Authentication
The process of verifying the identity of a user, device, or system before granting access
Also known as: AuthN, Identity Verification, User Authentication
Category: Principles
Tags: security, identity, access-control, verification
Explanation
Authentication is the security process of verifying that someone or something is who or what it claims to be. It answers the question 'Who are you?' and forms the foundation of access control in any secure system. Without reliable authentication, authorization decisions become meaningless.
Authentication factors fall into three categories: something you know (passwords, PINs, security questions), something you have (smart cards, tokens, mobile phones), and something you are (fingerprints, facial recognition, voice patterns). Multi-factor authentication (MFA) combines two or more of these factors for stronger security.
Common authentication methods include: password-based authentication (the most common, but also the most exposed to attack), certificate-based authentication (using digital certificates), biometric authentication (physical characteristics), token-based authentication (hardware or software tokens), and single sign-on (SSO), which lets a single authentication grant access to multiple systems.
Authentication faces numerous threats: password attacks (brute force, dictionary, credential stuffing), phishing (tricking users into revealing credentials), man-in-the-middle attacks (intercepting authentication exchanges), and session hijacking (stealing authenticated sessions).
Best practices include: enforcing strong password policies, implementing MFA (especially for sensitive systems), using secure protocols (HTTPS, OAuth 2.0), monitoring for failed authentication attempts, and educating users about phishing. Modern systems increasingly use passwordless authentication methods such as FIDO2/WebAuthn to eliminate password-related vulnerabilities entirely.
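As an added example (not code from the original entry), the following shows how the knowledge and possession factors described above combine into one MFA check: a salted PBKDF2 password hash plus an RFC 6238 TOTP code, compared in constant time. The user record, password and TOTP seed are constructed for illustration; the seed is the RFC 6238 test-vector secret.

```python
import hashlib
import hmac
import os
import struct
import time
from typing import Optional, Tuple

PBKDF2_ITERATIONS = 600_000   # knowledge factor: slow, salted hash, never the password itself
TOTP_STEP = 30                # possession factor: RFC 6238 time step in seconds
TOTP_DIGITS = 6

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a salted PBKDF2-HMAC-SHA256 digest; a fresh random salt is used on enrollment."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest

def totp(secret: bytes, at: int, step: int = TOTP_STEP, digits: int = TOTP_DIGITS) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) over the time-step counter with HMAC-SHA1 truncation."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def enroll(password: str, totp_secret: bytes) -> dict:
    """Constructed user record: stores the salt, the password hash and the enrolled TOTP seed."""
    salt, digest = hash_password(password)
    return {"salt": salt, "hash": digest, "totp_secret": totp_secret}

def authenticate(record: dict, password: str, code: str, now: Optional[int] = None) -> bool:
    """Both factors must verify; comparisons are constant-time so response timing leaks nothing."""
    now = int(time.time()) if now is None else now
    _, candidate = hash_password(password, record["salt"])
    password_ok = hmac.compare_digest(candidate, record["hash"])
    # Accept the current step and one step either side to tolerate clock drift on the device.
    code_ok = any(
        hmac.compare_digest(totp(record["totp_secret"], now + d * TOTP_STEP), code)
        for d in (-1, 0, 1)
    )
    # Both factors are evaluated before the decision, so a wrong password does not
    # short-circuit and reveal through timing which factor failed.
    return password_ok and code_ok

if __name__ == "__main__":
    user = enroll("correct horse battery staple", b"12345678901234567890")
    print(authenticate(user, "correct horse battery staple", totp(user["totp_secret"], 59), now=59))
```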