Authentication (AuthN)

Where identity and access management begins with identification, authentication is the second step. Authentication, often abbreviated as 'AuthN', is one of the security processes within the IAM framework. What exactly do we mean by authentication in this context? And how does it differ from a related concept, such as authorization? Read on for the answers.

What is Authentication?

Authentication is a critical component of an identity and access management (IAM) system. It refers to the processes and mechanisms used to verify the identity of a user, application, or device. In other words, is the user, application, or device actually who or what it claims to be? An authentication system compares the presented digital identity with the authenticity attributes and data known to your organization. Authentication is the second step in the IAM security process.

Nearly every internet user encounters authentication daily. For example, signing in to your business or personal Google or Outlook account. After entering your username or email address (identification), Google and Microsoft prompt for a password. The user then enters it. If the entered password matches the stored password, the system assumes you are the legitimate user and authentication succeeds.
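The password check described above, as an added example that is not part of the original page: the stored value is never the password itself but a salted, iterated hash, and the comparison runs in constant time. The iteration count, the user store and the sample credential are constructed for this illustration.

```python
import hashlib
import hmac
import os

# PBKDF2-HMAC-SHA256 parameters. The iteration count is an illustrative choice
# for this example, not a value taken from the page.
HASH_NAME = "sha256"
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str) -> dict:
    """Build the stored record for a new password: a random per-user salt plus
    the salted, iterated hash. The plaintext is never stored."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt, "hash": digest, "iterations": ITERATIONS}


def verify_password(record: dict, presented: str) -> bool:
    """Recompute the hash from the presented password and the stored salt, then
    compare in constant time so timing does not reveal how many bytes matched."""
    candidate = hashlib.pbkdf2_hmac(
        HASH_NAME, presented.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["hash"])


# Constructed user store standing in for the "stored password" of the page.
USERS = {"alice@example.com": hash_password("correct horse battery staple")}

# Record used for unknown usernames so that a lookup miss costs the same time
# as a wrong password; the result is discarded.
_DUMMY_RECORD = hash_password("dummy-password-for-timing")


def authenticate(username: str, password: str) -> bool:
    """Identification (username) followed by authentication (password check)."""
    record = USERS.get(username)
    if record is None:
        verify_password(_DUMMY_RECORD, password)
        return False
    return verify_password(record, password)


if __name__ == "__main__":
    print(authenticate("alice@example.com", "correct horse battery staple"))  # True
    print(authenticate("alice@example.com", "wrong password"))                # False
    print(authenticate("nobody@example.com", "correct horse battery staple")) # False
```

Two details carry the security value: the per-user salt means two users with the same password get different stored hashes, and `hmac.compare_digest` avoids the early-exit comparison that leaks information through response time.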

What Are the Most Common Authentication Factors?

There are several authentication factors, also called credentials, each with its own advantages and disadvantages. They are grouped into the categories 'something you know', 'something you have', 'something you are', and 'something you do'. The most important and common factors are:

  • Passwords: the most common authentication factor, in which a user provides a username and password to access a system or service. If the user supplies the correct secret combination of letters, numbers, and/or symbols, the system assumes the digital identity is valid and grants access. A password must not be too simple or obvious, so that it is hard to guess.

  • One-time passcodes: this is a verification factor where you must have received a one-time code, for example via SMS or an authenticator app, and provide it in order to sign in. These codes typically have a limited validity period and cannot be reused.

  • Biometric factors: a credential that verifies a user based on physical characteristics ('something you are'), such as an iris scan, facial recognition, or a fingerprint. Think of Face ID on an Apple iPhone.

What is Strong Authentication?

Attackers are becoming more sophisticated and professional, so more organizations and software vendors now require strong authentication: the user must complete multiple authentication steps, not just one. For strong authentication to actually be safer than traditional forms, it is important to combine different factor types. Using two passwords does not necessarily make the sign-in process more secure, since both can still be cracked or guessed. Likewise, combining an SMS passcode with an authenticator app gives someone holding a stolen phone both factors at once. Combining genuinely different authentication factors, however, reduces the risk that someone gains unauthorized access to data, applications, and systems.

We can categorize authentication into the following types, with the last two representing strong authentication methods:

  • Single-Factor Authentication: This is the simplest but least secure form of authentication. The user only needs to provide one credential, or 'factor', to verify identity. This is usually a password, but it can also be a one-time passcode retrieved via a linked smartphone app.

  • Two-Factor Authentication: This form of authentication is rapidly gaining adoption and requires the user to provide two proofs to verify identity. This is often a combination of something the user knows (such as a password) and something the user has (such as an access card or a one-time code sent to a phone).

  • Multifactor Authentication: This type of authentication requires the user to provide more than two pieces of evidence to verify identity. This can be a combination of something the user knows, something the user has, and something the user is (such as a biometric factor like a fingerprint or an iris scan).

What is the Difference Between Authentication and Authorization?

Authentication is often mentioned in the same breath as authorization. Although the two concepts are related and both are part of the IAM process, they do not mean the same thing.

We can clarify the difference between authentication and authorization with an analogy. Suppose a cleaning crew arrives after hours to tidy your office or company building. The ID card that the cleaners show the security guard serves as authentication, allowing them to enter the building, and is comparable to the credentials users enter to sign in to a digital system.

Authorization comes into play when discussing where the cleaning crew may go in the building and what they are allowed to do. For example, the guard may allow the cleaners to move items temporarily to clean every corner of the office. They are not permitted to enter the server room or use company equipment to check their email.

The security guard in the example represents the IAM system that is responsible for both authentication and authorization. In summary, the difference between authentication and authorization in an IAM context comes down to the following:

  • Authentication verifies a user's identity using a username, password, and/or other authentication factors.

  • Authorization determines which protected areas of an application or system the user can then access.

Put simply, authentication verifies identity, while authorization grants access to information and allows actions to be performed.
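An added example, not from the original page, that ties together the two preceding sections: the factor types are classified into the page's categories so that the authentication level counts distinct categories rather than raw factor count (two passwords, or an SMS code plus an authenticator app, remain single-factor), and a separate authorization step then decides what the authenticated principal may do, modelled on the cleaning-crew analogy. The factor mapping, roles, resources and policy table are constructed for this illustration; factor verification itself is assumed to have already succeeded.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Iterable


class Category(Enum):
    KNOW = "something you know"
    HAVE = "something you have"
    ARE = "something you are"
    DO = "something you do"


# Constructed mapping of factor types to the page's categories.
FACTOR_CATEGORY = {
    "password": Category.KNOW,
    "pin": Category.KNOW,
    "sms_code": Category.HAVE,
    "authenticator_app": Category.HAVE,
    "access_card": Category.HAVE,
    "fingerprint": Category.ARE,
    "iris_scan": Category.ARE,
}

LEVEL_RANK = {"single-factor": 1, "two-factor": 2, "multifactor": 3}


def authentication_level(completed_factors: Iterable[str]) -> str:
    """Count distinct categories, not factors: proofs from the same category
    do not strengthen the sign-in."""
    categories = {FACTOR_CATEGORY[f] for f in completed_factors}
    if len(categories) <= 1:
        return "single-factor"
    if len(categories) == 2:
        return "two-factor"
    return "multifactor"


@dataclass(frozen=True)
class Principal:
    """Outcome of authentication: who the caller is, which roles they hold,
    and how strongly identity was proven."""
    user: str
    roles: frozenset
    level: str


def authenticate(user: str, roles: Iterable[str], completed_factors: Iterable[str]) -> Principal:
    """Issue a principal once the listed factors have been verified (assumed here)."""
    return Principal(user, frozenset(roles), authentication_level(completed_factors))


# Authorization policy: (resource, action) -> (roles allowed, minimum level).
# Constructed after the page's analogy: cleaners may enter the office and move
# items, but not enter the server room or read company email.
POLICY = {
    ("office", "enter"): ({"cleaner", "employee", "sysadmin"}, "single-factor"),
    ("office", "move_items"): ({"cleaner"}, "single-factor"),
    ("server_room", "enter"): ({"sysadmin"}, "two-factor"),
    ("email", "read"): ({"employee", "sysadmin"}, "single-factor"),
}


def authorize(principal: Principal, resource: str, action: str) -> bool:
    """Deny by default; allow only when a role matches and the authentication
    level meets the resource's minimum (step-up for sensitive areas)."""
    entry = POLICY.get((resource, action))
    if entry is None:
        return False
    allowed_roles, min_level = entry
    role_ok = bool(principal.roles & allowed_roles)
    level_ok = LEVEL_RANK[principal.level] >= LEVEL_RANK[min_level]
    return role_ok and level_ok


if __name__ == "__main__":
    cleaner = authenticate("cleaner-1", {"cleaner"}, ["access_card"])
    print(authorize(cleaner, "office", "move_items"))   # True
    print(authorize(cleaner, "server_room", "enter"))   # False: wrong role
    admin = authenticate("admin-1", {"sysadmin"}, ["password"])
    print(authorize(admin, "server_room", "enter"))     # False: needs two factors
```

Note that the server-room rule fails for a correctly identified administrator who signed in with a password alone: authentication succeeded, but authorization still refuses until the required level is met, which is the separation the page describes.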
