While just one facet of cybersecurity, authentication methods are the first line of defense. Authentication is the process of determining whether a user is who they say they are. Not to be confused with the step it precedes—authorization—authentication is purely the means of confirming a digital identity, so that users are granted only the permissions they need to access a resource or perform the task they are attempting.
There are many authentication methods, ranging from passwords to fingerprints, that confirm the identity of a user before allowing access. Doing so adds a layer of protection and prevents security lapses like data breaches, though it is often the combination of different types of authentication that gives a system the strongest protection against possible threats.
Definition of authentication
In the context of cybersecurity, authentication is the process of verifying and confirming the identity of a user, device, or system before granting access to resources or information. It is a front-line defensive security measure used to ensure that individuals or entities can only access sensitive data or perform specific actions for which they are authorized.
The primary objective of authentication is to prevent unauthorized access and protect assets (e.g., applications, data, and systems) from malicious activities, such as identity theft, data breaches, and ransomware attacks. The systems used to implement and enforce authentication policies also support compliance efforts.
Importance of authentication in cybersecurity
Authentication is used to protect nearly every digital asset in an organization’s environment. It plays a critical role in protecting data, maintaining systems, and ensuring compliance with internal policies and external regulations. The following are several of the most commonly cited reasons why authentication is an important part of an organization’s overall security posture.
Prevents unauthorized access
Authentication ensures that only authorized users can access systems, applications, and data. This is fundamental to protecting digital assets from being accessed by unauthorized individuals or malicious actors.
Protects sensitive data
Most organizations create, store, and handle sensitive data such as personally identifiable information (PII) collected by human resources departments, financial information used by accounting teams, and intellectual property created and used by various groups in an organization.
Authentication mechanisms help safeguard this information from unauthorized access and potential breaches by verifying identities before granting access.
Mitigates security risks
By verifying the identity of users and entities, authentication reduces the risk of cyber attacks that can result in identity theft, financial loss, operational disruption, and data breaches. It defends against these and other threats with strong access controls administered through a layered approach.
Supports accountability
Authentication tools can create logs that detail all access instances. They can track which individual or entity accessed what resources and when, tracing specific actions back to particular users or devices. This plays a vital role in monitoring for potential issues, auditing and investigations, and reporting in the wake of a security incident.
Supports compliance
Authentication is a requirement for compliance with many regulations and standards, such as General Data Protection Regulation (GDPR), Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry Data Security Standard (PCI DSS), Sarbanes-Oxley Act (SOX), Federal Information Security Management Act (FISMA), Gramm-Leach-Bliley Act (GLBA), ISO/IEC 27001, and many international security and privacy laws. These mandate that organizations implement and maintain robust authentication measures to protect sensitive data and ensure privacy.
Enhances trust
Strong authentication mechanisms ensure compliance with laws and standards and build trust among users, customers, and partners. The use of robust authentication demonstrates that the organization takes security seriously and is committed to protecting its data.
Reduces social engineering risks
Social engineering is the use of psychological manipulation as an attack vector for perpetrating malicious activities. Deception is used to trick individuals into breaking personal and organizational security protocols to support criminal activities.
Using advanced authentication methods, such as multi-factor authentication (MFA), prevents cyber attackers from gaining unauthorized access to applications, systems, or data from a single point of failure, such as compromised credentials. Layered approaches to authentication make it exponentially more difficult for attackers to gain access successfully because even if one layer of authentication has been compromised, others are still in place. These additional verification steps have proven to be highly effective in thwarting unauthorized access.
Supports identity management
Authentication plays a critical role in identity and access management (IAM). It helps organizations manage user identities and control access to resources by ensuring that only authorized users can access systems and data. Identity management systems (IDMS) use authentication methods (e.g., multi-factor authentication) to verify users' identities before granting access. Identity service providers (IdPs) are often used to support authentication systems, such as MFA and single sign-on (SSO).
Types of authentication
Based on their associated factors, there are three primary types of authentication: knowledge, possession, and inherence. Each has its pros and cons, but when used in conjunction, these types of authentication provide powerful protection from unauthorized access.
Knowledge-based authentication (something you know)
Knowledge-based authentication uses information that a user knows, such as a username and password combination or personal information, to verify their identity before they are allowed to proceed. The level of security offered by knowledge-based authentication depends on the type used. There are two types of knowledge-based authentication—static and dynamic.
Static knowledge-based authentication uses pre-selected information stored in the authentication system. In addition to credentials, examples of static authentication factors are security questions, such as first pet, favorite color, or mother's maiden name. Static verification offers the benefit of simplicity, but the common nature of the questions asked makes it easier for cyber attackers to find the answers.
Dynamic knowledge-based authentication generates random questions to authenticate users. It increases security by making it harder to research answers in advance. Because dynamic knowledge-based authentication generates questions on the fly, cyber attackers cannot predict the information that they need to circumvent security systems. These questions come from various data sources, such as collected credit history, financial information, and public records.
Possession-based authentication (something you have)
With possession-based authentication, a user’s identity is verified using physical possession of a specific object or device. These devices include a hardware token, a smart card, a USB key, and mobile devices, usually smartphones. The device is registered to an individual user and linked to the user’s identity, creating a unique connection between the user and the device.
Once set up, the device can be used as part of authentication processes. When a user attempts to log in to a resource, they are prompted to present the object or a unique identifier associated with the object. For instance, a token or smartphone could present a unique security code, and a scanner could be used to capture a person’s fingerprint. Possession factors offer enhanced protection because it is difficult for cyber attackers to get the device or spoof it.
Inherence-based authentication (something you are)
Inherence-based authentication verifies a user’s identity with their inherently unique biological traits that are nearly impossible to replicate or fake, such as a user’s fingerprint, voice, or iris. This is a very secure authentication method, but it has limitations.
One of the biggest concerns about inherence-based authentication is privacy, as this approach requires the collection and storage of an individual’s characteristics. Other drawbacks of inherence-based authentication are related to its implementation. This type of authentication requires specialized devices that can capture and process the data, and these systems can be costly and complex to support.
Authentication methods
Authentication keeps invalid users out of databases, networks, and other resources. Authentication methods rely on factors, categories of credential used for verification, to confirm a user’s identity. Here are just a few authentication methods.
Single-factor / primary authentication
Historically the most common form of authentication, single-factor authentication is also the least secure, as it only requires one factor to gain full system access. That factor could be a username and password, a PIN, or another simple code. While user-friendly, single-factor authentication systems are relatively easy to infiltrate by phishing, keylogging, or mere guessing. As there is no other authentication gate to get through, this approach is highly vulnerable to attack.
Two-factor authentication (2FA)
By adding a second factor for verification, two-factor authentication reinforces security efforts. It is an added layer that essentially double-checks that a user is, in reality, the user they’re attempting to log in as—making it much harder to break. With this method, users enter their primary authentication credentials (like the username / password mentioned above) and then must input a secondary piece of identifying information.
The secondary factor is usually harder to defeat, as it often requires something only the valid user has access to, unrelated to the given system. Possible secondary factors are a one-time password from an authenticator app, a phone or device that can receive a push notification or SMS code, or a biometric such as fingerprint (Touch ID), facial (Face ID), or voice recognition.
2FA significantly minimizes the risk of system or resource compromise, as it’s unlikely an invalid user would know or have access to both authentication factors. While two-factor authentication is now more widely adopted for this reason, it does cause some user inconvenience, which is still something to consider in implementation.
Single sign-on (SSO)
With SSO, users only have to log in to one application and, in doing so, gain access to many other applications. This method is more convenient for users, as it removes the obligation to retain multiple sets of credentials and creates a more seamless experience during active sessions.
Organizations can accomplish this by identifying a central domain (ideally an IAM system) and then creating secure SSO links between resources. This process allows domain-monitored user authentication and, with single sign-off, can ensure that when valid users end their session, they are logged out of all linked resources and applications.
Multi-factor authentication (MFA)
Multi-factor authentication is a high-assurance method, as it uses additional factors independent of the system being accessed to legitimize users. Like 2FA, MFA uses factors like biometrics, device-based confirmation, additional passwords, and even location or behavior-based information (e.g., keystroke pattern or typing speed) to confirm user identity. However, the difference is that while 2FA always utilizes exactly two factors, MFA could use two or three, with the ability to vary between sessions, adding an elusive element for invalid users.
Common authentication factors
Each authentication factor belongs to a specific category of security controls. Security analysts choose factors in each category based on their requirements, availability, cost, ease of implementation, and other criteria. By blending factors from different categories, the overall security posture is significantly enhanced, as it is difficult for a bad actor to acquire or spoof many of these factors. The following are the main categories of authentication factors.
Passwords
Passwords are a form of knowledge-based authentication. Users are required to enter their credentials, a username and password combination, to verify their identity. The credentials are validated by checking them against a database of users’ credentials.
Credentials are either issued by an IT or security team or established when a user first attempts to access a service. Credentials for sensitive systems and data are usually issued by IT or security teams, whereas credentials for accounts (e.g., banks, stores, or services) are often set up by the user.
Beyond protecting the database where credentials are stored, the security of passwords as authentication is predicated on the establishment and enforcement of password policies. A key among these is the use of strong passwords.
CISA (the federal government’s Cybersecurity and Infrastructure Security Agency) recommends strong passwords be long, ideally at least 16 characters. CISA also recommends making them random by combining a string of capital and lowercase letters, numbers, and symbols or using a passphrase (e.g., SharkIceCardPurple). Another CISA recommendation for strong passwords is to make them unique, using different passwords for each account.
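The credential check described above (validate a username and password against a stored database, protect that database, and enforce a length policy) as an added example that is not part of the original article. It uses Python's standard library; the in-memory database, the usernames and the PBKDF2 iteration count are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

# CISA's recommended minimum length, as stated in the article.
MIN_PASSWORD_LENGTH = 16
# Assumed work factor; tune to your hardware so one derivation takes a fraction of a second.
PBKDF2_ITERATIONS = 200_000

# Constructed in-memory stand-in for the credential database:
# username -> (salt, derived key). Only hashes are stored, never plaintext.
CREDENTIAL_DB: dict[str, tuple[bytes, bytes]] = {}


def derive_key(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash so a stolen database cannot be cracked cheaply."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def register(username: str, password: str) -> bool:
    """Enforce the length policy, then store only a per-user salt and derived key."""
    if len(password) < MIN_PASSWORD_LENGTH or username in CREDENTIAL_DB:
        return False
    salt = os.urandom(16)  # unique per user, so identical passwords hash differently
    CREDENTIAL_DB[username] = (salt, derive_key(password, salt))
    return True


def verify(username: str, password: str) -> bool:
    """Validate a login attempt against the stored record."""
    record = CREDENTIAL_DB.get(username)
    if record is None:
        # Run the KDF anyway so unknown usernames take as long as wrong passwords.
        derive_key(password, b"\x00" * 16)
        return False
    salt, stored_key = record
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(derive_key(password, salt), stored_key)
```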
PINs
The PIN (personal identification number) factor uses a numeric code or password to authenticate the identity of a user. PINs are often used as part of possession authentication. They are dynamically generated and presented on devices for users to enter as part of an authentication process. Common uses for PINs as knowledge-based authentication are for ATMs and mobile devices (e.g., smartphones and tablets).
Security tokens
Security tokens are used for possession-based authentication. They can be hardware-based or software-based. Examples of hardware-based security tokens are USB tokens, smart cards, portable devices that display time-restricted codes, NFC (near-field communication) tokens for contactless authentication, and Bluetooth tokens that pair with a device when in proximity to authenticate. Software-based tokens include mobile authentication apps, one-time codes sent via text messages or email, push notifications that require users to validate a login attempt, and browser extensions that generate and manage one-time passwords for web-based authentication.
Biometrics
Biometrics is considered a stronger authentication factor than passwords or PINs because it leverages physical or behavioral characteristics that are unique to individuals to verify their identity. These are difficult to forge or steal.
Types of biometric factors include fingerprints, facial recognition, hand geometry, iris recognition, retinal scans, voice recognition, gait analysis, vein patterns, DNA matching, and ear shape recognition. Users present their biometrics during the authentication process, and the system compares them to the records the user provided at enrollment.
Biometrics are used for a number of access control use cases. Examples include facial recognition to unlock a smartphone, fingerprint recognition to access a computer system, retinal and hand geometry scans to gain entry to a secured building or area, and voice recognition to access account information by phone.
Location
Geolocation can be used as an authentication factor by using internet protocol (IP) addresses, global positioning system (GPS) coordinates, and network information to determine whether a user’s access request originates from an expected or trusted location. With location-based authentication, a baseline of normal login locations is established, and anomalies are flagged and trigger further authentication.
Behavior
Behavioral authentication is different from other types in that it supports continuous identity verification. It establishes user behavior baselines and monitors activity to detect deviations in how users interact with devices and applications. For example, keystroke analysis detects the unique timing patterns of how a user types, including the speed and pressure of key presses. Mouse movement can also be tracked and analyzed, such as the way a user typically navigates a screen. Behavior analytics tools can even track how a user holds and moves their device, including grip strength and angle.
What are the most common authentication protocols?
Authentication protocols are the designated rules for interaction and verification that endpoints (laptops, desktops, phones, servers, etc.) or systems use to communicate. There are nearly as many standards and protocols as there are applications that users need to access.
Selecting the right authentication protocol for the organization is essential for ensuring secure operations and compatibility. Here are a few of the most commonly used authentication protocols.
Password authentication protocol (PAP)
While common, PAP is the least secure protocol for validating users, due mostly to its lack of encryption. It is essentially a routine login process that requires a username and password combination to access a given system, which validates the provided credentials. It is now most often used as a last option when communicating between a server and a desktop or remote device.
Challenge handshake authentication protocol (CHAP)
CHAP is an identity verification protocol that verifies a user to a given network with a higher standard of protection, using a three-way exchange based on a shared “secret.” First, the local router sends a “challenge” to the remote host, which then sends a response computed with the MD5 hash function. The router compares this against its expected response (hash value), and depending on whether it finds a match, it establishes an authenticated connection—the “handshake”—or denies access. It is inherently more secure than PAP, as the router can send a challenge at any point during a session, whereas PAP only operates on the initial authentication approval.
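The three-way CHAP exchange described above, with both the router (authenticator) and remote host (peer) sides, as an added example that is not from the original article. It follows RFC 1994's response formula, MD5(Identifier || Secret || Challenge), in Python's standard library; the peer names, secrets and the single-use challenge table are assumptions for illustration.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(Identifier || Secret || Challenge).
    MD5 is what the protocol specifies; it is used here only to mirror CHAP."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapAuthenticator:
    """The router side: issues challenges and checks responses against its own hash."""

    def __init__(self, peer_secrets: dict[str, bytes]):
        self.peer_secrets = peer_secrets     # shared secrets, never sent on the wire
        self.identifier = 0
        self.outstanding: dict[int, bytes] = {}

    def challenge(self, rng=os.urandom) -> tuple[int, bytes]:
        """Step 1: send a fresh Identifier and random Challenge (repeatable mid-session)."""
        self.identifier = (self.identifier + 1) & 0xFF
        value = rng(16)
        self.outstanding[self.identifier] = value
        return self.identifier, value

    def check(self, name: str, identifier: int, response: bytes) -> bool:
        """Step 3: Success only if the response equals the hash we compute ourselves."""
        challenge = self.outstanding.pop(identifier, None)   # single use: no replay
        secret = self.peer_secrets.get(name)
        if challenge is None or secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)


class ChapPeer:
    """The remote host: holds its own copy of the secret and answers challenges."""

    def __init__(self, name: str, secret: bytes):
        self.name, self.secret = name, secret

    def respond(self, identifier: int, challenge: bytes) -> tuple[str, int, bytes]:
        """Step 2: reply with the hash; the secret itself never leaves the host."""
        return self.name, identifier, chap_response(identifier, self.secret, challenge)


def run_handshake(authenticator: ChapAuthenticator, peer: ChapPeer) -> bool:
    ident, chal = authenticator.challenge()          # 1. Challenge
    name, ident, resp = peer.respond(ident, chal)    # 2. Response
    return authenticator.check(name, ident, resp)    # 3. Success / Failure
```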
Extensible authentication protocol (EAP)
This protocol supports many types of authentication, from one-time passwords to smart cards. When used for wireless communications, EAP offers the highest level of security, as it allows a given access point and remote device to perform mutual authentication with built-in encryption. It connects users to the access point, which requests credentials, confirms identity via an authentication server, and then makes another request for an additional form of user identification to confirm again via the server, with all messages in the exchange transmitted encrypted.
Kerberos
Kerberos is a protocol that is used for network authentication. It uses cryptographic keys to create tickets. Once a ticket is issued, it is used to validate the identity of clients and servers during a network session in lieu of passwords. It is often used in large environments to support SSO.
LDAP
LDAP (Lightweight Directory Access Protocol) is an open, standard protocol used for managing and maintaining directory information, such as that held by authentication servers. Because applications can quickly query user information for authentication, it is widely used to manage organizations’ user credentials.
OAuth 2.0
OAuth (Open Authorization) 2.0 is an industry-standard authorization framework that allows a website or application to access resources hosted by other web apps on behalf of a user. Access is limited to authorized actions for each user. The broad appeal of OAuth 2.0 is that the client app can perform actions on behalf of a user, and the user never has to share their credentials because the exchange is handled through application programming interfaces (APIs) and passed authentication tokens.
RADIUS
RADIUS (Remote Authentication Dial-In User Service) is a network protocol that provides centralized authentication and accounting. It allows remote users to access virtual private network (VPN) servers, which accept requests from remote users and establish secure connections to a private network.
SAML
SAML (Security Assertion Markup Language) is an open, standard, XML-based protocol for exchanging authentication and authorization data between identity providers (IdPs) and service providers. It enables single sign-on authentication across service providers.