Authentication

Authentication (AuthN)

Identity and access management starts with identification; authentication is the second step. Authentication, often abbreviated to ‘AuthN’, is one of the security processes within the IAM framework. But what exactly do we mean by authentication in this context? And how does it differ from a related term such as authorisation? Read on to find out.

What is authentication?

Authentication is an essential part of an identity and access management (IAM) system and refers to the processes and mechanisms used to verify the identity of a user, application or device. In other words: is the user, application or device genuinely who or what it claims to be? An authentication system checks the credential presented for a claimed identity against the verification data it holds for that identity, such as a password hash or a registered key. Authentication is the second step in the IAM security process, after identification.

Practically every internet user deals with authentication daily, for instance when logging in to a corporate or personal Google or Outlook account. After you enter your username or email address (an act of identification), both Google and Microsoft ask for a password. If the password you enter matches the one on record, the system treats you as the legitimate user and authentication has succeeded. A properly built system does not keep the password itself but a salted hash of it, and compares the entered password against that hash.

What are the most common authentication factors?

There are several kinds of evidence a user can present, commonly referred to as ‘credentials’, each with its own strengths and weaknesses. They are broadly classified into factors: something you know, something you have, something you are and, sometimes, something you do. Among the most notable and frequently used are:

  • Passwords: the predominant authentication factor, where a user supplies a username and password to access a system or service. If the user knows the right secret combination of letters, numbers and/or symbols, the system presumes the digital identity is valid and grants access. Passwords must not be short or obvious, so that they are hard to guess, and the system should store them only as salted hashes, never in clear text.
  • One-time codes: the user must enter a code they receive, usually via SMS or generated by an authenticator app, in order to log in. These codes are typically valid for a short period and can be used only once. Codes generated by an authenticator app are generally preferred over SMS, because text messages can be intercepted or redirected.
  • Biometric features: a credential that authenticates a user based on a physical, or inherent, characteristic such as an iris scan, facial recognition or a fingerprint. Face ID on an Apple iPhone is a well-known example.

What is strong authentication?

As cyber threats evolve and attackers become more capable, a growing number of companies and software products mandate strong authentication, in which users must complete not one but several authentication steps. For strong authentication to be genuinely more secure than a single password, the factors must be of different types. Two passwords do not make the login more secure, because both could still be cracked or guessed. Pairing an SMS code with an authenticator app is equally weak: both are ‘something you have’ tied to the same phone, so someone with the stolen phone could still get in. Combining genuinely different factor types, such as something you know with something you have, reduces the risk of unauthorised access to data, applications and systems.

We can distinguish the following forms of authentication, with the last two being categorised as ‘strong authentication’:

  • Single-factor authentication: the simplest and least secure form. The user provides a single credential, or ‘factor’, to confirm their identity; usually a password, but it could also be a one-time code from a linked smartphone app.
  • Two-factor authentication (2FA): rapidly gaining popularity, this form requires two pieces of evidence of different types to verify the user’s identity. It is typically something the user knows (a password) combined with something the user has (an access card, a hardware token or a one-time code from their phone).
  • Multi-factor authentication (MFA): the general term for authentication with two or more factors of different types; two-factor authentication is the special case of exactly two. With three factors it can combine something the user knows, something the user has and something inherent to the user (a biometric factor such as a fingerprint or iris scan).
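Putting the two-factor case into code, as an added example that is not part of the original article: a login that checks a password (something you know, stored as a salted scrypt hash) and then a time-based one-time code (something you have, generated the way authenticator apps do it, per RFC 6238). The user record and the shared secret are constructed sample data, and the function and class names are assumptions for this illustration.

```python
import hashlib
import hmac
import os
import struct

# ---- Factor 1: something you know. Store a salted scrypt hash, never the password. ----
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)  # ~16 MiB of memory per hash


def hash_password(password):
    """Return (salt, hash) for storage in the user record."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return salt, digest


def verify_password(password, salt, stored_hash):
    candidate = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return hmac.compare_digest(candidate, stored_hash)  # constant-time comparison


# ---- Factor 2: something you have. TOTP (RFC 6238) over a shared secret. ----
def totp(secret, unix_time, step=30, digits=6):
    """The code an authenticator app shows for the 30-second window containing unix_time."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10**digits).zfill(digits)


class TotpVerifier:
    """Accepts a code from the current window or one step either side (clock drift),
    and never accepts the same or an earlier window twice: one-time means one-time."""

    def __init__(self, secret, step=30, digits=6):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.last_counter = -1  # highest window already consumed by a successful login

    def verify(self, code, unix_time):
        if not (code.isascii() and code.isdigit() and len(code) == self.digits):
            return False
        now = unix_time // self.step
        for counter in (now - 1, now, now + 1):
            if counter <= self.last_counter:
                continue  # replay of a code that was already used
            expected = totp(self.secret, counter * self.step, self.step, self.digits)
            if hmac.compare_digest(expected, code):
                self.last_counter = counter
                return True
        return False


# ---- Two-factor login: both factors, of different types, must pass. ----
def make_user(password, totp_secret):
    """Constructed user record: what the server keeps, with no clear-text password."""
    salt, pw_hash = hash_password(password)
    return {"salt": salt, "pw_hash": pw_hash, "totp": TotpVerifier(totp_secret)}


def login(user, password, code, unix_time):
    # The password is checked first so that an attacker who only knows the
    # current code cannot burn it; the user-facing error should not say which
    # factor failed.
    if not verify_password(password, user["salt"], user["pw_hash"]):
        return False
    return user["totp"].verify(code, unix_time)
```

The secret `b"12345678901234567890"` and time `59` are the RFC 6238 test vector, so the code `287082` can be checked against the RFC; a real deployment would also rate-limit attempts per account.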

What is the difference between authentication and authorisation?

Authentication is frequently mentioned alongside authorisation. Although the two terms certainly overlap and both form part of the IAM process, they do not mean the same thing.

We can illustrate the difference between authentication and authorisation with an analogy. Suppose a cleaning crew comes in outside business hours to clean your office building. The ID card they present to the security guard serves as their authentication and gets them into the building. Similarly, a user’s login details serve as their authentication and get them into a digital system.

Authorisation pertains to where the cleaning crew is permitted to go within the building and what they are allowed to do. For instance, the security guard might allow the cleaners to move items and temporarily rearrange things to thoroughly clean every corner of the office. However, they are not permitted to enter the server room or use the company’s equipment to check their emails.

In the above example, the security guard represents the IAM (Identity and Access Management) system, responsible for both authentication and authorisation. To summarise, the difference between authentication and authorisation in an IAM context is:

  • Authentication verifies a user’s identity using a username, password and/or other authentication factors.
  • Authorisation determines which protected parts of an application or system the authenticated user may subsequently access, and which actions they may perform there.

In essence, authentication establishes who the user is, while authorisation determines what that user may access and do. A user who fails authentication is unknown to the system; a user who fails authorisation is known but not permitted.
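The same separation in code, as an added example that is not from the original article: a request handler that first authenticates (maps a session token to a known user) and only then authorises (checks a role-based permission table, deny by default). The users, roles and permissions mirror the cleaning-crew analogy and are constructed sample data; the function and class names are assumptions for this illustration.

```python
import secrets
from enum import Enum


class Outcome(Enum):
    # HTTP spells these 401 "Unauthorized" and 403 "Forbidden", but 401 actually
    # means "not authenticated" and 403 means "authenticated, but not authorised".
    UNAUTHENTICATED = 401
    FORBIDDEN = 403
    OK = 200


# Constructed sample data: which role each identity holds, and what each role may
# do on each resource. Anything not listed is denied.
USERS = {
    "cleaning-crew": {"role": "cleaner"},
    "it-admin": {"role": "admin"},
}
PERMISSIONS = {
    "cleaner": {"office": {"enter", "move_items"}},
    "admin": {
        "office": {"enter", "move_items"},
        "server_room": {"enter"},
        "mail": {"read"},
    },
}


class SessionStore:
    """The security guard's memory: which tokens were issued after a successful login."""

    def __init__(self):
        self._sessions = {}

    def issue(self, username):
        """Called only after authentication has succeeded (the ID-card check)."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = username
        return token

    def whoami(self, token):
        return self._sessions.get(token)


def handle_request(store, token, resource, action):
    """Authenticate first, then authorise; each failure gets its own distinct outcome."""
    user = store.whoami(token)  # step 1: who is this?
    if user is None or user not in USERS:
        return Outcome.UNAUTHENTICATED
    role = USERS[user]["role"]  # step 2: what may this identity do here?
    allowed = PERMISSIONS.get(role, {}).get(resource, set())
    return Outcome.OK if action in allowed else Outcome.FORBIDDEN
```

The distinction matters in practice: a 401 should prompt the client to log in, whereas a 403 should not, because logging in again will not change what the account is permitted to do.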