Authentication is a foundational technology for cybersecurity programs. Understanding what it is and is not reinforces its importance. This article provides an in-depth review of how authentication is used, as well as the many types and components of authentication. It also explains the relationship between authentication and authorization, which, contrary to many misrepresentations, are not the same.
Definition of authentication
Authentication verifies the identity of a user (i.e., human or digital), process, or device, often as a prerequisite for allowing interaction with IT resources. An access control tool, authentication is also used to protect communication systems against acceptance of fraudulent transmissions by establishing the validity of a transmission, message, or originator, as well as verifying an individual’s eligibility to receive specific categories of information. In addition, authentication can be used to ensure the source and integrity of stored or transmitted data.
A brief history of authentication
In 1961, Fernando Corbató, a researcher at the Massachusetts Institute of Technology (MIT), created a password program. Considered the first digital authentication system, it was developed to manage access to files stored on the university’s mainframe and how long users could work on the system. This was a rudimentary authentication system with passwords stored in a plaintext file within the filesystem.
In 1972, Robert Morris, a cryptographer at Bell Labs, developed a password encryption method known as a hashing function. The calculations used to create the numeric version of a password are simple to compute, but difficult to reverse. To improve this authentication method, Morris partnered with his colleague Ken Thompson and created salting, which adds random strings to a stored password so that it will be even harder to break.
The 1970s also saw the development of another type of authentication created by UK government employees James Ellis, Clifford Cocks, and Malcolm J. Williamson. It was based on asymmetric cryptography using two keys—one public and one private. The public key can be shared with anyone to prove a user’s identity, and a private key for digital signing is used to verify their identity. It is important to note that asymmetric cryptography was not available until the 1990s, as it was kept secret until 1997.
By the 1980s, traditional passwords became unreliable forms of authentication as technology and cybercriminals’ capabilities advanced. To address the shortcomings of traditional passwords, dynamic passwords were introduced.
Referred to as one-time passwords (OTP), this form of authentication randomly generates unpredictable passwords that only systems can recognize as correct. Two types of OTPs were introduced:
- HOTP (hash-based one-time password) or HMAC (hash-based message authentication code)
- TOTP (time-based one-time password)
When asymmetric cryptography was made public in 1997, a public key infrastructure (PKI) standard was developed. PKI defines how to create, store, and send digital certificates, which are a combination of a public key certificate signed with a private key verifying identity.
PKI authentication is supported by:
- Central directory for key storage
- Certificate authority that issues and signs digital certificates
- Certificate management system to handle operational activities, such as access to stored certificates
- Certificate policy that addresses all aspects associated with the generation, production, distribution, accounting, compromise recovery, and administration of digital certificates
- Registration authority that verifies the identity of users submitting the digital certificate request
(Note: More information about these is available in the Types of Authentication section below.)
2010s and 2020s authentication
The past two decades have seen a significant increase in the commercial use of biometric and behavioral authentication, which was largely limited to government use due to the complexity and computing power required. Advances in artificial intelligence (AI), machine learning (ML), and advanced computing capabilities fueled the growth of these types of authentication.
The importance of authentication
There are many reasons that authentication is essential, and that organizations should prioritize implementing robust authentication systems. Authentication enables organizations to keep their networks secure by permitting only authenticated users or processes to gain access to IT resources, delivering many benefits, including:
- Minimizes data breaches
- Protects sensitive data
- Provides an extra layer of security beyond organization-wide systems
- Reduces risk
- Supports compliance efforts and audits
Authentication use cases
Authentication can be used in a number of ways, including the following use cases.
- Application authentication—to control access to applications
- Cloud services and SaaS authentication—to control access to cloud-based applications and resources
- Device authentication—to control access to devices (e.g., computer, Internet of Things (IoT), and mobile)
- Network authentication—to control access to networks, including local area networks (LANs), wide area networks (WANs), and the Internet
- Virtual desktop infrastructure (VDI) —to control access to virtualized environments
How authentication works
The authentication process varies by use case, but the following is a high-level review of how authentication works.
Administrators help users set up a username and password. Many organizations also set up multi-factor authentication components (e.g., registering their mobile phone and biometrics).
The user requests access to an IT resource and is prompted to provide authentication factors.
The authentication factors are checked by backend systems.
If the authentication factors are validated, the user is granted access. If not, they are denied access and can be denied the right to attempt to access the IT resource until they can be validated by other means, such as answering a series of security questions.
Most authentication systems maintain a log of users’ access to facilitate root cause analysis in the event of a security incident and to support compliance audits.
An authentication factor is a data point or attribute used to verify the identity of a user requesting access to an IT resource.
Three Primary Authentication Factors
- Knowledge factor or something a user knows
A knowledge factor includes authentication credentials that consist of information that only a user should know, such as:
- Answer to a secret question
- Personal identification number (PIN)
- Possession factor or something a user has
A possession factor includes authentication credentials based on hardware devices that the user can own and have with them to run an authentication application that can receive a PIN or OTP, or use to tap in for access, such as a:
- Mobile phone
- Security token
- Access card
- Key fob
- Inherence factor
An inference factor includes authentication credentials based on some form of biometric identification, such as:
- Facial recognition
- Iris scans
- Voice patterns
Secondary Authentication Factors
Primary authentication factors can be complemented with secondary authentication factors. These supplemental authentication factors include the following.
- Location factor
While location cannot be used on its own for authentication, it can be used to bolster the verification process when primary authentication factors are used. Global positioning system (GPS) data and internet protocol (IP) addresses can be used to verify a user’s location and determine if it aligns with their profile.
- Time factor
As with the location factor, the time factor cannot be used alone for authentication, but can complement primary authentication factors. Time factors can include when a resource is authorized for access by a user or a user’s normal access times.
Types of authentication
Application programming interfaces (APIs) allow applications to exchange services and data. Before exchanges can be allowed, application authentication must be completed. The most common application authentication methods are API keys, Hypertext Transfer Protocol (HTTP) basic authentication, and Open authorization (OAuth).
Behavioral authentication uses individuals’ dynamic actions as a method of identity verification. Artificial intelligence (AI) and machine learning (ML) are employed to recognize unique patterns in immutable behavioral characteristics, such as:
- Gait recognition, which analyzes the way a user walks
- Keystroke dynamics, which analyzes typing speed and patterns
- Mouse biometrics, which analyzes the way a user interacts with their mouse
Biometric authentication uses the physical features of an individual to verify their identity. Types of biometric authentication include:
- DNA matching
- Ear shape recognition
- Facial recognition
- Fingerprint recognition
- Hand geometry recognition
- Iris recognition
- Retina recognition
- Signature recognition
- Vein pattern recognition
- Voice recognition
Certificate-based authentication (CBA) verifies the identity of users, devices, and machines with a digital or public-key certificate.
Continuous authentication tracks users’ behavior and other data points throughout their online session. With this authentication method, scores are continually tallied to ensure that the user matches the authenticated identity.
The user must re-authenticate if a continuous authentication is out of line with the approved threshold. Continuous authentication data points include:
- Behavioral characteristics
- Browser activity
- GPS data
- IP addresses
- Mouse movements
- Time of access
- Typing speed and patterns
Authentication is required for machines to perform automated actions within a network. Machine authentication can be done with primary credentials or digital certificates.
Mobile authentication verifies users via their devices or the devices themselves to allow users to access secure networks and resources from anywhere.
One-time password (OTP)
An OTP is used for single login or transaction authentication. Also known as a dynamic password, an OTP is a numeric or alphanumeric string of characters that is automatically generated and used to authenticate a user.
OTPs are usually triggered after a user completes one or more parts of multi-factor authentication. An OTP is sent to a user’s registered mobile phone or email, and then the user inputs the code to complete the authentication process.
Passwordless authentication does not require a knowledge-based authentication factor (e.g., password, passphrase, personal identification number or PIN, or an answer to a secret question). Users enter their user ID and are then prompted to enter one or more of three types of authentication factors to gain access to IT resources.
The three types of authentication factors used for passwordless authentication are:
- Inherence factors including biometrics, such as facial recognition, fingerprints, iris scans, and voice patterns
- Possession factors including a key fob, mobile phone, or security token
- Magic links, which are one-time-use uniform resource locators (URLs) sent to users via email or mobile phone for authentication; rather than entering a password for authentication, the user simply clicks the URL to gain access to IT resources
Note that MFA can be passwordless authentication, but not always. MFA deployments can use or not use passwords as part of authentication. In addition, passwordless authentication may be set up for MFA or single-factor authentication.
Single sign-on (SSO) authentication
SSO authentication allows users to log in and access multiple accounts and applications with a single set of credentials entered once. With SSO, applications outsource the authentication process to a trusted third party that has already taken the user through an authentication process.
Single-factor authentication (SFA) matches only one credential to gain access to an IT resource. When this single credential is a username and password, it is considered a weak form of authentication as this combination can be compromised, providing a single barrier to entry for unauthorized users. However, when SFA is a passwordless authentication, it is considered to be more reliable as passwordless authentication uses authentication factors that are significantly more difficult to compromise.
Two-factor authentication (2FA) adds one more layer of protection to the authentication process. This type of authentication uses two of the three types of authentication factors (i.e., knowledge, possession, and inference).
Three-factor authentication (3FA) is a type of MFA that requires the use of all three types of authentication factors.
Multi-factor authentication (MFA) includes 2FA and 3FA and can require more authentication factors from the core three groups.
Authentication vs authorization
Commonly interchanged, authentication and authorization are not the same.
|Authentication is the process of verifying who a user is.||Authorization is the process of verifying what a user is authorized to access.|
|Users are denied access if they cannot prove their identity.||Users are denied access if they are not authorized to access a resource.|
|Verifies a user’s credentials.||Grants or denies a user’s permissions.|
|Users can see the authentication process.||Users cannot see the authorization process.|
|Users can make some changes to their authentication elements.||Users cannot make changes to their authorization permissions.|
Increasingly Sophisticated Authentication Provides a Powerful Cyber Defense
Reports abound about how criminals are gaining ground in their fight against security defenses. Yes, they are getting better, but so are the security solutions available to keep them out.
Since it was introduced in the 1960s, authentication has rapidly and continuously evolved, getting stronger all the time. The explosion of AI and ML capabilities now available for authentication systems makes them more effective than ever. Organizations can take advantage of the latest authentication technology to enable safety for their IT resources.
You might also be interested in:
Smart, scalable, seamless identity security
Trusted by 48% of the Fortune 500