Authentication: Methods, Protocols, and Strategies


Authentication is the process of determining if the person or entity accessing a computing system really is who they claim to be. Authentication systems make a binary decision. They allow or deny access based on credentials or other proof provided by those requesting access. Authentication typically works together with authorization systems, which determine what type or level of access a user should have. 

Any computing system can and should have authentication—hardware appliances, networks, servers, individual workstations, mobile devices, and internet of things (IoT) devices. In reality, many devices and computing systems have weak or ineffective authentication, or authentication is not properly configured by administrators, resulting in severe security risks. 

Authentication has critical importance in today’s complex, highly connected digital environment, for three reasons:

  1. Convenience—as individuals access more applications and services on their own devices, on corporate networks, and in the cloud, they require convenient and efficient authentication methods. Password-based authentication is impractical for users, can be easily compromised by attackers, and is quickly becoming a thing of the past.
  2. Third party integrations—the API economy and microservices architectures have led to an explosion in the number of software systems connecting to each other, within and in between organizations. Secure authentication mechanisms are necessary to enable easy development, prevent accidental data exposure, and protect against cyber attacks.
  3. Credential theft and account takeover—a vast majority of cyber attacks use social engineering techniques to take over trusted accounts. Robust authentication, both for external and internal communications, is critical to prevent modern cyber threats. The Zero Trust security paradigm, adopted by the US government and security giants like Google, Microsoft, and AWS, has secure authentication at its core. 

Related: Authentication Security

Authentication vs. Authorization: What’s the Difference?

Authentication is the gatekeeper that decides who gains access to an organization’s resources, including critical systems like databases, networks, business apps, and web applications. Once users are authenticated, they undergo authorization to determine which resources or specific functions they can access, based on the system’s role or permission structure. 

The difference between authentication and authorization can be summarized as follows:

  • Authentication is responsible for verifying the identity of a user, process, or device
  • Authorization is responsible for identifying if an authenticated entity has permission to access certain resources, or perform certain operations

Access control refers to the complete process of granting access to users, including both authentication and authorization.

Related: Authentication vs Authorization

How Does Authentication Work?

In a traditional authentication process, the user types in their credentials, such as a username and a password. The authentication system queries a user directory, which is either stored in the local operating system or on an authentication server. If the credentials match, the user is allowed to access the system.  In the second stage, permissions assigned to users determine what objects or operations they are allowed to access, and other access rights, such as allowed access times and rate limits.

The traditional authentication process created several challenges:

  • Traditionally, each IT system or application would handle its own authentication. This created a burden on application developers and meant that authentication systems were non-standard, in many cases not secure.
  • Applications are increasingly delivered over the web. Today most applications communicate via HTTP and HTTP/S. These are stateless protocols, meaning that in a traditional authentication model, users would have to login to a web application every time they accessed it.
  • Password-based authentication is very easily compromised by attackers, and is also inconvenient to users. 

The following innovations help address these challenges:

  • Standardized authentication protocols such as OIDC and SAML make it possible for application developers to use a standardized, secure authentication mechanism, without having to develop one themselves.
  • Token-based authentication enables users to verify their identity once via an authentication service. The service then issues a signed authentication token to the application, allowing them to sign in without providing credentials again, until the token expires. 
Modern Token Authentication
  • Multi-factor authentication supplements password-based authentication with additional, stronger authentication methods, such as biometric authentication, physical tokens, and one-time passwords sent to mobile devices. 
Multi Factor Authentication

Types of Authentication Methods

Here are the primary types of authentication used to authenticate users and service connections.

Token Authentication

This is a commonly-used authentication protocol that allows users to authenticate themselves once and receive a token verifying their identity. As long as the token is valid, the user can access the website or application without signing in again. Token authentication simplifies the process for users who need to access the same application, web page, or resource multiple times.

Related: Token Based Authentication

Password Authentication

This  requires users to memorize their credentials—typically a username and password in the form of letters, numbers, or special characters. The combination of username and password verifies the user’s identity.  In a password-based authentication system, the more complex the password, the most frequently it is renewed, and the more users protect their passwords and avoid reusing them or sharing them with others, the more secure the account.

Biometric Authentication

Biometric technologies identify individuals based on their unique biological characteristics. It stores data about an individual—for example, their fingerprint or the shape of their iris—and then compares a real-time reading with this stored data. Biometric authentication is convenient for users and is inherently secure because it is based on something the user has, rather than something they know or own. 

Certificate-based Authentication

This form of authentication uses a digital certificate to identify a user before accessing a resource. Digital certificates leverage public key cryptography, and are impossible to forge without possessing the private key. It can be used to authenticate a user, device, or service account. Most certificate-based authentication solutions come with a cloud-based management system, allowing administrators to manage, monitor, and issue new certificates to users.

Multi-Factor Authentication (MFA)

MFA is a combination of two or more authentication methods, known as factors. These can include any of the above types—token, password, biometric, or certificate-based authentication. Combining several factors significantly improves security and makes it much more difficult for attackers to compromise accounts. MFA is a key component of a strong identity and access management (IAM) strategy, and plays a central role in the zero trust security model. 

Passwordless Authentication

Passwordless authentication allows a user to access an app or IT system without entering a password or answering security questions. Instead, users provide other forms of proof such as fingerprints, proximity badges, or codes generated by hardware tokens. This authentication is often combined with MFA and single sign-on (SSO). It provides a positive user experience and reduces IT management overhead, while improving security.

Related: Passwordless Authentication

Single Sign On (SSO)

SSO allows users to securely verify their identity in multiple user accounts using one set of credentials. For example, a user can log in via Google, Apple, Facebook, or another provider, and grant permission to use their credentials to log into a third party application. SSO is based on certificates or tokens exchanged between service providers and identity providers.

The identity provider uses a token to send identity information to the service provider, verifying that it has successfully authenticated the user. The service provider then grants access to the user. 

Authentication Protocols

An authentication protocol is a set of rules that allow a system to verify the identity of an endpoint (laptop, desktop, phone, server, etc.) or a user. Here are a few common authentication protocols.

Password Authentication Protocol (PAP)

PAP is the least secure protocol for authenticating users, primarily because it is not encrypted. This is a login process that requires a username/password combination to access the specified system, and verifies the provided credentials against a user directory.

Challenge Handshake Authentication Protocol (CHAP)

CHAP is an authentication protocol that uses a three-way exchange to authenticate users, verifying their identity with strong encryption. This works as follows:

  1. The local device sends a “challenge” to the remote host
  2. The remote host sends a response using a cryptographic hash function
  3. The local device checks if the hash value of the response matches the expected response, and if so, establishes an authenticated connection (“handshake”). Otherwise, it closes the connection. 

CHAP is more secure than PAP, because PAP only performs authentication when the user is first authenticated, while CHAP verified authenticaiton on a ongoing basis.

OpenID Connect (OIDC)

OIDC leverages the authentication and authorization mechanisms of OAuth 2.0, commonly applied by numerous identity providers. It was created by the OpenID Foundation (OIDF), a non-profit dedicated to OpenID technology. 

Here is the key difference between OIDC and OAuth 2.0:

  • OAuth 2.0 is an authorization protocol
  • OIDC is an identity authentication protocol

OIDC helps a client service verify the identity of end-users. It can also share (on request) user claims such as name and email address.

OIDC works with various clients, including single-page applications (SPA) and mobile applications. Here are key benefits of OIDC:

  • You can use OIDC for single sign-on (SSO) across several applications.
  • OIDC uses JSON Web Tokens (JWT), and HTTP flows to avoid sharing end-user credentials with client services.
  • The protocol comes with built-in consent, requiring explicit consent from users before sharing their data.
  • OIDC is simple to implement and is ideal for use in mobile applications.

Related: OIDC Authentication

Lightweight Directory Access Protocol (LDAP)

LDAP is a software protocol that enables users or applications to locate data about organizations, individuals and other resources, such as files and devices in a network. It can be used for resources on the public Internet or a corporate Intranet. The LDAP directory tells the user where in the network something is located. For example, it is possible to search for a specific user or a service available on the network. LDAP returns the hostname, and then the user can use DNS to obtain the IP and connect to it.

Security Assertion Markup Language (SAML)

SAML is an open standard that allows application developers to implement single sign on (SSO) and federated identity. It provides a standardized and secure protocol, based on XML, that allows applications to transfer authentication and authorization data between them. SAML can be used to implement SSO among multiple applications, which can be deployed within an enterprise network, operated by third-party vendors, or running within customer networks. All these applications can request and receive a user’s identity, authentication, and authorization levels. 

Related: OIDC vs SAML

Extensible Authentication Protocol (EAP)

The protocol supports different types of authentication, from one-time passwords to smart cards. When used for wireless communications, EAP is highly secure because it allows remote devices to perform mutual authentication using built-in encryption. In the EASP protocol, all transmissions are encrypted—this is achieved by connecting the user to an access point, requesting credentials, verifying their identity through an authentication server, and then requesting a user ID through the server to verify again.

JSON Web Token (JWT)

JWT is an encoded version of a “claim”, a secure transfer of information between two parties. A claim can be used to:

  • Assert that a specific party issued the token and it is authentic
  • Determine how long the token is valid
  • Provide information about permissions granted to the user
  • Provide general information about the user which can be used by the application

JWTs use a digital certificate to prove who issued the claim. Technically, a JSON Web Token includes three parts: a header, specifying the algorithm used in the certificate, a payload, which contains the information included in the claim, and the digital signature.

Related: JWT Authentication

API Authentication Methods

Application Programming Interfaces (APIs) are increasingly used to extend application functionality, enable integration between software components, and access remote data services. API authentication does not involve a human user. Instead, it verifies that a service account making programmatic calls is allowed to access the system. 

Basic HTTP Authentication

With this method, the user agent provides a username and password to prove its identity. This method utilizes the HTTP headers themselves and requires no cookies, session IDs or login pages. It is easy to use, but is vulnerable to attacks that can intercept user credentials in transit.

API Keys

An API key is an identifier that indicates who is making a web service request (or other API request). A key is generated when new users register for the API. The API key is associated with a security token, which the user agent sends with every future request. When a user agent attempts to re-enter the system, it provides a unique key to prove that it is the same user as before. 

Although this API authentication method is very fast and reliable, it is often misused. More importantly, you should realize that API keys are not an authorization method, and without setting up authorization, all users will have access to all API functionality.

OAuth 2.0

Open Authorization is an open standard authorization protocol based on tokenization. It is commonly used across the Internet to enable third-party services like Google and Twitter to share end-user account information without exposing user credentials to the third party.  OAuth serves as an intermediary acting on behalf of end-users. It provides third-party services with an access token authorizing the sharing of specific account information, eliminating the need to share passwords. This process of obtaining an access token is called “authorization flow”.

OAuth 2.0 offers the same benefits, but it is a new protocol that does not offer compatibility with OAuth 1.0. Notable OAuth 2.0 improvements include:

  • Simplified signatures 
  • A new authorization code flow that accommodates mobile applications 
  • Short-lived tokens that support long-lived authorizations

Related: OAuth Grant Types

Authentication Strategies in a Microservices Architecture

Most development teams are transitioning from a monolithic application architecture to a microservices architecture. A microservices application is decomposed into multiple, independent components, each of which does one thing well. These microservices communicate with each other using APIs, and are easy to maintain and update. In a microservices architecture, there are several important concerns with regard to authentication:

  • Do clients communicate with microservices directly?
  • Who is responsible for authenticating requests?
  • How to share data, such as user directories, across microservices?

Here are three possible approaches and their pros and cons.

1. Authentication Performed Separately By Each Microservice

One approach is to have each microservice implement authentication separately. This is quite problematic, because it requires duplication of the authentication code on each microservice. It also requires duplicating user authentication data between all microservices, or forcing specific clients to connect to specific microservices, which creates strong coupling. 

A better way to implement this approach is to have a central authentication database, such as a user directory, which all microservices can query. This reduces duplication and coupling, but still requires each microservice to implement authentication.

2. Backend Authentication Service

In this approach, the application includes a dedicated microservice that performs authentication. This microservice is deployed behind the scenes, and when a microservice receives an authentication request, it forwards it to the authentication microservice to verify the user’s identity.

One downside of this approach is that it slows down processing requests, because each request needs to travel to the authentication service and back. Another downside is that authorization is determined by business logic. There may be separate authentication policies for each microservice, and these need to be stored in the authentication service, again creating strong coupling.

3. API Gateway

The most mature and effective approach is to use an API gateway—this is a service deployed in front of the microservices application, which serves as a single endpoint for all user requests. Users send requests to the API gateway without being aware of the underlying microservices. The API gateway handles authentication, and forwards the request to the relevant microservice. 

This addresses most of the issues in the first two approaches. It eliminates coupling, and reduces the latency of authentication requests. To solve the problem of authorization business logic, the API gateway can forward a request together with details about the user and their security context, and each microservice can use this information to form its own authorization decision.

Related: Authentication in Microservices

Authentication for SaaS with Frontegg

Frontegg’s solution acts as a flexible authentication-as-a-service for all kinds of SaaS use-cases and requirements. For starters, it offers powerful user-based authentication, including powerful protocols such as OAuth, Open ID connect, SAML, and WebAuth. You can also enjoy granular security policies such as MFA, user lockouts, device verification and much more.  

Notify of
Inline Feedbacks
View all comments
image description image description

Open a free account.