Authentication

What Is Authentication?

Authentication is the process of verifying the identity of a user, process, or device, typically as a prerequisite to granting access to resources in an information system. Distinct from authorization, which determines what an authenticated entity is permitted to do, authentication answers the prior question of who or what is making the request. The process can also extend to data: message authentication verifies that a piece of information originated from a claimed source and has not been altered in transit. Both identity authentication and data authentication are foundational to the security of networked systems.

The NIST Glossary of Information Security Terms defines authentication as the verification of a claimant's identity through one or more authentication factors: something the claimant knows, something the claimant possesses, or something the claimant is. Modern systems frequently combine two or more of these factors to raise the assurance level that the claimed identity is genuine. Authenticity, as a security property, is the assurance that a communication or credential is what it purports to be, and authentication is the mechanism by which that assurance is established.

Passwords and Credential-Based Authentication

Password-based authentication, in which a user presents a memorized secret to a verifier, remains the most widely deployed mechanism in consumer and enterprise systems. A password is verified by comparing it, or a cryptographic hash derived from it, against a stored reference value. The security of this approach depends on password complexity, storage protection, and transmission security. Storing passwords in plain text is a known vulnerability: attackers who gain database access can immediately reuse credentials. Properly implemented systems store salted cryptographic hashes using algorithms such as bcrypt or Argon2, which are designed to be computationally expensive and therefore resistant to brute-force attacks.
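The salted, memory-hard storage scheme described above, as an added example that is not code from the page. It uses hashlib.scrypt from the Python standard library as a stand-in for the bcrypt/Argon2 hashes named in the text (scrypt is likewise salted, tunable and memory-hard); the cost parameters and the `scrypt$N$r$p$salt$hash` record format are assumptions for illustration.

```python
import hashlib
import hmac
import os

# Assumed cost parameters for this illustration; production values are tuned
# to the deployment's hardware so that one verification costs tens of ms.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES = 16
KEY_LEN = 32


def hash_password(password: str, salt: bytes = None) -> str:
    """Derive a salted hash and return a self-describing record (constructed
    format): scrypt$N$r$p$salt_hex$hash_hex. The parameters travel with the
    record so they can be raised later without invalidating older entries."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt for every password
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and parameters and compare in
    constant time. A plaintext store would skip all of this and compare
    strings directly, which is the weakness the text describes."""
    try:
        algo, n, r, p, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False  # malformed record: never fall back to plain comparison
    if algo != "scrypt":
        return False
    expected = bytes.fromhex(digest_hex)
    actual = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=len(expected))
    # compare_digest does not stop at the first mismatching byte
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str, min_n: int = SCRYPT_N) -> bool:
    """True when a stored record was produced with a weaker work factor than
    current policy; such records are re-hashed at the next successful login."""
    parts = record.split("$")
    return len(parts) != 6 or parts[0] != "scrypt" or int(parts[1]) < min_n
```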

CAPTCHA mechanisms serve as a complementary control alongside the credential check, distinguishing human users from automated scripts by presenting tasks that are easy for humans and difficult for machine-generated requests. This defends against credential-stuffing attacks, in which large volumes of stolen username-password pairs are tested automatically against a login endpoint.

Multi-Factor Authentication

Multi-factor authentication (MFA) requires a claimant to present evidence from at least two distinct factor categories. A common configuration combines a memorized password with a time-based one-time password (TOTP) delivered through an authenticator application or a hardware token. FIDO2, a standard developed by the FIDO Alliance and standardized through the W3C Web Authentication API (WebAuthn), provides a phishing-resistant alternative in which a private cryptographic key stored on a physical device signs a server-generated challenge, eliminating the transmission of shared secrets entirely.

NIST Special Publication 800-63B defines three Authenticator Assurance Levels (AALs). AAL1 permits single-factor authentication with a broad range of authenticator types. AAL2 requires two distinct factors. AAL3 demands hardware-based cryptographic authentication with verifier impersonation resistance, typically implemented through security keys that bind to the specific origin they were registered against. Federal agencies and other high-assurance systems are required to meet AAL2 or AAL3 depending on the sensitivity of the resources being protected.

Biometric Authentication

Biometric authentication identifies individuals through measurable physical or behavioral characteristics, including fingerprint ridge patterns, iris textures, facial geometry, and voice characteristics. These factors fall into the "something the claimant is" category. Biometric sensors capture and digitize the characteristic, which is then compared against an enrolled template using a matching algorithm. Unlike passwords, biometric characteristics cannot be changed if compromised, making the security of the template storage system and the liveness detection mechanism critical design concerns.

Image processing and computer vision underpin many biometric systems: facial recognition pipelines use convolutional neural networks trained on large image datasets to extract and compare facial embeddings, while fingerprint matching relies on minutiae extraction algorithms. Blockchain-based identity systems have been explored as a means of giving individuals control over their authentication credentials without relying on a centralized credential store.

Applications

Authentication has applications in a range of fields, including:

  • Financial services and online banking, where regulatory requirements mandate strong customer authentication
  • Enterprise identity and access management systems using single sign-on and federated identity protocols
  • Internet of Things device provisioning, where device certificates authenticate hardware to cloud platforms
  • Blockchain networks, where cryptographic signatures authenticate transaction originators
  • Video surveillance and access control systems using biometric verification