (3FA) is a type of MFA that uses three authentication factors, usually a knowledge factor (password) combined with a possession factor (security token) and the inherence factor (biometric).
- Biometrics -- While some authentication systems can depend solely on biometric identification, biometrics are usually used as a second or third authentication factor. The more common types of biometric authentication available include fingerprint scans, facial or retina scans and voice recognition.
- Mobile authentication -- Mobile authentication is the process of verifying users via their devices or verifying the devices themselves. This lets users log into secure locations and resources from anywhere. The mobile authentication process involves multi-factor authentication that can include one-time passwords, biometric authentication or QR code validation.
- Continuous authentication -- With continuous authentication, instead of a user being either logged in or out, a company's application continually computes an "authentication score" that measures how sure it is that the account owner is the individual who's using the device.
- API authentication -- The standard methods of managing API authentication are HTTP basic authentication, API keys and OAuth.
- In HTTP basic authentication, the server requests authentication information, i.e., a username and password, from a client. The client then passes the authentication information to the server in an Authorization header.
- In the API key authentication method, a first-time user is assigned a unique generated value that indicates that the user is known. Then each time the user tries to enter the system again, their unique key is used to verify that they are the same user who entered the system previously.
- Open Authorisation (OAuth) is an open standard for token-based authentication and authorisation on the internet. OAuth allows a user's account information to be used by third-party services, such as Facebook, without exposing the user's password. OAuth acts as an intermediary on behalf of the user, providing the service with an access token that authorises specific account information to be shared.