The goal of identity and access management is to ensure the right people have the right access to the right resources -- and that unauthorized users can't get in. Authentication -- the process of determining users are who they claim to be -- is one of the first steps in securing data, networks and applications.
Learn about six authentication types and the authentication protocols available to determine which best fit your organization's needs.
Why is user authentication important?
Requiring users to provide and prove their identity adds a layer of security between adversaries and sensitive data. With authentication, IT teams can employ least privilege access to limit what employees can see. The average employee, for example, doesn't need access to company financials, and accounts payable doesn't need to touch developer projects.
When selecting an authentication type, companies must consider UX along with security. Some user authentication types are less secure than others, but too much friction during authentication can lead to poor employee practices.
6 user authentication types
Authentication methods include something users know, something users have and something users are. Not every authentication type is created equal to protect the network, however; these authentication methods range from offering basic protection to stronger security. Using more than one method -- multifactor authentication (MFA) -- is recommended.
1. Password-based authentication
Also known as knowledge-based authentication, password-based authentication relies on a username and password or PIN. The most common authentication method, anyone who has logged in to a computer knows how to use a password.
Password-based authentication is the easiest authentication type for adversaries to abuse. People often reuse passwords and create guessable passwords with dictionary words and publicly available personal info. Further, employees need a password for every application and device they use, making them difficult to remember and leading employees to simplify passwords wherever possible. This leaves accounts vulnerable to phishing and brute-force attacks.
Companies should create password policies restricting password reuse. Password policies can also require users to change passwords regularly and require password complexity.
2. Two-factor/multifactor authentication
Two-factor authentication (2FA) requires users provide at least one additional authentication factor beyond a password. MFA requires two or more factors. Additional factors can be any of the user authentication types in this article or a one-time password sent to the user via text or email. Factors can include out-of-band authentication, which involves the second factor being on a different channel from the original device to mitigate man-in-the-middle attacks. This authentication type strengthens the security of accounts because attackers need more than just credentials for access.
The strength of 2FA relies on the secondary factor. Attackers can easily breach text and email. Using biometrics or push notifications, which require something the user is or has, offers stronger 2FA. Be careful when deploying 2FA or MFA, however, as it can add friction to UX.
3. Biometric authentication
Biometrics uses something the user is. It relies less on an easily stolen secret to verify users own an account. Biometric identifiers are unique, making it more difficult to hack accounts using them.
Common types of biometrics include the following:
- Fingerprint scanning verifies authentication based on a user's fingerprints.
- Facial recognition uses the person's facial characteristics for verification.
- Iris recognition scans the user's eye with infrared to compare patterns against a saved profile.
- Behavioral biometrics uses how a person walks, types or handles a device.
Users may be familiar with biometrics, making it easier to deploy in an enterprise setting. Many consumer devices feature biometric authentication capabilities, including Windows Hello and Apple's Face ID and Touch ID. A biometric authentication experience is often smoother and quicker because it doesn't require a user to recall a secret or password. It's also harder for attackers to spoof.
Technology remains biometrics' biggest drawback. Not every device handles biometrics the same way, if at all. Older devices may only use a saved static image that could be fooled with a picture. Newer software, such as Windows Hello, may require a device to have a camera with near-infrared imaging. This may require heavier upfront costs than other authentication types. Users also must be comfortable sharing their biometric data with companies, which can still be hacked.
4. Single sign-on
Single sign-on (SSO) enables an employee to use a single set of credentials to access multiple applications or websites. The user has an account with an identity provider (IdP) that is a trusted source for the application (service provider). The service provider doesn't save the password. The IdP tells the site or application via cookies or tokens that the user verified through it.
SSO reduces how many credentials a user needs to remember, strengthening security. UX is also improved as users don't have to log in to each account each time they access it, provided they recently authenticated to the IdP. SSO can also help reduce a help desk's time assisting with password issues.
This authentication method does mean that, if an IdP suffers a data breach, attackers could gain access to multiple accounts with a single set of credentials. SSO also requires an initial heavy time investment for IT to set up and connect to its various applications and websites.
5. Token-based authentication
Token authentication enables users to log in to accounts using a physical device, such as a smartphone, security key or smart card. It can be used as part of MFA or to provide a passwordless experience. With token-based authentication, users verify credentials once for a predetermined time period to reduce constant logins.
Tokens make it difficult for attackers to gain access to user accounts. Attackers would need physical access to the token and the user's credentials to infiltrate the account.
Employees must be trusted to keep track of their tokens, or they may be locked out of accounts. Because users are locked out if they forget or lose the token, companies must plan for a reenrollment process.
6. Certificate-based authentication
Certificate authentication uses digital certificates issued by a certificate authority and public key cryptography to verify user identity. The certificate stores identification information and the public key, while the user has the private key stored virtually.
Certificate-based authentication uses SSO. IT can deploy, manage and revoke certificates. This authentication type works well for companies that employ contractors who need network access temporarily.
Certificate-based authentication can be costly and time-consuming to deploy. IT must also create a reenrollment process in the event users can't access their keys -- for example, if they are stolen or the device is broken.
Authentication method protocols
The authentication process involves securely sending communication data between a remote client and a server. Popular authentication protocols include the following:
- Lightweight Directory Access Protocol (LDAP) is used in authentication to verify credentials with a directory service. With LDAP, clients request user data stored within the database and provide access if credentials match.
- Password Authentication Protocol (PAP) is used if servers cannot handle stronger protocols. PAP sends usernames and passwords in plaintext, making it an easy target for snooping.
- Challenge-Handshake Authentication Protocol (CHAP) provides better protection than PAP. CHAP uses a challenge/response mechanism to authenticate instead of transmitting a secret, reducing the chances of replay attacks.
- Extensible Authentication Protocol (EAP) is used for wireless connections as part of the Point-to-Point Protocol for encrypted networks. EAP provides a framework that supports and extends multiple authentication methods.
- Kerberos is used to authenticate over insecure networks, such as the internet, in OSes, including Windows, macOS and Linux. Kerberos works with a trusted third party to provide access certificates.
- OpenID is an open source protocol for authentication and SSO that serves as the identity layer of the OAuth 2.0 authorization framework. Instead of logging in to individual websites directly, users get redirected to the OpenID site for login.
- Security Assertion Markup Language (SAML) is an open source protocol and SSO standard. SAML passes information through signed XML documents between an IdP and service provider.
- FIDO2 is a standard that uses the Web Authentication API and Client to Authenticator Protocol to authenticate users via public key cryptography from a local device, such as a token or smartphone.
- SSL/TLS uses public key cryptography and digital certificates to authenticate between user and server.