Authentication is the process of verifying identity. It requires using passwords, hardware tokens, or several other methods.

In cyber security, authentication is verifying someone’s or something’s identity. Authentication usually occurs by checking a password, a hardware token, or some other information proving identity. Just as an airline worker checks a passport or an identification card to verify a person’s identity when they board a plane, computer systems need to be sure a person is who they say they are. At an airport, this authentication process ensures only people with a ticket get on the plane; for digital systems, this ensures data is viewed and used by the right people.

Authentication does not just apply to verifying human users. Computer systems also need to check servers, software, APIs, and other computers to be sure they are who they “say” they are.

How is authentication used in a security context?

Authentication is an important part of identity and access management (IAM), which dictates who can view data and what they can do with it. But it applies to many other areas of security as well, including:

  • TLS: Almost all major websites support Transport Layer Security (TLS) today. TLS, among other functions, authenticates the identity of a web server to ensure user devices do not load fake websites.
  • APIs: Most modern web applications rely on APIs to function. Properly secured APIs authenticate both endpoints of the API integration to prevent attacks directed at those APIs.
  • Email: Emails are authenticated using DomainKey Identified Mail (DKIM). DKIM helps ensure email messages come from servers allowed to use the domain (e.g., @zpenterprises.co) that the email comes from. Non-authenticated email messages are likely to end up in spam folders.

How does authentication work?

Because a computer cannot “recognize” a person or another computer the way a human can, the authentication process relies on objective criteria that a computer can measure. One type of objective criteria involves checking for some quality that the person or computer in question is known to have. Another involves using a technology called public key cryptography to prove identity.

Verifying identity via authentication factors

This type of authentication involves checking a measurable characteristic of identity against a corresponding digital record. The characteristics that an authentication system will check are called “factors.” Three common authentication factors are widely used today:

1. Something the person knows

This authentication factor checks a piece of secret knowledge that only the real person should have. A username-and-password combination is a classic example of this factor. Security questions and PIN codes are also examples.

2. Something the person has

This authentication factor checks if the person possesses a physical item they were issued or is known to have. Many people use this authentication factor daily: they live in a house or an apartment that they can unlock with a metal key. Possession of this key, therefore, proves they are authorized to enter the premises and enables them to do so.

In digital systems, this authentication factor does not rely on an old-fashioned lock and key. However, it uses a similar principle by checking for a physical token. There are two types of tokens: soft tokens and hard tokens.

Soft tokens: A soft token involves verifying possession of a device, like a smartphone, by sending a code to that device and asking the user to enter it. The code may be sent as a text message or through an app that generates random codes.

Hard tokens: A hard token is a small physical item that connects to a computer or mobile device via Bluetooth, a USB port, or some other port. Users must plug this token into their device to verify their identity.

Some security experts consider hard tokens more secure than soft tokens. An attacker could remotely intercept a code on its way to a user’s phone and use that code to impersonate the user. But it is much harder to steal a hard token: the attacker must access it to do so physically.

3. Something the person is

This authentication factor assesses a person’s inherent qualities. In real life, people do this all the time — two friends may recognize each other by their appearance or manner of speaking, for instance. A computer could do the same by scanning a person’s face or retina, verifying their thumbprint, measuring the frequencies of their voice, or checking the results of a blood test (although this last one is rare).

Additional authentication factors

Some security industry members have proposed or used additional authentication factors besides the three main ones listed above. Two additional factors are location (where a user is) and time (when accessing the system).

Verifying identity via digital certificates

In addition to using the authentication factors described above, known and trusted entities can also be issued digital certificates. A digital certificate is a small digital file containing information for verifying identity, just as an ID card verifies a person’s identity in real life.

Digital certificates receive a digital signature to prove their authenticity from the authority that issues them, like how a passport, ID card, or piece of paper currency may have a watermark proving it is not counterfeit.

A digital certificate also contains a string of random values called a public key. The public key corresponds to a private key that is stored separately. The entity with the certificate can digitally sign data with these keys to prove that it possesses the private key and is, therefore, authentic.

Currently, digital certificates are not often used to verify the identity of individual people. But most people rely on digital certificates every day without realizing it.

Whenever someone loads a website that uses HTTPS, the secure version of HTTP, the TLS protocol uses the website’s digital certificate (called an SSL certificate or TLS certificate) to authenticate the website. DKIM, which authenticates email senders, is another example of a technology that uses this method instead of checking authentication factors. DKIM helps email providers sort and block spam emails.

What is multi-factor authentication (MFA)?

Multi-factor authentication (MFA) is verifying a person’s identity by checking two or more authentication factors rather than just one. MFA is a stronger type of authentication than single-factor authentication because it is much harder to fake two of these factors than it is to fake one of them.

An attacker might be able to steal Bob’s username and password (perhaps through a phishing attack). But if Bob also has to scan his face, the attacker will not be able to fake Bob’s identity since their face does not look like Bob’s face. Or, if Bob has to plug a hard token into his computer in addition to entering his password, the attacker would have to steal this token as well. While possible, such a theft is much more difficult, making account takeover less likely.

For true MFA, separate factors have to be checked. Assessing multiple instances of one factor is not MFA. For instance, if an application has a user enter a password and answer security questions to authenticate, this is still single-factor authentication. Password entry and security questions assess the “something you know” factor.

Because of its increased security, MFA is a core principle of Zero Trust security, a security model that requires identity verification for every user and device that accesses a private network.

What is two-factor authentication (2FA)?

Two-factor authentication (2FA) is what MFA is called when exactly two factors are used. The most common type of two-factor authentication is “something you know” + “something you have.” For instance, in addition to entering their passwords, many people have codes sent to their phones before accessing their bank accounts (an example of the “soft token” version of this factor).

Today, many businesses are employing 2FA to reduce the impact of phishing attacks. For example, Google was able to eliminate account takeover attacks by using 2FA with hard tokens for authentication.

What is the difference between authentication and authorization?

While authentication is concerned with verifying identity, authorization is concerned with permissions or what someone can do once they gain access to a protected system or resource.

Suppose Bob works in his company’s marketing department. Bob enters his password, scans his face, and inserts his hard token to log in to his company’s network. At this point, authentication is complete.

After logging in, Bob cannot access every data file in the company’s possession. Authorization determines what Bob can and cannot see. As a marketer, he is authorized to see some data, like a list of potential customers to whom the company will send marketing messages, but not other data, like the company’s main codebase or list of employee salaries.

See our article on authentication vs. authorization to learn more.

What is single sign-on (SSO)?

Modern corporate employees have to authenticate to many different cloud-based applications. This forces those employees to establish many sets of authentication factors — one set for each application — and creates potential security concerns:

  • One application with weak security could enable an attacker to compromise that application, move laterally, compromise the user’s other application accounts, and spread to the rest of the organization.
  • Requiring users to sign in to multiple applications incentivizes them to stop following good security practices. A user may start using weak passwords or the same password for every application since memorizing multiple randomized 16-digit passwords can be challenging.

Single sign-on (SSO) is a service that enables users to authenticate only once. Users sign in to the SSO service, which then passes on this authentication to every application by sending a digital authentication message to each application as needed.

SSO also gives IT teams a single point to enforce security policies. Not all applications support 2FA, but if the SSO service supports it, then 2FA can be used anyway. IT teams can also enforce password length and complexity requirements via an SSO service, putting less of a burden on users to remember multiple passwords.

What is Security Assertion Markup Language (SAML)?

SSO authentication messages use a protocol called Security Assertion Markup Language (SAML). SAML is a standardized method for telling external applications that users are who they say they are.

A message authenticating a user is called a SAML “assertion.” Once an application receives a SAML assertion for a user, it does not need to authenticate the user independently because it knows the SSO service has already done this.

SAML vs. OpenID Connect (OIDC)

OpenID Connect (OIDC) is another authentication protocol that is growing in use by SSO providers. OIDC functions similarly to SAML, but it formats data differently, among other distinctions; while SAML formats data via XML, OIDC uses JSON.


Nord VPN
60% off Nord VPN
Coinbase - Getty Images - 1234552839
Coinbase – Crypto Currency – Sign up with this link and get $10 free?! Buy/sell/exchange crypto, and use their ATM card to access your cash easily!
Chase Sapphire Preferred - Travel Points
NordPass - Password Manager - CJ Banner
https://www.dpbolvw.net/click-100604079-15345170
Binance Cryptowallet - Buy/Sell
Binance Blockchain
Amazon - Daily Deals
Amazon’s Daily Deals!
Your favorite restaurants are delivered to your front door! Grubhub!
Game Fly
Game Fly Video Game Rentals!

Please enter CoinGecko Free Api Key to get this plugin works.