Authentication: Methods, Protocols, and Strategies

What is Authentication?

Authentication is the process of determining if the person or entity accessing a computing system really is who they claim to be. Authentication systems make a binary decision. They allow or deny access based on credentials or other proof provided by those requesting access. Authentication typically works together with authorization systems, which determine what type or level of access a user should have. 

Any computing system can and should have authentication—hardware appliances, networks, servers, individual workstations, mobile devices, and internet of things (IoT) devices. In reality, many devices and computing systems have weak or ineffective authentication, or authentication is not properly configured by administrators, resulting in severe security risks. 

Authentication has critical importance in today’s complex, highly connected digital environment, for three reasons:

1. Convenience—as individuals access more applications and services on their own devices, on corporate networks, and in the cloud, they require convenient and efficient authentication methods. Password-based authentication is impractical for users, can be easily compromised by attackers, and is quickly becoming a thing of the past.

2. Third party integrations—the API economy and microservices architectures have led to an explosion in the number of software systems connecting to each other, within and in between organizations. Secure authentication mechanisms are necessary to enable easy development, prevent accidental data exposure, and protect against cyber attacks.

3. Credential theft and account takeover—a vast majority of cyber attacks use social engineering techniques to take over trusted accounts. Robust authentication, both for external and internal communications, is critical to prevent modern cyber threats. The Zero Trust security paradigm, adopted by the US government and security giants like Google, Microsoft, and AWS, has secure authentication at its core. 

This is part of an extensive series of guides about access management.

In this article:

Why is Authentication Important in Cybersecurity?

Authentication enables organizations to ensure that only authorized processes and users can access protected IT resources, such as computer systems, databases, networks, websites, and various web-based services and applications.

Once authenticated, a process or user encounters an authorization process determining whether the entity can access a specific protected resource. If the user is authenticated but is not allowed access to a certain resource, the mechanism does not allow access to the resource.

How Does Authentication Work?

In a traditional authentication process, the user types in their credentials, such as a username and a password. The authentication system queries a user directory, which is either stored in the local operating system or on an authentication server. If the credentials match, the user is allowed to access the system.  In the second stage, permissions assigned to users determine what objects or operations they are allowed to access, and other access rights, such as allowed access times and rate limits.

Traditional Authentication with Username and Password

The traditional authentication process created several challenges:

  • Traditionally, each IT system or application would handle its own authentication. This created a burden on application developers and meant that authentication systems were non-standard, in many cases not secure.
  • Applications are increasingly delivered over the web. Today most applications communicate via HTTP and HTTP/S. These are stateless protocols, meaning that in a traditional authentication model, users would have to login to a web application every time they accessed it.
  • Password-based authentication is very easily compromised by attackers, and is also inconvenient to users. 

New Authentication Methods

The following innovations help address these challenges:

  • Standardized authentication protocols such as OIDC and SAML make it possible for application developers to use a standardized, secure authentication mechanism, without having to develop one themselves.
  • Token-based authentication enables users to verify their identity once via an authentication service. The service then issues a signed authentication token to the application, allowing them to sign in without providing credentials again, until the token expires. 
  • Multi-factor authentication supplements password-based authentication with additional, stronger authentication methods, such as biometric authentication, physical tokens, and one-time passwords sent to mobile devices. 

What are Authentication Factors?

An authentication factor is a certain proof that verifies a user’s identity. Here are the three categories of authentication factors:

Knowledge Factor

A knowledge factor is a category of credentials that users are expected to know. Common knowledge factors include usernames, passwords, personal identification numbers (PINs), and answers to security questions. 

Once a user logs in to an application, the security system asks them to provide their credentials – typically a username and a corresponding password. However, since passwords consist of a sequence of numbers, special characters, and letters, threat actors can easily crack, guess, or steal them. You can mitigate this by adding multifactor authentication (MFA).

Possession Factor

This factor requires users to provide evidence of possessing physical items, such as SIM cards, smart cards, mobile phones, FIDO2 security keys, and hardware OTP tokens. By checking whether the user has a certain piece of hardware, organizations can make it much more difficult to breach. 

A threat actor can bypass this by conducting a swapping attack and gaining remote access to or stealing a certain piece of hardware. However, bypassing possession factors is much more difficult than launching a brute force attack.

Inherence Factor

Inherence is considered the strongest authentication factor because it asks users to confirm their identity by presenting evidence inherent to unique features. Common inherence factor examples include biometrics like fingerprint scans, retina pattern scans, and facial recognition. 

Authentication vs. Authorization: What’s the Difference?

Authentication is the gatekeeper that decides who gains access to an organization’s resources, including critical systems like databases, networks, business apps, and web applications. Once users are authenticated, they undergo authorization to determine which resources or specific functions they can access, based on the system’s role or permission structure. 

The difference between authentication and authorization can be summarized as follows:

  • Authentication is responsible for verifying the identity of a user, process, or device
  • Authorization is responsible for identifying if an authenticated entity has permission to access certain resources, or perform certain operations

Access control refers to the complete process of granting access to users, including both authentication and authorization.

Related: Authentication vs Authorization

Types of Authentication

Here are the primary types of authentication used to authenticate users and service connections.

  • Token authentication – a commonly-used authentication protocol that allows users to authenticate themselves once and receive a token verifying their identity. As long as the token is valid, the user can access the website or application without signing in again. 

Related: Token Based Authentication

  • Password authentication – this requires users to memorize their credentials—typically a username and password in the form of letters, numbers, or special characters. The combination of username and password verifies the user’s identity. The more complex the password and the more frequently it is renewed, the more secure the account.
  • Biometric authentication – identifies individuals based on their unique biological characteristics. It stores data about an individual—for example, their fingerprint or the shape of their iris—and then compares a real-time reading with this stored data. Biometric authentication is convenient for users and is inherently secure. 
  • Certificate-based authentication – uses a digital certificate to identify a user before accessing a resource. Digital certificates are impossible to forge without possessing the private key. It can be used to authenticate a user, device, or service account. Most certificate-based authentication solutions come with a cloud-based management system.
  • Multi-factor authentication (MFA) – a combination of two or more authentication factors. These can include any of the above types. Combining several factors significantly improves security and makes it much more difficult for attackers to compromise accounts.
  • Passwordless authentication – allows a user to access an app or IT system without entering a password or answering security questions. Instead, users provide other forms of proof such as fingerprints, proximity badges, or codes generated by hardware tokens. This authentication is often combined with MFA and single sign-on (SSO).

Related: Passwordless Authentication

Single Sign On (SSO)

SSO allows users to securely verify their identity in multiple user accounts using one set of credentials. For example, a user can log in via Google, Apple, Facebook, or another provider, and grant permission to use their credentials to log into a third party application. SSO is based on certificates or tokens exchanged between service providers and identity providers.

The identity provider uses a token to send identity information to the service provider, verifying that it has successfully authenticated the user. The service provider then grants access to the user. 

Authentication Protocols

An authentication protocol is a set of rules that allow a system to verify the identity of an endpoint (laptop, desktop, phone, server, etc.) or a user. Here are a few common authentication protocols.

Password Authentication Protocol (PAP)

PAP is the least secure protocol for authenticating users, primarily because it is not encrypted. This is a login process that requires a username/password combination to access the specified system, and verifies the provided credentials against a user directory.

Challenge Handshake Authentication Protocol (CHAP)

CHAP is an authentication protocol that uses a three-way exchange to authenticate users, verifying their identity with strong encryption. This works as follows:

1. The local device sends a “challenge” to the remote host

2. The remote host sends a response using a cryptographic hash function

3. The local device checks if the hash value of the response matches the expected response, and if so, establishes an authenticated connection (“handshake”). Otherwise, it closes the connection. 

CHAP is more secure than PAP, because PAP only performs authentication when the user is first authenticated, while CHAP verified authentication on an ongoing basis.

OpenID Connect (OIDC)

OIDC leverages the authentication and authorization mechanisms of OAuth 2.0, commonly applied by numerous identity providers. It was created by the OpenID Foundation (OIDF), a non-profit dedicated to OpenID technology. 

Here is the key difference between OIDC and OAuth 2.0:

  • OAuth 2.0 is an authorization protocol
  • OIDC is an identity authentication protocol

OIDC helps a client service verify the identity of end-users. It can also share (on request) user claims such as name and email address.

OIDC works with various clients, including single-page applications (SPA) and mobile applications. Here are key benefits of OIDC:

  • You can use OIDC for single sign-on (SSO) across several applications.
  • OIDC uses JSON Web Tokens (JWT), and HTTP flows to avoid sharing end-user credentials with client services.
  • The protocol comes with built-in consent, requiring explicit consent from users before sharing their data.
  • OIDC is simple to implement and is ideal for use in mobile applications.

Related: OIDC Authentication

Lightweight Directory Access Protocol (LDAP)

LDAP is a software protocol that enables users or applications to locate data about organizations, individuals and other resources, such as files and devices in a network. It can be used for resources on the public Internet or a corporate Intranet. The LDAP directory tells the user where in the network something is located. For example, it is possible to search for a specific user or a service available on the network. LDAP returns the hostname, and then the user can use DNS to obtain the IP and connect to it.

Security Assertion Markup Language (SAML)

SAML is an open standard that allows application developers to implement single sign on (SSO) and federated identity. It provides a standardized and secure protocol, based on XML, that allows applications to transfer authentication and authorization data between them. SAML can be used to implement SSO among multiple applications, which can be deployed within an enterprise network, operated by third-party vendors, or running within customer networks. All these applications can request and receive a user’s identity, authentication, and authorization levels. 

Related: OIDC vs SAML

Extensible Authentication Protocol (EAP)

The protocol supports different types of authentication, from one-time passwords to smart cards. When used for wireless communications, EAP is highly secure because it allows remote devices to perform mutual authentication using built-in encryption. In the EASP protocol, all transmissions are encrypted—this is achieved by connecting the user to an access point, requesting credentials, verifying their identity through an authentication server, and then requesting a user ID through the server to verify again.

JSON Web Token (JWT)

JWT is an encoded version of a “claim”, a secure transfer of information between two parties. A claim can be used to:

  • Assert that a specific party issued the token and it is authentic
  • Determine how long the token is valid
  • Provide information about permissions granted to the user
  • Provide general information about the user which can be used by the application

JWTs use a digital certificate to prove who issued the claim. Technically, a JSON Web Token includes three parts: a header, specifying the algorithm used in the certificate, a payload, which contains the information included in the claim, and the digital signature.

Related: JWT Authentication

API Authentication Methods

Application Programming Interfaces (APIs) are increasingly used to extend application functionality, enable integration between software components, and access remote data services. API authentication does not involve a human user. Instead, it verifies that a service account making programmatic calls is allowed to access the system. 

Basic HTTP Authentication

With this method, the user agent provides a username and password to prove its identity. This method utilizes the HTTP headers themselves and requires no cookies, session IDs or login pages. It is easy to use, but is vulnerable to attacks that can intercept user credentials in transit.

API Keys

An API key is an identifier that indicates who is making a web service request (or other API request). A key is generated when new users register for the API. The API key is associated with a security token, which the user agent sends with every future request. When a user agent attempts to re-enter the system, it provides a unique key to prove that it is the same user as before. 

Although this API authentication method is very fast and reliable, it is often misused. More importantly, you should realize that API keys are not an authorization method, and without setting up authorization, all users will have access to all API functionality.

OAuth 2.0

Open Authorization is an open standard authorization protocol based on tokenization. It is commonly used across the Internet to enable third-party services like Google and Twitter to share end-user account information without exposing user credentials to the third party.  OAuth serves as an intermediary acting on behalf of end-users. It provides third-party services with an access token authorizing the sharing of specific account information, eliminating the need to share passwords. This process of obtaining an access token is called “authorization flow”.

OAuth 2.0 offers the same benefits, but it is a new protocol that does not offer compatibility with OAuth 1.0. Notable OAuth 2.0 improvements include:

  • Simplified signatures 
  • A new authorization code flow that accommodates mobile applications 
  • Short-lived tokens that support long-lived authorizations

Related: OAuth Grant Types

Authentication Strategies in a Microservices Architecture

Most development teams are transitioning from a monolithic application architecture to a microservices architecture. A microservices application is decomposed into multiple, independent components, each of which does one thing well. These microservices communicate with each other using APIs, and are easy to maintain and update. In a microservices architecture, there are several important concerns with regard to authentication:

  • Do clients communicate with microservices directly?
  • Who is responsible for authenticating requests?
  • How to share data, such as user directories, across microservices?

Here are three possible approaches and their pros and cons.

1. Authentication Performed Separately By Each Microservice

One approach is to have each microservice implement authentication separately. This is quite problematic, because it requires duplication of the authentication code on each microservice. It also requires duplicating user authentication data between all microservices, or forcing specific clients to connect to specific microservices, which creates strong coupling. 

A better way to implement this approach is to have a central authentication database, such as a user directory, which all microservices can query. This reduces duplication and coupling, but still requires each microservice to implement authentication.

2. Backend Authentication Service

In this approach, the application includes a dedicated microservice that performs authentication. This microservice is deployed behind the scenes, and when a microservice receives an authentication request, it forwards it to the authentication microservice to verify the user’s identity.

One downside of this approach is that it slows down processing requests, because each request needs to travel to the authentication service and back. Another downside is that authorization is determined by business logic. There may be separate authentication policies for each microservice, and these need to be stored in the authentication service, again creating strong coupling.

3. API Gateway

The most mature and effective approach is to use an API gateway—this is a service deployed in front of the microservices application, which serves as a single endpoint for all user requests. Users send requests to the API gateway without being aware of the underlying microservices. The API gateway handles authentication, and forwards the request to the relevant microservice. 

This addresses most of the issues in the first two approaches. It eliminates coupling, and reduces the latency of authentication requests. To solve the problem of authorization business logic, the API gateway can forward a request together with details about the user and their security context, and each microservice can use this information to form its own authorization decision.

Related: Authentication in Microservices

Authentication for SaaS with Frontegg

Frontegg’s solution acts as a flexible authentication-as-a-service for all kinds of SaaS use-cases and requirements. For starters, it offers powerful user-based authentication, including powerful protocols such as OAuth, Open ID connect, SAML, and WebAuth. You can also enjoy granular security policies such as MFA, user lockouts, device verification and much more. 

Start for free

See Additional Guides on Key Access Management Topics

Together with our content partners, we have authored in-depth guides on several other topics that can also be useful as you explore the world of access management.