What is authentication
Authentication methods and best practices
Since the dawn of civilization, mankind has looked for secure yet convenient ways to authenticate identities, to grant access only to those who are authorized, and to stay one step ahead of threat actors. Facial features, tokens, cryptography, signatures, fingerprints, and passwords were just some of the authentication methods used before the digital age. An evolution of these techniques fuels authentication today.
For example, instead of relying on the human eye to recognize facial features, we rely on biometrics tools to authenticate a person by their iris, retina, fingerprint, voice, or other distinct biological characteristics. Similarly, instead of physical tokens, security systems issue digital tokens to users who have successfully proven their identities.
Yet threat actors continue to find ways to bypass authentication. In a previous age, criminals may have forged seals to bypass security. Today, more cybercriminals are stealing authentication tokens to bypass multi-factor authentication (MFA), sometimes to devastating effect. For example, hackers hijacked session tokens to spectacularly take over three Linus Media Group YouTube channels.
Cybersecurity teams at technology giants like Google, Microsoft, and Apple are constantly looking to improve their authentication systems to protect users and organizations alike from increasingly clever and frequent cybersecurity attacks.
However, many users would rather have more convenience than security, which would explain Microsoft users’ slow MFA adoption despite 25.6 billion account hijacking attempts using brute-forced stolen passwords in 2021. It may also explain why Microsoft disabled Basic authentication for Exchange Online in favor of Modern authentication, featuring options like MFA, smart cards, certificate-based authentication (CBA), and third-party Security Assertion Markup Language (SAML) identity providers.
Read our in-depth guide for more on:
- Authentication meaning.
- Two-factor authentication vs multi-factor authentication.
- Authentication vs authorization.
- Methods of authentication.
- Passwordless authentication.
Authentication is a cybersecurity method that verifies the identity of a system or a user. The most common authentication method is a username and password. Other authentication methods, such as biometric verification, are more sophisticated and thorough. A familiar example of authentication is logging in to your email: you must enter your username and password before you can get into your mailbox.
Why is authentication important?
Authentication is critical to protecting our security and privacy. We complete many different types of actions online, from working and communicating to shopping or storing private data, typically remotely. Authentication helps preserve the integrity of any digital space, such as banks, cloud computing platforms, social media pages, and others, by mitigating the risk of unauthorized access. It’s because of authentication that we can trust physically unseen systems and identities.
Some authentication tools can also slow down or stop a cyber attack. For example, a cybercriminal with a stolen username and password may breach an account to steal data, drop malware, or initiate a Man-in-the-Middle (MitM) attack. However, a system with stronger authentication controls at each step may stop their lateral movement.
Authentication is also essential because it increases user accountability. An authenticated user may be less likely to engage in malicious activity because they know their actions are attributed to them. Authentication can also help organizations in regulated industries comply with security and privacy laws by improving data security.
What is authentication used for?
Authentication can be used for various purposes:
- Device security: All types of devices with operating systems implement authentication for security, including desktops, laptops, smartphones, tablets, and even a wide range of Internet of Things (IoT) devices.
- Account security: Multiple platforms leverage authentication to enhance account security. For example, email and social media accounts use authentication to prevent unauthorized users from accessing accounts. Financial platforms protect online banking, digital payments, and e-commerce from fraud with authentication.
- Cloud computing: As more organizations switch to cloud computing platforms like Microsoft Azure, authentication is used for the security of assets, data, and operations. Authentication is also used for the security of organizations with on-premises assets, such as networks and systems that adopt remote working.
- Access control: Not only is authentication used for external security but internal security too. Organizations can use authentication to ensure that staff can access networks, applications, and data on a need-to-know basis.
Authentication vs authorization
Although authentication and authorization seem similar, and the two terms are sometimes incorrectly used interchangeably, they’re two different concepts in cybersecurity. The long explanation is that authentication is the process of verifying identity by login credentials, facial features, voice, or an authentication token. Authorization is what happens after authentication. Once the system has authenticated the identity of a system or person, it allows the entity to access resources or perform actions based on their privileges.
The short authentication vs authorization explanation is that the former determines whether an entity is who it claims to be and is allowed in, and the latter determines what resources they can engage with after authentication.
Commonly used authentication factors
Anyone who has used a modern operating system or worked on a cloud computing platform knows that there are many different types of authentication methods and tools, such as PINs (Personal Identification Numbers), fingerprints, tokens, and IP addresses. These methods or tools fall into different categories called authentication factors.
A knowledge factor is anything a user knows, like a password or an answer to a security question. Knowledge factors are typically fast but vulnerable: passwords can be stolen, and weak passwords are susceptible to brute-force attacks such as dictionary attacks.
We highly recommend that you learn how to create a strong password to shield your accounts. You may also consider using a top password manager to manage your list of complex login credentials.
A possession factor can be more secure than a knowledge factor because it requires a user to be in possession of a certain item, like a token or a smartphone, to prove their identity. For example, a system may send a one-time password to a user’s smart device when they’re trying to gain access. However, possession factors aren’t perfect either, as possessions can be hijacked or stolen.
One of the most secure authentication factors is the inherence factor because it relies on a user’s unique physical characteristics like a fingerprint or iris.
The biggest drawback to relying on inherence factors is that the system’s hardware must be capable of capturing and processing biometric data, though most modern devices have such features.
An inherence factor can also prove to be too effective in rare circumstances. For example, there have been multiple instances of next-of-kin being unable to access their deceased child’s cryptocurrency because the device is protected by an inherence factor.
An organization, such as a streaming service, can use a location factor like geo-blocking to restrict access to users from specific locations. For example, a streaming service like Netflix USA may block users from Canada from viewing some content. However, location factors usually have workarounds. For example, someone in Canada could theoretically use a private VPN to mask their location and access Netflix USA.
A behavior-based authentication factor requires a user to perform certain actions to prove their identity. For example, they may be required to draw certain patterns or solve a rudimentary puzzle to prove they’re human and not a bot. Google’s reCAPTCHA uses a risk analysis engine and tracks mouse movements to check for human behavior.
Types of authentication
The most common form of authentication, password-based authentication, is the process of verifying a user’s identity by having them provide a password that exactly matches the stored one. The system rejects a password that differs from the stored password by even one character.
As mentioned, attackers can guess weak passwords very quickly with modern tools. That’s why users should set passwords that are at least 10 characters long and complex, and change them periodically.
Multi-factor authentication (MFA)
MFA was born of necessity: even the most sophisticated password can be stolen. With multi-factor authentication, a user may be required to prove their identity in a second way when a login attempt triggers the system’s security rules. For example, if a system sees a new device or IP address during a login attempt, it may ask for a PIN or a token even if the correct login credentials are presented.
Two-factor authentication (2FA)
Many people wonder about the difference between 2FA and MFA. The answer is that 2FA is essentially a subset of MFA. As mentioned, MFA asks for two or more authentication factors. 2FA only asks for two, typically a password and a passcode sent to an email account or mobile device. You can read up on the basics of two-factor authentication to learn more.
While users of social media pages use 2FA to protect their accounts, some platforms are, unfortunately, monetizing account security. For example, you may have read about Twitter and two-factor authentication, where the platform is dramatically shaking up security settings. Since March 19, users can’t use SMS-based 2FA without paying for a subscription.
However, users have other options (for now). For example, they can set up two-factor authentication on Twitter using a hardware key for advanced security. A hardware key is a better tool for security than SMS, which is open to a SIM-swapping attack.
Single-factor authentication (SFA)
As its name suggests, SFA requires users to offer only one piece of evidence, and a password is the most common form. Although SFA can be more convenient than MFA, it can be significantly less secure, especially if the authentication type is weak. SFA is also vulnerable to social engineering attacks like phishing.
Certificate-based authentication
With this type of authentication, a system uses a digital certificate. Certificate-based authentication is more secure than passwords because the certificates are sophisticated, use keys, and are revocable by the issuing authority. High-profile organizations such as governments use this cryptographic technique for enhanced security.
Biometric authentication
As mentioned, biometric authentication relies on unique physical characteristics like fingerprints, voices, and irises to protect systems. Biometric authentication is the most secure and convenient form of authentication.
Token-based authentication
Web applications, APIs, and other systems often use tokens to authenticate users. In a nutshell, a token is a unique identifier that’s issued to an authorized user. While tokens are growing in usage due to the rise of hybrid work environments, token theft is also increasing.
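Because a stolen token is as good as a password for as long as it is valid, the two properties a defender cares about are that the token cannot be forged or altered and that it expires quickly. The code below is added as an example and is not from the article: it issues an HMAC-SHA256-signed token carrying a subject, issue time, expiry, and a random token id, and verifies it by checking the signature before trusting any claim. The token format and the 15-minute default lifetime are this example’s own choices; a real deployment would also keep a server-side revocation list keyed by the token id.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
from typing import Optional


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(key: bytes, subject: str, issued_at: int, lifetime: int = 900) -> str:
    """Issue base64(payload).base64(HMAC-SHA256(key, payload)).

    The client can read the payload but cannot change it without the key.
    """
    claims = {
        "sub": subject,
        "iat": issued_at,
        "exp": issued_at + lifetime,      # short lifetime limits a stolen token's value
        "jti": secrets.token_hex(8),      # unique id, usable for server-side revocation
    }
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode("utf-8")
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(tag)}"


def verify_token(key: bytes, token: str, now: int) -> Optional[dict]:
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    try:
        payload_b64, tag_b64 = token.split(".")
        payload = _unb64(payload_b64)
        tag = _unb64(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # Check the signature before parsing anything the client controls.
    if not hmac.compare_digest(expected, tag):
        return None
    claims = json.loads(payload)
    if now >= claims["exp"]:
        return None
    return claims


if __name__ == "__main__":
    key = b"constructed-server-secret"  # example only; load from a secret store in practice
    tok = issue_token(key, "alice", issued_at=1_700_000_000)
    print(tok)
    print(verify_token(key, tok, now=1_700_000_100))   # claims for alice
    print(verify_token(key, tok, now=1_700_000_900))   # None: expired
```

Note that the subject is only trusted after the signature check passes; decoding the payload first and then validating it is a common ordering mistake that lets a forged token reach application logic.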
Basic authentication
A basic authentication system asks only for a username and password to authenticate a user. Systems that use basic methods are more susceptible to attackers. Only internal testing resources or public systems like public WiFi use basic authentication nowadays. Basic authentication is the main reason users must be more careful when using public WiFi.
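The reason basic authentication needs so much care on an untrusted network is easy to see once you parse it: the HTTP `Authorization: Basic` header carries `username:password` merely base64-encoded, which is an encoding, not encryption. The parser below is added as an example and is not code from the article; it follows RFC 7617 (the user-id cannot contain a colon, everything after the first colon is the password) and rejects malformed headers instead of guessing. The sample header value is the well-known RFC example, not a real credential.

```python
import base64
import binascii
from typing import Optional, Tuple


def parse_basic_authorization(header: str) -> Optional[Tuple[str, str]]:
    """Parse an 'Authorization' header value of the form 'Basic <base64>'.

    Returns (user, password) or None when the header is not well-formed.
    """
    parts = header.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None
    try:
        # validate=True refuses characters outside the base64 alphabet.
        decoded = base64.b64decode(parts[1], validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None  # no colon: not a credential pair
    return user, password


def build_basic_authorization(user: str, password: str) -> str:
    """Build the header value a client would send; the user-id may not contain ':'."""
    if ":" in user:
        raise ValueError("user-id must not contain a colon (RFC 7617)")
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


if __name__ == "__main__":
    # RFC 7617's illustrative example; anyone seeing this header recovers the password.
    print(parse_basic_authorization("Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="))  # ('Aladdin', 'open sesame')
```

Because the credential is recoverable by anyone who can read the request, basic authentication is only acceptable inside TLS, and even then a long-lived password is resent on every request, which is why token-based schemes with short lifetimes are preferred for APIs.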
Passwordless authentication
As users and organizations demand convenience alongside security, passwordless authentication options such as biometrics, security keys, tokens, and one-time codes are growing in popularity in enterprise environments and consumer platforms.
In addition to extra convenience, passwordless authentication can provide more security because many users continue to use weak passwords or fall victim to phishing attacks that harvest credentials.
Knowledge-based authentication (KBA)
KBA is a type of authentication that tests a person’s knowledge of the information they’ve saved to authenticate their identity. Examples of KBA include answering questions about the street they grew up on, their favorite color, or their mother’s maiden name.
There are several reasons why KBA is a weak authentication method. With more user data publicly available on message boards and social media platforms like LinkedIn and Facebook, it’s easier for a threat actor to gather the required data to bypass KBA. In addition, users are less likely to set complex answers to secret questions than they are to set complex passwords.
Mutual authentication
Mutual authentication, also known as two-way authentication, is a type of authentication where both parties in a connection verify each other, typically with digital certificates. Although mutual authentication is used most commonly by communication protocols like Transport Layer Security (TLS) and Secure Sockets Layer (SSL), many Internet of Things (IoT) devices also use the technique in device-to-device connections.
SMS authentication
SMS authentication uses text messages as a component of MFA. SMS authentication works best when the authentication methods are unadulterated. For example, a wireless carrier had a bright idea of mixing SMS authentication with an ad, which could allow threat actors to design more compelling smishing attacks.
Network or server authentication
Network authentication refers to the identification of users who are trying to gain access to a network or server. This type of authentication is used in communication protocols, VPNs, firewalls, and systems that control access to applications.
Secret key authentication
In a system that uses secret key authentication, the user and the system share a cryptographic session key that’s known only to the two parties. These keys are symmetric. In other words, the same key is used for both encryption and decryption. Communication protocols like Secure Sockets Layer (SSL) use secret key authentication to secure data transfer, for example between a web browser and a website.
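To make the shared-key idea concrete, and to show the mutual (two-way) verification described in the mutual authentication section in its shared-secret form rather than the certificate form the article says is typical, here is a challenge-response handshake added as an example; it is not code from the article. Each side sends a fresh random nonce and the peer answers with an HMAC over that nonce under the pre-shared key, so the key itself is never sent. The response also binds the responder’s name, which stops a reflection attack in which a party’s own challenge is bounced back to it. The `Party` class, message layout and names are this example’s own design.

```python
import hashlib
import hmac
import secrets
from typing import Optional


class Party:
    """One endpoint of a mutual challenge-response handshake over a pre-shared key."""

    def __init__(self, name: str, key: bytes):
        self.name = name
        self.key = key
        self.nonce: Optional[bytes] = None  # the challenge this party most recently issued

    def challenge(self) -> bytes:
        """Issue a fresh 16-byte random nonce; reusing nonces would permit replay."""
        self.nonce = secrets.token_bytes(16)
        return self.nonce

    @staticmethod
    def _proof(key: bytes, responder: str, nonce: bytes) -> bytes:
        # Domain-separated input: responder identity and the challenge it answers.
        return hmac.new(key, b"response|" + responder.encode() + b"|" + nonce, hashlib.sha256).digest()

    def respond(self, peer_nonce: bytes) -> bytes:
        """Prove knowledge of the key for the peer's nonce, as this party."""
        return self._proof(self.key, self.name, peer_nonce)

    def check(self, peer_name: str, response: bytes) -> bool:
        """Verify the peer's proof against the nonce this party issued."""
        if self.nonce is None:
            return False
        expected = self._proof(self.key, peer_name, self.nonce)
        ok = hmac.compare_digest(expected, response)
        self.nonce = None  # each challenge is usable once
        return ok


def mutual_authenticate(client: Party, server: Party) -> bool:
    """Three messages: client challenge; server proof + server challenge; client proof."""
    nonce_c = client.challenge()                       # 1. client -> server: nonce_c
    server_proof = server.respond(nonce_c)             # 2. server -> client: proof(nonce_c), nonce_s
    nonce_s = server.challenge()
    if not client.check(server.name, server_proof):
        return False                                   # server failed to prove the key
    client_proof = client.respond(nonce_s)             # 3. client -> server: proof(nonce_s)
    return server.check(client.name, client_proof)     # server verifies the client


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    print(mutual_authenticate(Party("client", key), Party("server", key)))  # True
    print(mutual_authenticate(Party("client", key), Party("server", b"x")))  # False
```

The security of the scheme rests entirely on the key staying secret on both ends, which is the practical weakness of secret-key authentication at scale and the reason public-key certificates take over once many parties are involved.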
Physical security key
A physical security key is a piece of hardware that helps a user prove their identity and is an example of a possession factor. A physical security key typically generates a unique code that is shared with a system for authentication. A decade or more ago, physical security keys were used only by high-profile organizations such as banks and intelligence agencies.
Nowadays, however, many different types of platforms, such as gaming, ecommerce, and social media, allow users to protect their accounts with physical security keys. For example, users can enable Facebook’s hardware key authentication for iOS and Android for an extra layer of possession-factor security around their accounts.
Authentication best practices
- Watch out for malware designed to steal credentials or sensitive data, such as some kinds of Trojans, spyware, and keyloggers. Also learn how to remove a keylogger, because it can harvest keystrokes, screenshots, and other information used to trick an authentication system.
- Set passwords that are at least ten characters long and carry a mix of numbers, symbols, and letters.
- Avoid using known patterns in passwords, such as a birthdate or the name of a favorite celebrity.
- Never store your login credentials in plain sight, such as on a piece of paper on your desk. Store passwords encrypted on your devices.
- Give your password a helping hand by using MFA methods such as biometric identification or a security key.
- Be wary of social engineering attacks designed to steal your credentials.
- Avoid reusing your password; otherwise, a stolen password may result in multiple account breaches.
- Change your password regularly. Try using a reputable password manager for convenience.
- Encourage your organization’s network administrator to limit session lengths to reduce the window for session hijacking.
- Administrators must monitor authentication logs and network data to react quickly to suspicious activity, such as multiple access attempts from suspicious IP addresses.
- Organizations should consider adopting a zero-trust architecture for greater security.
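The monitoring advice above is easiest to act on with a concrete rule. The code below is added as an example and is not from the article: it scans authentication log lines and flags any source address with five or more failed logins inside a one-minute sliding window, reporting the distinct usernames tried, which distinguishes a single user mistyping from a source spraying many accounts. The log format, the sample lines and the threshold are constructed for this example; adapt the regular expression to your own system’s format.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# Constructed sample log lines in an invented, sshd-like format (not from a real system).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z auth FAILED user=alice src=203.0.113.7
2024-05-01T10:00:03Z auth FAILED user=bob src=203.0.113.7
2024-05-01T10:00:04Z auth SUCCESS user=carol src=198.51.100.2
2024-05-01T10:00:06Z auth FAILED user=root src=203.0.113.7
2024-05-01T10:00:08Z auth FAILED user=admin src=203.0.113.7
2024-05-01T10:00:09Z auth FAILED user=dave src=203.0.113.7
2024-05-01T10:12:00Z auth FAILED user=alice src=192.0.2.9
this line is not an auth record and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>FAILED|SUCCESS) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def find_bruteforce_sources(
    log_text: str, threshold: int = 5, window: timedelta = timedelta(minutes=1)
) -> Dict[str, List[str]]:
    """Return {source_ip: sorted distinct usernames} for every source that reaches
    `threshold` failed logins within any `window`-long span."""
    recent: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    flagged: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("result") != "FAILED":
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        src = m.group("src")
        events = recent[src]
        events.append((ts, m.group("user")))
        # Slide the window: drop failures older than `window` before this one.
        while events and ts - events[0][0] > window:
            events.popleft()
        if len(events) >= threshold and src not in flagged:
            flagged[src] = sorted({user for _, user in events})
    return flagged


if __name__ == "__main__":
    for src, users in find_bruteforce_sources(SAMPLE_LOG).items():
        print(f"ALERT {src}: {len(users)} distinct accounts failed in 1 minute: {users}")
```

A real pipeline would add per-account counting (many sources, one account) and a success-after-many-failures rule, which is the signal that a guess actually landed and the account should be forced to re-authenticate.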
Authentication is the process of verifying the identity of a user, device, or system. It is a security mechanism used to ensure that the person or entity attempting to access a resource is who it claims to be, before authorization decides what it may do.
An example of authentication is when you log in to your email account using your username and password. The system checks your credentials against a database of authorized users to verify that you are who you claim to be. If your credentials match, you are granted access to your email account. This helps to prevent unauthorized access to your emails and protect your personal information.
Knowledge-based authentication: This type of authentication involves the user providing information that only they should know, such as a password, PIN, or answer to a security question.
Possession-based authentication: This type of authentication involves the user providing proof of possession of a physical object, such as a security token, smart card, or mobile device.
Inherence-based authentication: This type of authentication involves the user providing biometric information, such as a fingerprint, facial recognition, or iris scan, to verify their identity.