BACKGROUND IMAGE: iSTOCK/GETTY IMAGES
Authentication is the process of determining whether someone or something is, in fact, who or what it declares itself to be. Authentication technology provides access control for systems by checking to see if a user's credentials match the credentials in a database of authorized users or in a data authentication server.
Users are usually identified with a user ID, and authentication is accomplished when the user provides a credential, for example a password, that matches with that user ID. Most users are most familiar with using a password, which, as a piece of information that should be known only to the user, is called a knowledge authentication factor. Other authentication factors, and how they are used for two-factor or multifactor authentication (MFA), are described below.
Authentication in cybersecurity
Authentication is important because it enables organizations to keep their networks secure by permitting only authenticated users (or processes) to access its protected resources, which may include computer systems, networks, databases, websites and other network-based applications or services.
Once authenticated, a user or process is usually subjected to an authorization process as well, to determine whether the authenticated entity should be permitted access to a protected resource or system. A user can be authenticated but fail to be given access to a resource if that user was not granted permission to access it.
The terms authentication and authorization are often used interchangeably; while they may often be implemented together the two functions are distinct. While authentication is the process of validating the identity of a registered user before allowing access to the protected resource, authorization is the process of validating that the authenticated user has been granted permission to access the requested resources. The process by which access to those resources is restricted to a certain number of users is called access control. The authentication process always comes before the authorization process.
How authentication is used
User authentication occurs within most human-to-computer interactions outside of guest accounts, automatically logged-in accounts and kiosk computer systems. Generally, a user has to choose a username or user ID and provide a valid password to begin using a system. User authentication authorizes human-to-machine interactions in operating systems and applications, as well as both wired and wireless networks to enable access to networked and internet-connected systems, applications and resources.
Many companies use authentication to validate users who log into their websites. Without the right security measures, user data, such as credit and debit card numbers, as well as Social Security numbers, could get into the hands of cybercriminals.
Organizations also use authentication to control which users have access to corporate networks and resources, as well as to identify and control which machines and servers have access. Companies also use authentication to enable remote employees to securely access their applications and networks.
For enterprises and other large organizations, authentication may be accomplished using a single sign-on (SSO) system, which grants access to multiple systems with a single set of login credentials.
How authentication works
During authentication, credentials provided by the user are compared to those on file in a database of authorized users' information either on the local operating system or through an authentication server. If the credentials match, and the authenticated entity is authorized to use the resource, the process is completed and the user is granted access. The permissions and folders returned define both the environment the user sees and the way he can interact with it, including hours of access and other rights such as the amount of resource storage space.
Traditionally, authentication was accomplished by the systems or resources being accessed; for example, a server would authenticate users using its own password system, implemented locally, using login IDs (user names) and passwords. Knowledge of the login credentials is assumed to guarantee that the user is authentic. Each user registers initially (or is registered by someone else, such as a systems administrator), using an assigned or self-declared password. On each subsequent use, the user must know and use the previously declared password.
However, the web's application protocols, HTTP and HTTPS, are stateless, meaning that strict authentication would require end users reauthenticate each time they access a resource using HTTPS. Rather than burden end users with that process for each interaction over the web, protected systems often rely on token-based authentication, in which authentication is performed once at the start of a session. The authenticating system issues a signed authentication token to the end-user application, and that token is appended to every request from the client.
Entity authentication for systems and processes can be carried out using machine credentials that work like a user's ID and password, except the credentials are submitted automatically by the device in question. They may also use digital certificates that were issued and verified by a certificate authority as part of a public key infrastructure to authenticate an identity while exchanging information over the internet.
Authenticating a user with a user ID and a password is usually considered the most basic type of authentication, and it depends on the user knowing two pieces of information: the user ID or username, and the password. Since this type of authentication relies on just one authentication factor, it is a type of single-factor authentication.
Strong authentication is a term that has not been formally defined, but usually is used to mean that the type of authentication being used is more reliable and resistant to attack; achieving that is generally acknowledged to require using at least two different types of authentication factors.
An authentication factor represents some piece of data or attribute that can be used to authenticate a user requesting access to a system. An old security adage has it that authentication factors can be "something you know, something you have or something you are." These three factors correspond to the knowledge factor, the possession factor and the inherence factor. Additional factors have been proposed and put into use in recent years, with location serving in many cases as the fourth factor, and time serving as the fifth factor.
Currently used authentication factors include:
- Knowledge factor: "Something you know." The knowledge factor may be any authentication credentials that consist of information that the user possesses, including a personal identification number (PIN), a user name, a password or the answer to a secret question.
- Possession factor: "Something you have." The possession factor may be any credential based on items that the user can own and carry with them, including hardware devices like a security token or a mobile phone used to accept a text message or to run an authentication app that can generate a one-time password or PIN.
- Inherence factor: "Something you are." The inherence factor is typically based on some form of biometric identification, including finger or thumb prints, facial recognition, retina scan or any other form of biometric data.
- Location factor: "Where you are." While it may be less specific, the location factor is sometimes used as an adjunct to the other factors. Location can be determined to reasonable accuracy by devices equipped with GPS, or with less accuracy by checking network routes. The location factor cannot usually stand on its own for authentication, but it can supplement the other factors by providing a means of ruling out some requests. For example, it can prevent an attacker located in a remote geographical area from posing as a user who normally logs in only from home or office in the organization's home country.
- Time factor: "When you are authenticating." Like the location factor, the time factor is not sufficient on its own, but it can be a supplemental mechanism for weeding out attackers who attempt to access a resource at a time when that resource is not available to the authorized user. It may also be used together with location as well. For example, if the user was last authenticated at noon in the U.S., an attempt to authenticate from Asia one hour later would be rejected based on the combination of time and location.
Despite being used as supplemental authentication factors, user location and current time by themselves are not sufficient, without at least one of the first three factors, to authenticate a user. However, the ubiquity of smartphones is helping to ease the burdens of multifactor authentication for many users. Most smartphones are equipped with GPS, enabling reasonable confidence in confirmation of the login location; smartphone MAC addresses may also be used to help authenticate a remote user, despite the fact that MAC addresses are relatively easy to spoof.
Two-factor and multifactor authentication
Adding authentication factors to the authentication process typically improves security. Strong authentication usually refers to authentication that uses at least two factors, where those factors are of different types. The distinction is important; since both username and password can be considered types of knowledge factor, basic username and password authentication could be said to use two knowledge factors to authenticate -- however, that would not be considered a form of two-factor authentication (2FA). Likewise for authentication systems that rely on "security questions," which are also "something you know," to supplement user ID and passwords.
Two-factor authentication usually depends on the knowledge factor combined with either a biometric factor or a possession factor like a security token. Multifactor authentication can include any type of authentication that depends on two or more factors, but an authentication process that uses a password plus two different types of biometric would not be considered three-factor authentication, although if the process required a knowledge factor, a possession factor and an inherence factor, it would be. Systems that call for those three factors plus a geographic or time factor are considered examples of four-factor authentication.
Authentication and authorization
Authorization includes the process through which an administrator grants rights to authenticated users, as well as the process of checking user account permissions to verify that the user has been granted access to those resources. The privileges and preferences granted for the authorized account depend on the user's permissions, which are either stored locally or on the authentication server. The settings defined for all these environment variables are set by an administrator.
Systems and processes may also need to authorize their automated actions within a network. Online backup services, patching and updating systems and remote monitoring systems, such as those used in telemedicine and smart grid technologies, all need to securely authenticate before they can verify that it is the authorized system involved in any interaction and not a hacker.
Types of authentication methods
Traditional authentication depends on the use of a password file, in which user IDs are stored together with hashes of the passwords associated with each user. When logging in, the password submitted by the user is hashed and compared to the value in the password file. If the two hashes match, the user is authenticated.
This approach to authentication has several drawbacks, particularly for resources deployed across different systems. For one thing, attackers who are able to access to the password file for a system can use brute force attacks against the hashed passwords to extract the passwords. For another, this approach would require multiple authentications for modern applications that access resources across multiple systems.
Password-based authentication weaknesses can be addressed to some extent with smarter user names and password rules like minimum length and stipulations for complexity, such as including capitals and symbols. However, password-based authentication and knowledge-based authentication are more vulnerable than systems that require multiple independent methods.
Other authentication methods include:
- Two-factor authentication -- Two-factor authentication adds an extra layer of protection to the process of authentication. 2FA requires that a user provide a second authentication factor in addition to the password. 2FA systems often require the user to enter a verification code received via text message on a preregistered mobile phone, or a code generated by an authentication application.
- Multifactor authentication -- Multifactor authentication requires users to authenticate with more than one authentication factor, including a biometric factor like fingerprint or facial recognition, a possession factor like a security key fob or a token generated by an authenticator app.
- One-time password -- A one-time password is an automatically generated numeric or alphanumeric string of characters that authenticates a user. This password is only valid for one login session or transaction, and is usually used for new users, or for users who lost their passwords and are given a one-time password to log in and change to a new password.
- Three-factor authentication -- Three-factor authentication (3FA) is a type of MFA that uses three authentication factors, usually a knowledge factor (password) combined with a possession factor (security token) and inherence factor (biometric).
- Biometrics -- While some authentication systems can depend solely on biometric identification, biometrics are usually used as a second or third authentication factor. The more common types of biometric authentication available include fingerprint scans, facial or retina scans and voice recognition.
- Mobile authentication -- Mobile authentication is the process of verifying user via their devices or verifying the devices themselves. This lets users log into secure locations and resources from anywhere. The mobile authentication process involves multifactor authentication that can include one-time passwords, biometric authentication or QR code validation.
- Continuous authentication -- With continuous authentication, instead of a user being either logged in or out, a company's application continually computes an "authentication score" that measures how sure it is that the account owner is the individual who's using the device.
- API authentication -- The standard methods of managing API authentication are: HTTP basic authentication; API keys and OAuth.
- In HTTP basic authentication, the server requests authentication information, i.e., a username and password, from a client. The client then passes the authentication information to the server in an authorization header.
- In the API key authentication method, a first-time user is assigned a unique generated value that indicates that the user is known. Then each time the user tries to enter the system again, his unique key is used to verify that he is the same user who entered the system previously.
- Open Authorization (OAuth) is an open standard for token-based authentication and authorization on the internet. OAuth allows a user's account information to be used by third-party services, such as Facebook, without exposing the user's password. OAuth acts as an intermediary on behalf of the user, providing the service with an access token that authorizes specific account information to be shared.
User authentication vs. machine authentication
Machines also need to authorize their automated actions within a network. Online backup services, patching and updating systems and remote monitoring systems, such as those used in telemedicine and smart grid technologies, all need to securely authenticate to verify that it is the authorized system involved in any interaction and not a hacker.
Machine authentication can be carried out with machine credentials much like a user's ID and password only submitted by the device in question. They can also use digital certificates issued and verified by a certificate authority as part of a public key infrastructure to prove identification while exchanging information over the internet, like a type of digital password.
With the increasing number of internet-enabled devices, reliable machine authentication is crucial to enable secure communication for home automation and other internet of things applications, where almost any entity or object may be made addressable and able to exchange data over a network. It is important to realize that each access point is a potential intrusion point. Each networked device needs strong machine authentication and also, despite their normally limited activity, these devices must be configured for limited permissions access as well, to limit what can be done even if they are breached.
Authentication comes in all sizes and flavors, and security pros need to know as much about multifactor authentication as possible. Learn how to build a business case for MFA.
Be sure to read our comparison of popular MFA products as well as our in-depth profiles of Vasco IDENTIKEY Server v3.6 , Symantec Validation and ID Protection Service , SafeNet Authentication Service, Dell Defender and SecureAuth idP v8.0.