What is a user authentication policy?
User authentication is an access control process that verifies that any user (i.e., person or machine) is who or what they purport to be before granting them access to a system, network, or application. The steps for user authentication vary, but all have the objective of protecting sensitive information and resources from unauthorized access.
In some cases, user authentication requires only a username and password. In others, more complex combinations are used to verify identities.
How user authentication works
In a simple authentication process, a user inputs their credentials, such as a username and password. The system then checks these credentials against stored data. For passwords, what is stored should be a salted hash rather than the password itself, so the check recomputes the hash of the submitted password and compares it with the stored value. If the check succeeds, the system authenticates the user and grants them access to the resource (e.g., applications and systems).
Authorization is a related but separate step. Authentication establishes who the user is; authorization then determines what that identity is permitted to access (e.g., content and controls) and what actions it may perform in the resource (e.g., read, write, edit, delete, copy, or share). When an authenticated user accesses a resource, they are restricted to the privileges they have been assigned; a successful login by itself grants nothing beyond those privileges.
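The check described above, as an added example that is not code from the article: the submitted password is verified against a salted, iterated hash, the comparison is constant-time, and an unknown username costs the same work as a wrong password so the login form does not reveal which accounts exist. The record format, the user name and the passwords are constructed for the demo.

```python
"""Checking submitted credentials against stored salted hashes.

Added example, not code from the article. Storage format is an assumption:
"pbkdf2_sha256$<iterations>$<salt_hex>$<hash_hex>", one record per user.
"""
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor; raise as hardware allows
SALT_BYTES = 16
KEY_LEN = 32


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Produce the record to store at enrollment. The plaintext is never written anywhere."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=KEY_LEN
    )
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    try:
        algorithm, iterations_str, salt_hex, hash_hex = stored.split("$")
        if algorithm != ALGORITHM:
            return False
        iterations = int(iterations_str)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
    except ValueError:          # wrong field count, bad hex, non-numeric iterations
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=len(expected)
    )
    # compare_digest does not short-circuit on the first differing byte.
    return hmac.compare_digest(candidate, expected)


# Constructed user store for the demo (assumption: one record per username).
USER_STORE = {"alice": hash_password("correct horse battery staple")}

# Verified against when the username does not exist, so a lookup miss costs the
# same as a wrong password and does not reveal which usernames are valid.
_DUMMY_RECORD = hash_password(os.urandom(16).hex())


def authenticate(username: str, password: str, store: dict = USER_STORE) -> bool:
    """True only when the username exists and the password matches its record."""
    record = store.get(username)
    if record is None:
        verify_password(password, _DUMMY_RECORD)   # burn equal time, then fail
        return False
    return verify_password(password, record)
```

A failed check returns False without saying why; the application tells the user only that the login failed. A successful check establishes identity and nothing more: the separate authorization lookup decides what that identity may do.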
The purpose of user authentication
User authentication safeguards sensitive data, aids in regulatory compliance, and enables personalized access to resources.
It secures digital systems and data against unauthorized access and misuse by verifying the identities of users (i.e., people and machines) and enforcing access restrictions, and it is a key component of an organization’s broader cybersecurity framework.
Specific functions of user authentication include the following.
Access control
User authentication works with access control mechanisms to restrict access to resources, applications, or data to authorized users according to their assigned permissions.
Auditing
Authentication events and the activity that follows them are logged, tracking who accessed what information, when, and from where, along with failed attempts. This information is used for auditing, compliance, and forensic analysis.
Data protection
User authentication reduces the risk of data breaches and other cyber threats by restricting access based on valid credentials and assigned privileges, protecting sensitive data from unauthorized exposure, theft, or manipulation.
Personalization
With user authentication, user experiences with resources can be personalized by identifying individual users and tailoring services, settings, and content according to their preferences and permissions.
Prevent unauthorized actions
User authentication can be used to control what authenticated users can do within an accessed resource to prevent unauthorized actions that could harm the system, compromise data, or result in a compliance violation.
Regulatory compliance
Most organizations are subject to regulations that mandate strict data protection for sensitive data, such as financial records, personally identifiable information (PII), and protected health information (PHI). User authentication facilitates compliance with these regulations by controlling and monitoring access to sensitive data.
Secure online services
Many online services, such as banking, shopping, and user portals, collect and use sensitive information. User authentication helps ensure that interactions with these services are conducted by the legitimate account holder, preventing unauthorized activity on the account.
User authentication protocols
User authentication protocols are sets of rules that dictate how users are authenticated before they can access a system. They enable secure communication between users and services, defining how authentication is performed.
The following are examples of user authentication protocols. Each has its strengths and weaknesses; the choice of which is best depends on the system and security requirements of specific use cases.
Challenge-handshake authentication protocol (CHAP)
CHAP is a network protocol used to authenticate a network host or user to an authenticating entity. The authenticator can repeat the challenge at any time during an established connection, so the peer’s identity is re-verified periodically rather than only at connection setup.
CHAP uses a three-way handshake: the authenticator issues a random challenge, the peer returns a hash (MD5, per RFC 1994) computed over a packet identifier, the shared secret, and the challenge, and the authenticator recomputes the hash and replies Success or Failure. Because each challenge is fresh and the secret itself never crosses the wire, a captured response cannot be replayed. The trade-off is that the authenticator must hold the secret in cleartext (or a reversibly encrypted form) to compute the expected response. CHAP is used in point-to-point protocol (PPP) connections, such as VPNs (virtual private networks) and ISP (internet service provider) access links.
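The three steps above, simulated with both sides in one script. This is an added example, not code from the article; the peer names, secrets and 16-byte challenge length are constructed. It also shows the two caveats that matter in practice: the authenticator needs the cleartext secret, and replay protection comes from consuming each challenge after one use.

```python
"""CHAP handshake, both sides, as an added simulation (not code from the article).

Follows RFC 1994: Response = MD5(Identifier || secret || Challenge). Names,
secrets and the challenge length are constructed for the demo.
"""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class Challenge:
    identifier: int   # one octet, changes with every Challenge packet
    value: bytes      # random octets; a fresh value each time is what defeats replay


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Peer side (step 2): prove knowledge of the secret without transmitting it."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """Server side. CHAP requires the cleartext secret to be available here."""

    def __init__(self, secrets: dict[str, bytes]) -> None:
        self._secrets = secrets                  # name -> shared secret
        self._next_id = 0
        self._outstanding: dict[int, bytes] = {}  # identifier -> unanswered challenge

    def challenge(self, length: int = 16) -> Challenge:
        """Step 1: issue a Challenge packet and remember it until it is answered."""
        self._next_id = (self._next_id + 1) % 256
        value = os.urandom(length)
        self._outstanding[self._next_id] = value
        return Challenge(self._next_id, value)

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        """Step 3: recompute the expected value and answer Success (True) or Failure.

        The challenge is consumed on first use, so a captured response cannot be
        replayed against the same identifier.
        """
        challenge = self._outstanding.pop(identifier, None)
        secret = self._secrets.get(name)
        if challenge is None or secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)


def run_handshake(auth: Authenticator, name: str, peer_secret: bytes) -> bool:
    """Drive one full exchange: Challenge -> Response -> Success/Failure."""
    ch = auth.challenge()                                        # authenticator -> peer
    resp = chap_response(ch.identifier, peer_secret, ch.value)   # peer -> authenticator
    return auth.verify(ch.identifier, name, resp)                # authenticator -> peer
```

Run `run_handshake(Authenticator({"peer1": b"s3cret"}), "peer1", b"s3cret")` to see a successful exchange; handing `verify` the same response a second time fails, because the challenge it answered has already been consumed.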
Extensible authentication protocol (EAP)
EAP is a framework rather than a single method: it carries multiple user authentication methods within one protocol, including passwords, digital certificates (EAP-TLS), public-key cryptography, smart cards, and token-based authentication. It enables authentication in various network environments, such as Wi-Fi (via 802.1X), VPN, and dial-up connections; the security of a deployment depends on which EAP method is chosen, not on EAP itself.
Kerberos
Kerberos is a network authentication protocol for client-server environments that uses secret-key cryptography and a trusted third party, the Key Distribution Center (KDC). It issues time-stamped tickets that prove the user’s identity to servers without sending the password to them; because tickets are time-limited, client and server clocks must be kept in sync. Kerberos is used in secure corporate networks and is the default authentication protocol in Microsoft Active Directory domains.
OAuth
OAuth 2.0 is an open standard for access delegation rather than for user authentication in itself: it lets a user grant a third-party application limited access to their resources on a server (e.g., a calendar or file store) without revealing their password, by issuing the application a scoped access token. The “log in with” buttons that build on OAuth rely on an identity layer on top of it, OpenID Connect; treating a bare OAuth access token as proof of identity is a common mistake, since the token states what its bearer may access, not who the user is.
OpenID Connect (OIDC)
OIDC is a user authentication protocol built on OAuth 2.0 that provides identity verification for web and mobile applications. The authorization server performs the authentication and returns a signed ID token (a JSON Web Token) whose claims identify the user, the issuer, the intended audience, and an expiry; the application must verify the signature and those claims before trusting it. OIDC underpins single sign-on (SSO), which improves both security and the user experience by centralizing login at one provider.
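What a relying party must check on an ID token before trusting it, as an added example that is not code from the article: pin the algorithm, verify the signature, and check the iss, aud, exp and nonce claims. HS256 with the client secret is used so the example runs offline (the JWS spec permits it); real deployments commonly use RS256 with keys fetched from the provider’s JWKS endpoint. The issuer, client ID, nonce and clock value are constructed.

```python
"""Validating an OIDC ID token (added example, not code from the article).

Assumptions: HS256 signed with the client secret; issuer, client id, nonce and
the fixed clock are constructed for the demo. Production typically uses RS256
with the provider's published keys, but the claim checks are the same.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import time

CLIENT_SECRET = b"demo-client-secret-not-for-production"   # constructed
ISSUER = "https://idp.example"                              # constructed
CLIENT_ID = "client-123"                                    # constructed
NONCE = "n-0S6_WzA2Mj"                                      # constructed, per login attempt
NOW = 1_700_000_000                                         # fixed clock for determinism


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Provider side (simulated): header.payload, signed with HMAC-SHA256."""
    header = {"alg": alg, "typ": "JWT"}
    parts = [_b64url_encode(json.dumps(p, separators=(",", ":")).encode())
             for p in (header, claims)]
    signing_input = ".".join(parts)
    sig = (hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
           if alg == "HS256" else b"")          # alg=none carries an empty signature
    return signing_input + "." + _b64url_encode(sig)


class IdTokenError(ValueError):
    """Any validation failure; callers treat every variant as 'not logged in'."""


def validate_id_token(token: str, key: bytes, issuer: str, client_id: str,
                      nonce: str, now: float | None = None) -> dict:
    """Relying-party side: return the claims only if every check passes."""
    now = time.time() if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        claims = json.loads(_b64url_decode(p_b64))
        signature = _b64url_decode(s_b64)
    except ValueError as exc:                   # covers binascii and JSON errors too
        raise IdTokenError("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise IdTokenError("malformed token")
    # Pin the algorithm: the token never chooses (blocks alg=none and key confusion).
    if header.get("alg") != "HS256":
        raise IdTokenError("unexpected alg")
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise IdTokenError("bad signature")
    if claims.get("iss") != issuer:
        raise IdTokenError("wrong issuer")
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else (aud or [])
    if client_id not in audiences:              # a token for another client is worthless here
        raise IdTokenError("token not intended for this client")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise IdTokenError("expired")
    if claims.get("nonce") != nonce:            # binds the token to this login attempt
        raise IdTokenError("nonce mismatch")
    return claims


def rejection_reason(token: str, **kwargs) -> str | None:
    """None if the token validates, otherwise the reason it was rejected."""
    try:
        validate_id_token(token, **kwargs)
        return None
    except IdTokenError as exc:
        return str(exc)
```

The order of checks matters less than their completeness: a token with a valid signature from the right issuer is still rejected if it was minted for a different client, has expired, or does not carry the nonce this session sent, because each of those is a distinct way of presenting someone else’s login as your own.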
Password authentication protocol (PAP)
PAP is a user authentication method used in PPP connections. It transmits the username and password from the client to the server in cleartext.
While simple to implement, PAP is insecure on its own because anyone who can observe the link can read the password. CHAP and EAP have largely replaced it. Where PAP survives, in some legacy systems and as an inner method inside tunneled EAP types such as EAP-TTLS/PAP, it must be carried inside an encrypted tunnel so that the cleartext password is never exposed on the network.
RADIUS (remote authentication dial-in user service)
RADIUS is a networking protocol that provides centralized authentication, authorization, and accounting (AAA) for network access. A network access server (the RADIUS client) forwards a remote user’s credentials or EAP messages to the RADIUS server, which decides whether to grant access and returns the session’s authorization attributes, supporting access control and user management in diverse network environments.
RADIUS was designed to manage access to dial-up networks but now supports wireless and wired networks (via 802.1X) and VPNs, and ISPs use it to manage access to internet and email services. Its own protection of the password attribute relies on MD5 and a shared secret between client and server, so modern deployments run it over TLS (RadSec) or carry EAP inside it rather than trusting that legacy obfuscation.
SAML (security assertion markup language)
SAML is an XML-based standard for exchanging authentication and authorization data between parties, typically an identity provider (IdP), which authenticates the user and issues a digitally signed assertion, and a service provider (SP), which validates the signature and grants access. SAML is widely used for single sign-on (SSO) services, particularly in enterprise web applications.
Secure sockets layer (SSL) and transport layer security (TLS)
SSL and TLS are transport security protocols rather than user authentication protocols: they encrypt and integrity-protect data in transit, and they authenticate the server to the client with an X.509 certificate. Optionally they also authenticate the client with a certificate (mutual TLS), which is how TLS becomes a user or device authentication mechanism.
SSL was the predecessor to TLS. All SSL versions and TLS 1.0 and 1.1 are deprecated; TLS 1.2 or 1.3 should be used. TLS secures web browsing, email, instant messaging, and other applications that require protected data transmission over the internet, and it is the channel inside which password-based logins, whether PAP or an HTTP form, are safe to carry.
User authentication policy benefits
- Demonstrates a commitment to security to foster trust with customers, clients, and partners
- Enables secure access to organizational resources from any location to support remote users
- Facilitates better user management by defining clear guidelines for user account creation, management, and termination
- Fortifies defenses against threats that exploit user behavior, such as weak or reused passwords
- Helps organizations adhere to strict data privacy requirements set forth in regulations
- Offers protection against phishing and other social engineering attacks, to the extent that the policy requires phishing-resistant authenticators rather than passwords alone
- Provides detailed audit trails of access attempts and system interactions
- Reduces the risk of cyber attacks that can result in data breaches and unauthorized access
- Streamlines access management processes with automated authentication systems
Types of user authentication
User authentication mechanisms can be broadly categorized based on the factors they use to verify an individual’s identity. Following are examples of a variety of user authentication types.
Five common types of user authentication
Something you are (inherence)
This refers to biometric verification methods used for user authentication, such as:
- Facial recognition
- Fingerprint scans
- Iris scans
- Voice recognition
Somewhere you are (location)
This factor authenticates a user based on their location. Location signals are reported by the client or inferred from the network and can be spoofed (e.g., through VPNs or faked GPS readings), so they serve best as a contextual risk signal alongside other factors rather than as proof of identity. Methods used for location-based user authentication include:
- Geolocation-based authentication—uses the global positioning system (GPS) capabilities of the user’s device to determine their current location
- IP geolocation—analyzes the IP address of the user’s device to estimate their geographical location
- Proximity-based authentication—utilizes Bluetooth, Near Field Communication (NFC), or other proximity-based technologies to verify that the user’s device is physically close to a trusted authentication device (e.g., smartphone or wearable device)
- Wi-Fi network authentication—users authenticate themselves only when connecting to specific Wi-Fi networks (e.g., corporate networks or trusted hotspots)
Something you do (behavior)
Behavioral authentication uses patterns of activity that are uniquely associated with a user, such as:
- Gait recognition
- Interaction patterns
- Mouse movements
- Signature recognition
- Typing rhythm
- Voice recognition
Something you have (possession)
This factor relies on a physical object or device under the user’s control, typically one that generates or holds one-time passwords (OTPs) or cryptographic keys, such as:
- Key fobs
- Mobile devices
- Security tokens
- Smart cards
Something you know (knowledge)
Knowledge-based authentication relies on information that is supposed to be known only by the user, such as:
- Passwords
- Personal identification numbers (PINs)
- Answers to security questions, which can be static (i.e., chosen during account setup) or dynamic (i.e., drawn from records about the user, such as past addresses). Because such answers are often guessable or discoverable from public sources, they are a weak factor and should not be the sole basis for authentication.
Additional types of user authentication
In addition to the commonly recognized authentication factors noted above, the concept of authentication is being expanded to include more nuanced factors as technology capabilities advance.
Emerging factors used to extend or complement the traditional user authentication factors include the following.
Adaptive authentication
Also known as risk-based authentication, this method dynamically changes based on estimated risk as determined by contextual factors such as user behavior, location, device security status, and the type of data being accessed.
Certificate-based authentication
Digital certificates, issued by a trusted certificate authority (CA) and verified against it, are used to authenticate users or devices. The holder proves possession of the private key matching the certificate, so no password is transmitted.
Device trust score
Device trust score is a metric that evaluates the security posture of a device. It is based on factors such as patch level, configuration, recent security events, device health, and whether the device has been jailbroken or rooted.
Time-based authentication
Time-based authentication uses the current time as an input to the authentication process rather than as the identity proof itself. Examples are time-based one-time passwords (TOTP), where a shared secret and the current time step are combined into a short-lived code, and time-limited authentication tokens that expire after a set interval.
User authentication as an effective first line of defense
User authentication is often the first in a series of defense mechanisms to safeguard access to digital assets and maintain the confidentiality, integrity, and availability of systems and information. Effective user authentication systems and processes prevent unauthorized access, data breaches, and identity theft. User authentication should be the first of many layers of security controls to provide an effective defense against cyber threats.