Authentication is the process of verifying identity. It requires the use of passwords, hardware tokens, or a number of other methods.
After reading this article you will be able to:
Related Content
Subscribe to theNET, Cloudflare's monthly recap of the Internet's most popular insights!
Copy article link
In cyber security, authentication is the process of verifying someone's or something's identity. Authentication usually takes place by checking a password, a hardware token, or some other piece of information that proves identity. Just as an airline worker checks a passport or an identification card to verify a person's identity when they board a plane, computer systems need to be sure a person really is who they say they are. At an airport, this authentication process ensures only people with a ticket get on the plane; for digital systems, this ensures data is viewed and used by the right people.
Authentication does not just apply to verifying human users. Computer systems also need to check servers, software, APIs, and other computers to be sure they are who they "say" they are.
Authentication is an important part of identity and access management (IAM), which dictates who can view data and what they can do with it. But it applies to many other areas of security as well, including:
Because a computer cannot "recognize" a person or another computer the way a human can, the process of authentication relies on objective criteria that a computer can measure. One type of objective criteria involves checking for some quality that the person or computer in question is known to have. Another involves the use of a technology called public key cryptography to prove identity.
This type of authentication involves checking a measurable characteristic of identity against a corresponding digital record. The characteristics that an authentication system will check are called "factors." Three common authentication factors are widely used today:
1. Something the person knows
This authentication factor checks a piece of secret knowledge that only the real person should have. A username-and-password combination is the classic example of this factor. Security questions and PIN codes also are examples.
2. Something the person has
This authentication factor checks if the person possesses a physical item they were issued or are known to have. Many people use this authentication factor every day: they live in a house or an apartment that they can unlock with a metal key. Possession of this key, therefore, proves they are authorized to enter the premises, and enables them to do so.
In digital systems, this authentication factor does not rely on an old-fashioned lock and key. But it uses a similar principle by checking for a physical token. There are two types of tokens: soft tokens and hard tokens.
Soft tokens: A soft token involves verifying possession of a device, like a smartphone, by sending a code to that device and asking the user to enter it. The code may be sent as a text message or through an app that generates random codes.
Hard tokens: A hard token is a small physical item that connects to a computer or mobile device via Bluetooth, a USB port, or some other port. Users must plug this token into their device to verify their identity.
Some security experts consider hard tokens more secure than soft tokens. An attacker could remotely intercept a code on its way to a user's phone and use that code to impersonate the user. But it is much harder to steal a hard token: the attacker needs to physically access the token in order to do so.
3. Something the person is
This authentication factor assesses a person's inherent qualities. In real life, people do this all the time — two friends may recognize each other by their appearance or manner of speaking, for instance. A computer could do the same by scanning a person's face or retina, verifying their thumbprint, measuring the frequencies of their voice, or checking the results of a blood test (although this last one is more rare).
Additional authentication factors
Some members of the security industry have proposed or used additional authentication factors besides the three main ones listed above. Two of these additional factors are location (where a user is) and time (when they are accessing the system).
In addition to using the authentication factors described above, known and trusted entities can also be issued digital certificates. A digital certificate is a small digital file that contains information for verifying identity, just as an ID card contains information that verifies a person's identity in real life.
Digital certificates receive a digital signature to prove their authenticity from the authority that issues them, like how a passport, ID card, or piece of paper currency may have a watermark proving it is not counterfeit.
A digital certificate also contains a string of random values called a public key. The public key corresponds to a private key that is stored separately. The entity that has the certificate can digitally sign data with these keys to prove that it possesses the private key and is therefore authentic.
Currently, digital certificates are not often used to verify the identity of individual people. But most people rely on digital certificates every day without realizing it.
Whenever someone loads a website that uses HTTPS, the secure version of HTTP, the TLS protocol uses the website's digital certificate (called an SSL certificate or TLS certificate) to authenticate the website. DKIM, which authenticates email senders, is another example of a technology that uses this method instead of checking authentication factors. DKIM helps email providers sort and block spam emails.
Multi-factor authentication (MFA) is the process of verifying a person’s identity by checking two or more authentication factors, rather than just one. MFA is a stronger type of authentication than single-factor authentication, because it is much harder to fake two of these factors than it is to fake one of them.
An attacker might be able to steal Bob's username and password (perhaps through a phishing attack). But if Bob has to scan his face as well, the attacker will not be able to fake Bob's identity, since their face does not look like Bob's face. Or, if Bob has to plug a hard token into his computer in addition to entering his password, the attacker would have to steal this token as well. While possible, such a theft is much more difficult, making account takeover less likely.
For true MFA, separate factors have to be checked. Assessing multiple instances of one factor is not MFA. For instance, if an application has a user enter a password and answer security questions to authenticate, this is still single-factor authentication. Password entry and security questions both assess the "something you know" factor.
Because of the increased security it offers, MFA is a core principle of Zero Trust security, a security model that requires identity verification for every user and device that accesses a private network.
Two-factor authentication (2FA) is what MFA is called when exactly two factors are used. The most common type of two-factor authentication is "something you know" + "something you have." For instance, in addition to entering their passwords, many people have codes sent to their phones before they can access their bank accounts (an example of the "soft token" version of this factor).
Today, many businesses are employing 2FA in order to reduce the impact of phishing attacks. For example, Google was able to eliminate account takeover attacks by using 2FA with hard tokens for authentication.
While authentication is concerned with verifying identity, authorization is concerned with permissions, or what someone is allowed to do once they gain access to a protected system or resource.
Suppose Bob works in his company's marketing department. Bob enters his password, scans his face, and inserts his hard token to log in to his company's network. At this point, authentication is complete.
After logging in, Bob does not have access to every data file in the company's possession. Authorization determines what Bob can and cannot see. As a marketer, he is authorized to see some data, like a list of potential customers to whom the company will send marketing messages, but not other data, like the company's main codebase or its list of employee salaries.
See our article on authentication vs. authorization to learn more.
Modern corporate employees have to authenticate to many different cloud-based applications. This forces those employees to establish many sets of authentication factors — one set for each application — and creates potential security concerns:
Single sign-on (SSO) is a service that enables users to authenticate only once. Users sign in to the SSO service, which then passes on this authentication to every application by sending a digital authentication message to each application as needed.
SSO also gives IT teams a single point at which to enforce security policies. Not all applications support 2FA, but if the SSO service supports it, then 2FA can be used anyway. IT teams can also enforce requirements for password length and complexity via an SSO service, putting less of a burden on users to remember multiple passwords.
SSO authentication messages use a protocol called Security Assertion Markup Language (SAML). SAML is a standardized method for telling external applications that a user is who they say they are.
A message authenticating a user is called a SAML "assertion." Once an application receives a SAML assertion for a user, it does not need to authenticate the user on its own, because it knows the SSO service has already done this.
OpenID Connect (OIDC) is another authentication protocol that is growing in use by SSO providers. OIDC functions similarly to SAML, but it formats data differently, among other distinctions; while SAML formats data via XML, OIDC uses JSON.
Cloudflare offers a Zero Trust platform that works with all major SSO providers. Once users authenticate to their SSO service, Cloudflare enforces consistent access controls across cloud and on-premise applications. To learn more about this platform, which includes browser isolation, a secure web gateway, DNS filtering, and other Zero Trust features, see the product page.