The goal of identity and access management is to ensure the right people have the right access to the right resources -- and that unauthorized users can't get in. Authentication -- the process of determining users are who they claim to be -- is one of the first steps in securing data, networks and applications. Show Learn about six authentication types and the authentication protocols available to determine which best fit your organization's needs. Why is user authentication important?Requiring users to provide and prove their identity adds a layer of security between adversaries and sensitive data. With authentication, IT teams can employ least privilege access to limit what employees can see. The average employee, for example, doesn't need access to company financials, and accounts payable doesn't need to touch developer projects. When selecting an authentication type, companies must consider UX along with security. Some user authentication types are less secure than others, but too much friction during authentication can lead to poor employee practices. 6 user authentication typesAuthentication methods include something users know, something users have and something users are. Not every authentication type is created equal to protect the network, however; these authentication methods range from offering basic protection to stronger security. Using more than one method -- multifactor authentication (MFA) -- is recommended. 1. Password-based authenticationAlso known as knowledge-based authentication, password-based authentication relies on a username and password or PIN. The most common authentication method, anyone who has logged in to a computer knows how to use a password. Password-based authentication is the easiest authentication type for adversaries to abuse. People often reuse passwords and create guessable passwords with dictionary words and publicly available personal info. Further, employees need a password for every application and device they use, making them difficult to remember and leading employees to simplify passwords wherever possible. This leaves accounts vulnerable to phishing and brute-force attacks. Companies should create password policies restricting password reuse. Password policies can also require users to change passwords regularly and require password complexity. 2. Two-factor/multifactor authenticationTwo-factor authentication (2FA) requires users provide at least one additional authentication factor beyond a password. MFA requires two or more factors. Additional factors can be any of the user authentication types in this article or a one-time password sent to the user via text or email. Factors can include out-of-band authentication, which involves the second factor being on a different channel from the original device to mitigate man-in-the-middle attacks. This authentication type strengthens the security of accounts because attackers need more than just credentials for access. The strength of 2FA relies on the secondary factor. Attackers can easily breach text and email. Using biometrics or push notifications, which require something the user is or has, offers stronger 2FA. Be careful when deploying 2FA or MFA, however, as it can add friction to UX. 3. Biometric authenticationBiometrics uses something the user is. It relies less on an easily stolen secret to verify users own an account. Biometric identifiers are unique, making it more difficult to hack accounts using them. Common types of biometrics include the following:
Users may be familiar with biometrics, making it easier to deploy in an enterprise setting. Many consumer devices feature biometric authentication capabilities, including Windows Hello and Apple's Face ID and Touch ID. A biometric authentication experience is often smoother and quicker because it doesn't require a user to recall a secret or password. It's also harder for attackers to spoof. Technology remains biometrics' biggest drawback. Not every device handles biometrics the same way, if at all. Older devices may only use a saved static image that could be fooled with a picture. Newer software, such as Windows Hello, may require a device to have a camera with near-infrared imaging. This may require heavier upfront costs than other authentication types. Users also must be comfortable sharing their biometric data with companies, which can still be hacked. 4. Single sign-onSingle sign-on (SSO) enables an employee to use a single set of credentials to access multiple applications or websites. The user has an account with an identity provider (IdP) that is a trusted source for the application (service provider). The service provider doesn't save the password. The IdP tells the site or application via cookies or tokens that the user verified through it. SSO reduces how many credentials a user needs to remember, strengthening security. UX is also improved as users don't have to log in to each account each time they access it, provided they recently authenticated to the IdP. SSO can also help reduce a help desk's time assisting with password issues. This authentication method does mean that, if an IdP suffers a data breach, attackers could gain access to multiple accounts with a single set of credentials. SSO also requires an initial heavy time investment for IT to set up and connect to its various applications and websites. 5. Token-based authenticationToken authentication enables users to log in to accounts using a physical device, such as a smartphone, security key or smart card. It can be used as part of MFA or to provide a passwordless experience. With token-based authentication, users verify credentials once for a predetermined time period to reduce constant logins. Tokens make it difficult for attackers to gain access to user accounts. Attackers would need physical access to the token and the user's credentials to infiltrate the account. Employees must be trusted to keep track of their tokens, or they may be locked out of accounts. Because users are locked out if they forget or lose the token, companies must plan for a reenrollment process. 6. Certificate-based authenticationCertificate authentication uses digital certificates issued by a certificate authority and public key cryptography to verify user identity. The certificate stores identification information and the public key, while the user has the private key stored virtually. Certificate-based authentication uses SSO. IT can deploy, manage and revoke certificates. This authentication type works well for companies that employ contractors who need network access temporarily. Certificate-based authentication can be costly and time-consuming to deploy. IT must also create a reenrollment process in the event users can't access their keys -- for example, if they are stolen or the device is broken. Authentication method protocolsThe authentication process involves securely sending communication data between a remote client and a server. Popular authentication protocols include the following:
There is a growing demand for different types of user authentication technologies for both online and in physical systems. The motivation to authenticate users ranges from access control reasons to business development purposes like adding e-commerce elements. Organizations need to understand that passwords are not the only way to authenticate users. There is a wide variety of authentication technologies and an even greater range of activities that require authentication methods. What Is Authentication?Authentication is the process of identifying users that request access to a system, network, or device. Access control often determines user identity according to credentials like username and password. Other authentication technologies like biometrics and authentication apps are also used to authenticate user identity. Why Is User Authentication Important?User authentication is a method that keeps unauthorized users from accessing sensitive information. For example, User A only has access to relevant information and cannot see the sensitive information of User B. Cybercriminals can gain access to a system and steal information when user authentication is not secure. The data breaches companies like Adobe, Equifax, and Yahoo faced are examples of what happens when organizations fail to secure their user authentication. Hackers gained access to Yahoo user accounts to steal contacts, calendars and private emails between 2012 and 2016. The Equifax data breach in 2017 exposed credit card data of more than 147 million consumers. Without a secure authentication process, any organization could be at risk. 5 Common Authentication TypesCybercriminals always improve their attacks. As a result, security teams are facing plenty of authentication-related challenges. This is why companies are starting to implement more sophisticated incident response strategies, including authentication as part of the process. The list below reviews some common authentication methods used to secure modern systems. 1. Password-based authentication Passwords are the most common methods of authentication. Passwords can be in the form of a string of letters, numbers, or special characters. To protect yourself you need to create strong passwords that include a combination of all possible options. However, passwords are prone to phishing attacks and bad hygiene that weakens effectiveness. An average person has about 25 different online accounts, but only 54% of users use different passwords across their accounts. The truth is that there are a lot of passwords to remember. As a result, many people choose convenience over security. Most people use simple passwords instead of creating reliable passwords because they are easier to remember. The bottom line is that passwords have a lot of weaknesses and are not sufficient in protecting online information. Hackers can easily guess user credentials by running through all possible combinations until they find a match. 2. Multi-factor authentication Multi-Factor Authentication (MFA) is an authentication method that requires two or more independent ways to identify a user. Examples include codes generated from the user’s smartphone, Captcha tests, fingerprints, voice biometrics or facial recognition. MFA authentication methods and technologies increase the confidence of users by adding multiple layers of security. MFA may be a good defense against most account hacks, but it has its own pitfalls. People may lose their phones or SIM cards and not be able to generate an authentication code. 3. Certificate-based authentication Certificate-based authentication technologies identify users, machines or devices by using digital certificates. A digital certificate is an electronic document based on the idea of a driver’s license or a passport. The certificate contains the digital identity of a user including a public key, and the digital signature of a certification authority. Digital certificates prove the ownership of a public key and issued only by a certification authority. Users provide their digital certificates when they sign in to a server. The server verifies the credibility of the digital signature and the certificate authority. The server then uses cryptography to confirm that the user has a correct private key associated with the certificate. 4. Biometric authentication Biometrics authentication is a security process that relies on the unique biological characteristics of an individual. Here are key advantages of using biometric authentication technologies:
Biometric authentication technologies are used by consumers, governments and private corporations including airports, military bases, and national borders. The technology is increasingly adopted due to the ability to achieve a high level of security without creating friction for the user. Common biometric authentication methods include:
|