What is authentication?

Consider a common authentication scenario: supplying a user ID and password to log in to an email account. When the user enters their user ID (which is likely their email address in this situation) they’re telling the email system, “This is who I am.”

But that isn’t enough to verify the end user’s identity. Anyone can enter whatever user ID they want, especially when a user’s ID is something public like an email address. To prove that they truly are the person who owns that email address, the user enters their password, a secret piece of knowledge that (theoretically) no one else should have. The email system then identifies this user is the real account holder and lets them in.

Authentication processes can also confirm the identities of nonhuman users such as servers, web applications and other machines and workloads.

Authentication is a fundamental component of information security strategy. It is particularly important to identity and access management (IAM), the cybersecurity discipline that deals with how users access digital resources. Authentication enables organizations to limit network access to legitimate users, and it is the first step in enforcing individual user permissions.

Today, user identities are prime targets for threat actors. According to the IBM® X-Force® Threat Intelligence Index, hijacking valid user accounts is one of the most common ways that attackers break into networks, accounting for 30% of cyberattacks. Hackers steal credentials and then pose as legitimate users, allowing them to sneak past network defenses to plant malware and steal data.

To combat these identity-based attacks, many organizations are moving away from purely password-based authentication methods. Instead, they’re adopting multifactor authentication, adaptive authentication and other strong authentication systems where user credentials are harder to steal or fake.

Authentication and authorization are related but distinct processes. Authentication verifies a user’s identity, while authorization grants that verified user the appropriate level of access to a resource.

One can think of authentication and authorization as answering two complementary questions:

• Authentication: Who are you?
  
  
• Authorization: What are you allowed to do in this system?

Authentication is typically a prerequisite for authorization. For example, when a network administrator logs in to a secure system, they must prove they are an admin by supplying the right authentication factors. Only then will the IAM system authorize the user to perform administrative actions such as adding and removing other users.

At a high level, authentication is based on the exchange of user credentials, also called authentication factors. A user gives their credentials to the authentication system. If they match what the system has on file, the system authenticates the user.

To dig a bit deeper, one can break the authentication process into a series of steps:

1. First, a new user must create an account within an authentication system. As part of creating this account, the user registers a set of authentication factors, which can range from simple passwords to physical security tokens and fingerprint scans. (For more information, see “Authentication factors.”)
   
   These factors should be things that only the user has or knows. That way, the authentication system can be reasonably sure that if someone can supply these factors, they must be the user.
   
   
2. The authentication system stores the user’s credentials in a directory or database, where they are associated with the user’s ID and other important attributes.
   
   For security purposes, authentication systems don’t usually store credentials as plain text. Instead, they store hashed or encrypted versions, which would be less useful to any hackers who stole them.
   
   
3. When the user wants to log in to the system, they provide their user ID and their registered authentication factors. The authentication system checks the directory entry for this user ID to see whether their credentials match the credentials saved in the directory. If they do, the authentication system verifies the user’s identity.
   
   What the verified user can do next depends on the separate, but related, authorization process.

While this example assumes a human user, authentication is generally the same for nonhuman users. For example, when a developer connects an app to an application programming interface (API) for the first time, the API might generate an API key. The key is a secret value that only the API and the app know. From then on, whenever the app makes a call to that API, it must show its key to prove the call is genuine.

There are four types of authentication factors that users can use to prove their identities:

Traditionally, each individual app, website or other resource would have its own IAM system to handle user authentication. With the rise of digital transformation and the proliferation of corporate and consumer apps, this fragmented system has become cumbersome and inconvenient.

Organizations struggle to track users and enforce consistent access policies throughout the network. Users adopt poor security habits, such as using simple passwords or reusing credentials across systems.

In response, many organizations are implementing more unified approaches to identity where a single system can authenticate users for a various apps and assets.

• Single sign-on (SSO) is an authentication scheme where users can log in once using a single set of credentials and access multiple applications inside a specific domain.

• Federated identity architecture is a broader authentication arrangement in which one system can authenticate users for another. Social logins—such as using a Google account to log in to a different website—are a common form of federated identity.

• Identity orchestration removes identity and authentication from individual systems, treating identity as a network layer in its own right. Identity orchestration solutions introduce an integration layer, called the identity fabric, that allows organizations to create custom authentication systems that can integrate any apps and assets.

Different authentication systems use different authentication schemes. Some of the most common types include:

• Single-factor authentication
• Multifactor authentication and two-factor authentication
• Adaptive authentication
• Passwordless authentication

In a single-factor authentication (SFA) process, users need to supply only one authentication factor to prove their identities. Most commonly, SFA systems rely on username and password combinations.

SFA is considered the least secure type of authentication because it means that hackers need to steal only one credential to take over a user’s account. The US Cybersecurity and Infrastructure Agency (CISA) officially discourages SFA as a “bad practice.”

Multifactor authentication (MFA) methods require at least two factors of at least two different types. MFA is considered stronger than SFA because hackers must steal multiple credentials to take over user accounts. MFA systems also tend to use credentials that are much harder to steal than passwords.

Two-factor authentication (2FA) is a type of MFA that uses exactly two authentication factors. It is probably the most common form of MFA in use today. For example, when a website requires users to enter both a password and a code that is texted to their phone, that is a 2FA scheme in action.

Sometimes called risk-based authentication, adaptive authentication systems use artificial intelligence (AI) and machine learning (ML) to analyze user behavior and calculate risk level. Adaptive authentication systems dynamically change authentication requirements based on how risky a user’s behavior is at the moment.

For example, if someone logs in to an account from their usual device and location, they might need to enter only their password. If that same user logs in from a new device or tries to access sensitive data, the adaptive authentication system might ask for more factors before allowing them to proceed.

Passwordless authentication is an authentication system that doesn’t use passwords or other knowledge factors. For example, the Fast Identity Online 2 (FIDO2) authentication standard replaces passwords with passkeys based on public key cryptography.

Under FIDO2, a user registers their device to act as an authenticator with an app, website or other service. During registration, a public-private key pair is created. The public key is shared with the service and the private key is kept on the user’s device.

When the user wants to log in to the service, the service sends a challenge to their device. The user responds by entering a PIN code, scanning their fingerprint or performing some other action. This action enables the device to use the private key to sign the challenge and prove the user’s identity.

Organizations are increasingly adopting passwordless authentication to defend against credential thieves, who tend to focus on knowledge factors because of how comparatively easy they are to steal.

• Security assertion markup language (SAML) is an open standard that allows apps and services to share user authentication information through XML messages. Many SSO systems use SAML assertions to authenticate users to integrated apps.
  
  
• OAuth and OpenID Connect (OIDC): OAuth is a token-based authorization protocol that allows users to grant one app access to data in another app without sharing credentials between those apps. For example, when a user lets a social media site import their email contacts, this process often uses OAuth.
  
  OAuth is not an authentication protocol, but it can be combined with OpenID Connect (OIDC), an identity layer built on top of the OAuth protocol. ODIC adds ID tokens alongside OAuth’s authorization tokens. These ID tokens can authenticate a user and contain information about their attributes.
  
  
• Kerberos is a ticket-based authentication scheme commonly used in Microsoft Active Directory domains. Users and services authenticate to a central key distribution center, which grants them tickets that allow them to authenticate to one another and access other resources in the same domain.

As cybersecurity controls grow more effective, threat actors are learning to go around them instead of tackling them head-on. Strong authentication processes can help stop identity-based cyberattacks in which hackers steal user accounts and abuse their valid privileges to sneak past network defenses and wreak havoc.

Identity-based attacks are one of the two most common initial attack vectors according to the X-Force Threat Intelligence Index, and threat actors have many tactics for stealing credentials. User passwords, even strong passwords, are easy to crack through brute-force attacks where hackers use bots and scripts to systematically test possible passwords until one works.

Threat actors can use social engineering tactics to trick targets into giving up their passwords. They can try more direct methods, such as man-in-the-middle attacks or planting spyware on victims’ devices. Attackers can even buy credentials on the dark web, where other hackers sell account data that they stole during previous breaches.

Yet many organizations still use ineffective authentication systems. According to the X-Force Threat Intelligence Index, identification and authentication failures are the second most commonly observed web application security risks.

Strong authentication processes can help protect user accounts—and the systems that they can access—by making it hard for hackers to steal credentials and pose as legitimate users.

For example, multifactor authentication (MFA) makes it so that hackers must steal multiple authentication factors, including physical devices or even biometric data, to impersonate users. Similarly, adaptive authentication schemes can detect when users are engaging in risky behavior and pose additional authentication challenges before allowing them to proceed. This can help block attackers’ attempts to abuse stolen accounts.

By strengthening cybersecurity, authentication can help drive additional benefits, too. For example, an IBM Institute for Business Value study found that 66% of operations executives see cybersecurity as a revenue enabler.

Authentication systems can also serve specific use cases beyond securing individual user accounts, including:

• Access control: To enforce granular access policies and monitor what users do in their networks, organizations need some way of determining who is who within their systems. Authentication enables organizations to restrict network access to legitimate users only, ensure that each user has the right privileges and attribute activity to specific users.
  
  
• Regulatory compliance: Many data security and privacy regulations require strict access control policies and comprehensive user activity tracking. Some regulations, such as the Payment Card Industry Data Security Standard (PCI DSS), specifically mandate the use of MFA systems.¹
  
  
• AI security: As threat actors use AI tools to carry out sophisticated cyberattacks, strong authentication measures can help thwart even advanced threats. For example, scammers can use generative AI to craft convincing phishing messages and steal more passwords, but adaptive authentication systems can help catch these scammers when they try to misuse account privileges.