There are four different password-based methods of authentication; which one is preferred?

The goal of identity and access management is to ensure the right people have the right access to the right resources -- and that unauthorized users can't get in. Authentication -- the process of verifying that users are who they claim to be -- is one of the first steps in securing data, networks and applications.

Learn about six authentication types and the authentication protocols available to determine which best fit your organization's needs.

Why is user authentication important?

Requiring users to provide and prove their identity adds a layer of security between adversaries and sensitive data. With authentication, IT teams can employ least privilege access to limit what employees can see. The average employee, for example, doesn't need access to company financials, and accounts payable doesn't need to touch developer projects.

When selecting an authentication type, companies must consider UX along with security. Some user authentication types are less secure than others, but too much friction during authentication can lead to poor employee practices.

6 user authentication types

Authentication methods rely on something users know, something users have or something users are. Not every authentication type protects the network equally well, however; these methods range from basic protection to strong security. Using more than one method -- multifactor authentication (MFA) -- is recommended.

1. Password-based authentication

Also known as knowledge-based authentication, password-based authentication relies on a username and password or PIN. It is the most common authentication method; anyone who has logged in to a computer knows how to use a password.

Password-based authentication is the easiest authentication type for adversaries to abuse. People often reuse passwords and create guessable passwords with dictionary words and publicly available personal info. Further, employees need a password for every application and device they use, making them difficult to remember and leading employees to simplify passwords wherever possible. This leaves accounts vulnerable to phishing and brute-force attacks.

Companies should create password policies restricting password reuse. Password policies can also require users to change passwords regularly and require password complexity.

2. Two-factor/multifactor authentication

Two-factor authentication (2FA) requires that users provide at least one additional authentication factor beyond a password. MFA requires two or more factors. Additional factors can be any of the user authentication types in this article or a one-time password sent to the user via text or email. Factors can also be delivered out of band, meaning the second factor travels over a different channel from the original device, which helps mitigate man-in-the-middle attacks. This authentication type strengthens account security because attackers need more than just credentials for access.

The strength of 2FA depends on the secondary factor. Text messages and email are comparatively easy for attackers to compromise. Biometrics or push notifications, which require something the user is or has, offer stronger 2FA. Be careful when deploying 2FA or MFA, however, as it can add friction to the UX.

3. Biometric authentication

Biometrics uses something the user is. It relies less on an easily stolen secret to verify that users own an account. Biometric identifiers are unique to each person, which makes accounts protected by them harder to break into.

Common types of biometrics include the following:

  • Fingerprint scanning verifies a user based on their fingerprints.
  • Facial recognition uses the person's facial characteristics for verification.
  • Iris recognition scans the user's eye with infrared to compare patterns against a saved profile.
  • Behavioral biometrics uses how a person walks, types or handles a device.

Users may be familiar with biometrics, making it easier to deploy in an enterprise setting. Many consumer devices feature biometric authentication capabilities, including Windows Hello and Apple's Face ID and Touch ID. A biometric authentication experience is often smoother and quicker because it doesn't require a user to recall a secret or password. It's also harder for attackers to spoof.

Technology remains biometrics' biggest drawback. Not every device handles biometrics the same way, if at all. Older devices may rely on a saved static image that could be fooled with a photograph. Newer software, such as Windows Hello, may require a device to have a camera with near-infrared imaging. This may require heavier upfront costs than other authentication types. Users also must be comfortable sharing their biometric data with companies, and that stored data can still be stolen in a breach.

4. Single sign-on

Single sign-on (SSO) enables an employee to use a single set of credentials to access multiple applications or websites. The user has an account with an identity provider (IdP) that is a trusted source for the application (service provider). The service provider doesn't save the password. The IdP tells the site or application via cookies or tokens that the user verified through it.

SSO reduces how many credentials a user needs to remember, strengthening security. UX is also improved as users don't have to log in to each account each time they access it, provided they recently authenticated to the IdP. SSO can also help reduce a help desk's time assisting with password issues.

This authentication method does mean that, if an IdP suffers a data breach, attackers could gain access to multiple accounts with a single set of credentials. SSO also requires an initial heavy time investment for IT to set up and connect to its various applications and websites.

5. Token-based authentication

Token authentication enables users to log in to accounts using a physical device, such as a smartphone, security key or smart card. It can be used as part of MFA or to provide a passwordless experience. With token-based authentication, users verify credentials once for a predetermined time period to reduce constant logins.

Tokens make it difficult for attackers to gain access to user accounts. Attackers would need physical access to the token and the user's credentials to infiltrate the account.

Employees must be trusted to keep track of their tokens, or they may be locked out of accounts. Because users are locked out if they forget or lose the token, companies must plan for a reenrollment process.

6. Certificate-based authentication

Certificate authentication uses digital certificates issued by a certificate authority and public key cryptography to verify user identity. The certificate stores identification information and the public key, while the user holds the corresponding private key.

Certificate-based authentication can be used for SSO. IT can deploy, manage and revoke certificates. This authentication type works well for companies that employ contractors who need temporary network access.

Certificate-based authentication can be costly and time-consuming to deploy. IT must also create a reenrollment process in the event users can't access their keys -- for example, if they are stolen or the device is broken.

Authentication method protocols

The authentication process involves securely sending communication data between a remote client and a server. Popular authentication protocols include the following:

  • Lightweight Directory Access Protocol (LDAP) is used in authentication to verify credentials with a directory service. With LDAP, clients request user data stored within the database and provide access if credentials match.
  • Password Authentication Protocol (PAP) is used if servers cannot handle stronger protocols. PAP sends usernames and passwords in plaintext, making it an easy target for snooping.
  • Challenge-Handshake Authentication Protocol (CHAP) provides better protection than PAP. CHAP uses a challenge/response mechanism to authenticate instead of transmitting a secret, reducing the chances of replay attacks.
  • Extensible Authentication Protocol (EAP) is used for wireless connections as part of the Point-to-Point Protocol for encrypted networks. EAP provides a framework that supports and extends multiple authentication methods.
  • Kerberos is used to authenticate over insecure networks, such as the internet, in OSes including Windows, macOS and Linux. Kerberos relies on a trusted third party that issues tickets granting access.
  • OpenID, in its current form OpenID Connect, is an open standard for authentication and SSO that serves as the identity layer on top of the OAuth 2.0 authorization framework. Instead of logging in to individual websites directly, users are redirected to the OpenID provider for login.
  • Security Assertion Markup Language (SAML) is an open standard and SSO protocol. SAML passes information between an IdP and a service provider as signed XML documents.
  • FIDO2 is a standard that uses the Web Authentication API and Client to Authenticator Protocol to authenticate users via public key cryptography from a local device, such as a token or smartphone.
  • SSL/TLS uses public key cryptography and digital certificates to authenticate between user and server.
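The CHAP challenge/response exchange from the list above, worked through in Go as an added example (not code from the original article): the server issues a random single-use challenge, the peer answers with MD5(identifier || secret || challenge) as RFC 1994 specifies, and a captured response replayed against the next challenge is rejected. The Authenticator type, the 16-byte challenge length and the sample secret are this example's own constructions.

```go
package main

import (
	"crypto/md5"
	"crypto/rand"
	"crypto/subtle"
)

// chapResponse is the RFC 1994 computation MD5(identifier || secret || challenge); only this digest crosses the wire.
func chapResponse(id byte, secret, challenge []byte) []byte {
	h := md5.New()
	h.Write([]byte{id})
	h.Write(secret)
	h.Write(challenge)
	return h.Sum(nil)
}
type Authenticator struct { // server side: holds the peer's secret and the challenge it last issued
	secret    []byte
	id        byte
	challenge []byte // nil once consumed, so every challenge is single-use
}
// Challenge starts a new exchange with a fresh identifier and a random challenge value.
func (a *Authenticator) Challenge() (byte, []byte) {
	a.id++
	a.challenge = make([]byte, 16)
	if _, err := rand.Read(a.challenge); err != nil {
		panic(err)
	}
	return a.id, a.challenge
}
// Verify recomputes the digest from the server's copy of the secret and compares in constant time.
func (a *Authenticator) Verify(id byte, response []byte) bool {
	if a.challenge == nil || id != a.id {
		return false
	}
	expected := chapResponse(id, a.secret, a.challenge)
	a.challenge = nil // discarded whether or not the response matched
	return subtle.ConstantTimeCompare(expected, response) == 1
}
// ChapScenario: a legitimate peer authenticates, then an eavesdropper replays the captured response.
func ChapScenario() (peerOK, replayOK bool) {
	secret := []byte("constructed-shared-secret") // sample value for this example, not a real credential
	auth := &Authenticator{secret: secret}
	id, ch := auth.Challenge()
	captured := chapResponse(id, secret, ch) // the peer computes this with its own copy of the secret
	peerOK = auth.Verify(id, captured)
	id2, _ := auth.Challenge()            // next session: new identifier and new challenge
	replayOK = auth.Verify(id2, captured) // the captured digest no longer matches
	return peerOK, replayOK
}
```

The server must still hold each peer's secret in recoverable form to recompute the digest, which is CHAP's main limitation compared with the public-key methods later in this list.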

There is a growing demand for different types of user authentication technologies for both online and in physical systems. The motivation to authenticate users ranges from access control reasons to business development purposes like adding e-commerce elements.

Organizations need to understand that passwords are not the only way to authenticate users. There is a wide variety of authentication technologies and an even greater range of activities that require authentication methods.

What Is Authentication?

Authentication is the process of identifying users that request access to a system, network, or device. Access control often determines user identity according to credentials like username and password. Other authentication technologies like biometrics and authentication apps are also used to authenticate user identity.

Why Is User Authentication Important?

User authentication is a method that keeps unauthorized users from accessing sensitive information. For example, User A only has access to relevant information and cannot see the sensitive information of User B. 

Cybercriminals can gain access to a system and steal information when user authentication is not secure. The data breaches companies like Adobe, Equifax, and Yahoo faced are examples of what happens when organizations fail to secure their user authentication. 

Hackers gained access to Yahoo user accounts to steal contacts, calendars and private emails between 2012 and 2016. The Equifax data breach in 2017 exposed credit card data of more than 147 million consumers. Without a secure authentication process, any organization could be at risk.

5 Common Authentication Types

Cybercriminals always improve their attacks. As a result, security teams are facing plenty of authentication-related challenges. This is why companies are starting to implement more sophisticated incident response strategies, including authentication as part of the process. The list below reviews some common authentication methods used to secure modern systems.

1. Password-based authentication

Passwords are the most common method of authentication. A password can be a string of letters, numbers or special characters. To protect yourself, you need to create strong passwords that combine all of these character types.

However, passwords are prone to phishing attacks and to poor password hygiene that weakens their effectiveness. An average person has about 25 different online accounts, but only 54% of users use different passwords across their accounts.

The truth is that there are a lot of passwords to remember. As a result, many people choose convenience over security. Most people use simple passwords instead of creating reliable passwords because they are easier to remember. 

The bottom line is that passwords have a lot of weaknesses and are not sufficient in protecting online information. Hackers can easily guess user credentials by running through all possible combinations until they find a match.

2. Multi-factor authentication

Multi-Factor Authentication (MFA) is an authentication method that requires two or more independent ways to identify a user. Examples include codes generated from the user’s smartphone, Captcha tests, fingerprints, voice biometrics or facial recognition. 

MFA authentication methods and technologies increase the confidence of users by adding multiple layers of security. MFA may be a good defense against most account hacks, but it has its own pitfalls. People may lose their phones or SIM cards and not be able to generate an authentication code.

3. Certificate-based authentication

Certificate-based authentication technologies identify users, machines or devices by using digital certificates. A digital certificate is an electronic document modeled on the idea of a driver's license or a passport.

The certificate contains the digital identity of a user, including a public key, and the digital signature of a certification authority. Digital certificates prove ownership of a public key and are issued only by a certification authority.

Users provide their digital certificates when they sign in to a server. The server verifies the credibility of the digital signature and the certificate authority. The server then uses cryptography to confirm that the user has a correct private key associated with the certificate.
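The certificate-based login described above (and in section 6 of the first list) as an added Go example, not the article's own code: a constructed root CA issues a client certificate, and the server first checks that the presented certificate chains to that CA and then confirms possession of the matching private key by verifying a signature over a fresh nonce. The issue/ServerVerify/CertScenario helpers, the Ed25519 keys, the CommonName values and the nonce handling are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // keeps the example short; real code returns the error
	if err != nil {
		panic(err)
	}
	return v
}
func randBytes(n int) []byte { b := make([]byte, n); must(rand.Read(b)); return b }
func newKey() ed25519.PrivateKey { return ed25519.NewKeyFromSeed(randBytes(ed25519.SeedSize)) }
// issue signs a certificate for pub with signer; a nil parent yields a self-signed root CA certificate.
func issue(serial int64, cn string, pub any, parent *x509.Certificate, signer ed25519.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	if parent == nil { // root CA: marks itself as a CA and signs its own certificate
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent = tmpl
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}

// ServerVerify: the certificate must chain to the trusted CA, and the presenter must prove it holds the private key.
func ServerVerify(trustedCA, presented *x509.Certificate, nonce, sig []byte) bool {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	if _, err := presented.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return false // untrusted issuer, expired or tampered certificate
	}
	pub, ok := presented.PublicKey.(ed25519.PublicKey)
	return ok && ed25519.Verify(pub, nonce, sig)
}

// CertScenario: the genuine client passes; a presenter holding the certificate but not its key fails.
func CertScenario() (genuine, keyless bool) {
	caKey, userKey, otherKey := newKey(), newKey(), newKey()
	caCert := issue(1, "Constructed Root CA", caKey.Public(), nil, caKey)
	userCert := issue(2, "alice@example.test", userKey.Public(), caCert, caKey)
	nonce := randBytes(32) // fresh per login attempt, so a captured signature cannot be replayed
	return ServerVerify(caCert, userCert, nonce, ed25519.Sign(userKey, nonce)),
		ServerVerify(caCert, userCert, nonce, ed25519.Sign(otherKey, nonce))
}
```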

4. Biometric authentication

Biometrics authentication is a security process that relies on the unique biological characteristics of an individual. Here are key advantages of using biometric authentication technologies:

  • Biological characteristics can be easily compared to authorized features saved in a database. 
  • Biometric authentication can control physical access when installed on gates and doors. 
  • You can add biometrics into your multi-factor authentication process.

Biometric authentication technologies are used by consumers, governments and private corporations including airports, military bases, and national borders. The technology is increasingly adopted due to the ability to achieve a high level of security without creating friction for the user. Common biometric authentication methods include:

  • Facial recognition—matches the different face characteristics of an individual trying to gain access to an approved face stored in a database. Face recognition can be inconsistent when comparing faces at different angles or comparing people who look similar, like close relatives. Facial liveness like ID R&D’s passive facial liveness prevents spoofing.
  • Fingerprint scanners—match the unique patterns on an individual’s fingerprints. Some new versions of fingerprint scanners can even assess the vascular patterns in people’s fingers. Fingerprint scanners are currently the most popular biometric technology for everyday consumers, despite their frequent inaccuracies. This popularity can be attributed to iPhones.
  • Speaker recognition—also known as voice biometrics, examines a speaker’s speech patterns for the formation of specific shapes and sound qualities. A voice-protected device usually relies on standardized words to identify users, just like a password.
  • Eye scanners—include technologies like iris recognition and retina scanners. Iris scanners project a bright light towards the eye and search for unique patterns in the colored ring around the pupil of the eye. The patterns are then compared to approved information stored in a database. Eye-based authentication may suffer inaccuracies if a person wears glasses or contact lenses.