Discretionary Access Control (DAC) : What Is Authentication?


What Is Authentication?

Authentication is the process of verifying the identity of a user, device or service that requests access to a
system, network or application. Identification (claiming to be someone) and authentication (proving it) are
separate steps, and authorization, which decides what an authenticated identity may do, is a third. Most
systems verify identity by checking credentials such as a username and password, but other factors such as
biometrics, hardware security keys and authenticator apps are also widely used to verify user identity.

Discretionary Access Control (DAC)


With a discretionary access control (DAC) system, the owner of a resource decides who may access
it. In a physical access system, each access control point has a list of authorised users maintained
by that point's owner. Every time a keycard is swiped, a PIN is entered, or a fingerprint is
scanned, the system checks the presented credential against the list and either allows or denies
access based on the previously set allowances.

DAC systems are considered the most flexible and offer the finest-grained allowances of the
access control types described here. Because they are the most flexible, they are also less secure
than some other types, especially mandatory access control. Since the resource owner has total
control over the list, they can grant access to someone who should not have it, and no central
policy prevents it. Discretionary access control suits organisations that value ease of use and
flexibility over strict control.

Mandatory Access Control (MAC)


On the other end of the spectrum, mandatory access control (MAC) systems are the strictest type
of access control. Access decisions are made by a central policy rather than by resource owners:
all the access control settings are preset by the system administrator (or security officer) and
cannot be changed or removed by anyone else.

Instead of creating an access list on each individual entry point as in a DAC system, a MAC
system classifies every user and every resource with a security label (for example a clearance
level and a classification level) and grants access only when the policy says the user's label
permits it. If you have 150 employees, you will need 150 user classifications set up in the system.

Mandatory access control systems are the strictest and most secure type of access
control, but they’re also the most inflexible. In order to change permissions, the
administrator has to reprogram the specific user’s access, not just the security lists at the
entry point. MAC systems are primarily used by companies and agencies that require the
utmost levels of security.

Role-Based Access Control (RBAC)


Role-based access control (RBAC) is quickly becoming the most popular type of access
control. Instead of assigning permissions to individual users like in a MAC system, an
RBAC system works by assigning permissions to a specific job title. It cuts down on the
time required to set up or change user access.

For example, if you have 20 salespeople, two managers, and three accountants, you would not
have to create 25 individual security profiles in the system. You would only have to create three:
one for each job title. When an employee is promoted, you assign them the new role and they are
good to go.

Rule-Based Access Control


Not to be confused with the other “RBAC,” rule-based access control is commonly used
as an add-on to the other types of access control. In addition to whatever type of access
control you choose, rule-based access control can change the permissions based on a
specific set of rules created by the administrator.

If your business closes at 5 p.m., there’s no need for anyone to have access to your main
office, even managers, after closing. With rule-based access control, you can set a rule to
deny access to everyone from 5 p.m. to 9 a.m. the next morning. Rules can be created
for just about any occasion.
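As an added illustration (example code written for this page, not from the original article), here is a small Python model of the four types above: a DAC access list that only the resource owner may extend, MAC labels that users cannot change, RBAC roles that a promotion simply swaps, and a business-hours rule layered on top of RBAC. All user, role and resource names are constructed. The time window deliberately handles the 5 p.m. to 9 a.m. case from the rule-based section, which wraps past midnight and is where a naive comparison goes wrong.

```python
from datetime import datetime, time

# --- DAC: every resource has an owner-managed list of permitted users.
# Constructed sample data for this example.
DAC_ACL = {"server_room": {"owner": "alice", "allowed": {"alice", "bob"}}}

def dac_allows(resource: str, user: str) -> bool:
    """Check the presented identity against the resource's access list."""
    return user in DAC_ACL[resource]["allowed"]

def dac_grant(resource: str, grantor: str, grantee: str) -> bool:
    """Only the owner may extend the list; nothing stops the owner from
    granting access to someone who should not have it."""
    entry = DAC_ACL[resource]
    if grantor != entry["owner"]:
        return False
    entry["allowed"].add(grantee)
    return True

# --- MAC: central labels set by the administrator; users cannot change them.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}
USER_CLEARANCE = {"alice": "internal", "carol": "secret"}
RESOURCE_LABEL = {"server_room": "confidential", "lobby": "public"}

def mac_allows(resource: str, user: str) -> bool:
    """Simple 'no read up' rule: the user's clearance must dominate the
    resource label. Unknown users get the lowest clearance."""
    clearance = USER_CLEARANCE.get(user, "public")
    return LEVELS[clearance] >= LEVELS[RESOURCE_LABEL[resource]]

# --- RBAC: permissions attach to roles, users are assigned roles.
ROLE_PERMS = {
    "sales": {"enter:office", "read:crm"},
    "manager": {"enter:office", "read:crm", "approve:discount"},
    "accountant": {"enter:office", "read:ledger"},
}
USER_ROLES = {"bob": {"sales"}, "dave": {"manager"}, "erin": {"accountant"}}

def rbac_allows(user: str, permission: str) -> bool:
    return any(permission in ROLE_PERMS[role] for role in USER_ROLES.get(user, ()))

def promote(user: str, new_role: str) -> None:
    """A promotion is a role change, not a new per-user profile."""
    USER_ROLES[user] = {new_role}

# --- Rule-based: a rule layered on top of another model (here, RBAC).
def within_hours(now: str, open_at: str, close_at: str) -> bool:
    """All arguments are "HH:MM". True if now is inside [open_at, close_at).
    A window whose close time is earlier than its open time (e.g. "22:00"-"06:00")
    wraps past midnight, which a plain open <= now < close check gets wrong."""
    now_t, open_t, close_t = (time.fromisoformat(s) for s in (now, open_at, close_at))
    if open_t <= close_t:
        return open_t <= now_t < close_t
    return now_t >= open_t or now_t < close_t

def rule_based_allows(user: str, permission: str, when: str,
                      open_at: str = "09:00", close_at: str = "17:00") -> bool:
    """`when` is an ISO timestamp such as "2024-05-06T18:30". Denies everyone,
    managers included, outside the allowed window."""
    now = datetime.fromisoformat(when).strftime("%H:%M")
    return rbac_allows(user, permission) and within_hours(now, open_at, close_at)
```

The "deny everyone from 5 p.m. to 9 a.m." rule is expressed as an allow window of 09:00 to 17:00; the wrap-around branch in within_hours is what you need if the rule is instead phrased as an allow window that spans midnight (a night shift, for instance).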

Why Is User Authentication Important?

User authentication is the first step in keeping unauthorized users away from sensitive information: once the
system knows who the user is, authorization rules can limit what they see. For example, User A only has
access to their own information and cannot see the sensitive information of User B.

Cybercriminals can gain access to a system and steal information when user authentication is not
secure. The data breaches that companies like Adobe, Equifax, and Yahoo suffered show what happens
when organizations fail to protect user accounts and credentials.

Attackers gained access to Yahoo user accounts to steal contacts, calendars and private emails between
2012 and 2016. The Equifax data breach in 2017 exposed personal data (names, Social Security numbers,
birth dates and addresses) of about 147 million consumers. Without a secure authentication process, any
organization could be at risk.

5 Common Authentication Types

Cybercriminals keep improving their attacks, so security teams face plenty of authentication-related
challenges. This is why companies are adopting stronger authentication methods and treating compromised
credentials as an incident response scenario. The list below reviews some common authentication methods
used to secure modern systems.

1. Password-based authentication

Passwords are the most common method of authentication. A password is a secret string of letters,
numbers, or special characters. To protect yourself you need to create strong passwords: long, unique to
each site, and not based on dictionary words or personal details.

However, passwords are prone to phishing attacks and bad hygiene that weakens effectiveness. An
average person has about 25 different online accounts, but only 54% of users use different passwords
across their accounts. 

The truth is that there are a lot of passwords to remember. As a result, many people choose
convenience over security. Most people use simple passwords instead of creating reliable passwords
because they are easier to remember. 

The bottom line is that passwords have a lot of weaknesses and are not sufficient on their own to protect
online information. If a password is short or common, attackers can guess it by trying lists of common
passwords and then all possible combinations until they find a match, and if a site's password database
leaks, they can run the same attack offline against the stored hashes.

2. Multi-factor authentication

Multi-Factor Authentication (MFA) is an authentication method that requires two or more independent
ways to verify a user. Examples include codes generated by an authenticator app on the user's smartphone,
hardware security keys, fingerprints, voice biometrics or facial recognition. (A CAPTCHA is not an
authentication factor; it only distinguishes humans from bots.)

MFA increases confidence in the claimed identity by adding independent layers of security. MFA is a
good defense against most account takeovers, but it has its own pitfalls. People may lose their phones or
SIM cards and be unable to generate an authentication code, and codes delivered by SMS can be intercepted
through SIM-swapping attacks.

3. Certificate-based authentication

Certificate-based authentication technologies identify users, machines or devices by using digital
certificates. A digital certificate is an electronic document based on the idea of a driver's license or a
passport.

The certificate contains the digital identity of a user, including a public key, and the digital signature of a
certification authority (CA). Digital certificates prove the ownership of a public key and are issued only by
a certification authority.

Users present their digital certificates when they sign in to a server. The server verifies that the certificate's
signature chains to a certificate authority it trusts and that the certificate has not expired or been revoked.
The server then uses cryptography (a challenge that only the holder of the private key can answer) to
confirm that the user possesses the private key associated with the certificate.
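The server side of this exchange in Python's standard ssl module, as an added example (not code from the original article). The context refuses any handshake without a client certificate that chains to the trusted client CA; the TLS handshake itself makes the client prove possession of the private key. The sample peer certificate dictionary is constructed in the shape ssl.SSLSocket.getpeercert() returns, so the identity mapping runs offline; the file paths and the issuer name "Example Client CA" are assumptions.

```python
import ssl
from typing import Optional

def make_mtls_server_context(certfile: Optional[str] = None, keyfile: Optional[str] = None,
                             client_ca_file: Optional[str] = None) -> ssl.SSLContext:
    """Server context that requires and verifies a client certificate.
    certfile/keyfile: the server's own certificate and key (assumed paths).
    client_ca_file: the CA that issues client certificates; keep this separate
    from the general web PKI so a certificate from any public CA is not accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    if client_ca_file:
        ctx.load_verify_locations(cafile=client_ca_file)
    # CERT_REQUIRED: a handshake with no certificate, or one that does not chain
    # to client_ca_file, fails before any application data is exchanged.
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx

def requires_client_cert(ctx: ssl.SSLContext) -> bool:
    """Sanity check for deployment: CERT_OPTIONAL or CERT_NONE would let
    anonymous clients through."""
    return ctx.verify_mode == ssl.CERT_REQUIRED

# Constructed sample in the dict form getpeercert() returns once a certificate
# has been validated (it returns None or {} otherwise).
SAMPLE_PEERCERT = {
    "subject": ((("countryName", "US"),), (("organizationName", "Example Corp"),),
                (("commonName", "alice"),)),
    "issuer": ((("commonName", "Example Client CA"),),),
    "subjectAltName": (("email", "alice@example.com"),
                       ("DNS", "alice.clients.example.com")),
    "serialNumber": "0A1B2C",
    "notAfter": "Jan  1 00:00:00 2099 GMT",
}

def flatten_name(name) -> dict:
    """Turn getpeercert()'s tuple-of-RDN-tuples into a plain dict."""
    return {key: value for rdn in name for key, value in rdn}

def identity_from_peercert(cert: Optional[dict], trusted_issuer_cn: str) -> Optional[str]:
    """Map a verified client certificate to an application identity.
    Pins the issuer so a certificate from another CA that happens to be in the
    trust store cannot impersonate a client; prefers the SAN e-mail and falls
    back to the subject commonName."""
    if not cert:
        return None
    if flatten_name(cert.get("issuer", ())).get("commonName") != trusted_issuer_cn:
        return None
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "email":
            return value
    return flatten_name(cert.get("subject", ())).get("commonName")
```

In a server loop the two pieces fit together as conn = ctx.wrap_socket(sock, server_side=True) followed by identity_from_peercert(conn.getpeercert(), "Example Client CA"). Note that Python's ssl module does not check revocation by default; if you distribute CRLs, load them with load_verify_locations and set ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF.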

4. Biometric authentication

Biometric authentication is a security process that relies on the unique biological characteristics of an
individual. Here are key advantages of using biometric authentication technologies:

 Biological characteristics can be easily compared to authorized features saved in a database. 

 Biometric authentication can control physical access when installed on gates and doors. 

 You can add biometrics into your multi-factor authentication process.

Biometric authentication technologies are used by consumers, governments and private corporations
including airports, military bases, and national borders. The technology is increasingly adopted due to
the ability to achieve a high level of security without creating friction for the user. Common biometric
authentication methods include:

 Facial recognition—matches the different face characteristics of an individual trying to gain
access to an approved face stored in a database. Face recognition can be inconsistent when
comparing faces at different angles or comparing people who look similar, like close relatives.
Facial liveness detection, such as ID R&D's passive facial liveness, prevents spoofing with photos or masks.

 Fingerprint scanners—match the unique patterns on an individual's fingerprints. Some new
versions of fingerprint scanners can even assess the vascular patterns in people's fingers.
Fingerprint scanners are currently the most popular biometric technology for everyday
consumers, despite their frequent inaccuracies. This popularity can be attributed to iPhones.

 Speaker recognition—also known as voice biometrics, examines a speaker's speech patterns
for the formation of specific shapes and sound qualities. A voice-protected device usually relies
on standardized words to identify users, just like a password.

 Eye scanners—include technologies like iris recognition and retina scanners. Iris scanners
project a bright light towards the eye and search for unique patterns in the colored ring around
the pupil of the eye. The patterns are then compared to approved information stored in a
database. Eye-based authentication may suffer inaccuracies if a person wears glasses or contact
lenses.

5. Token-based authentication

Token-based authentication technologies let users enter their credentials once and receive a token in
exchange: either an opaque random string that the server looks up in its session store, or a self-contained
signed token such as a JWT whose claims the server can verify. You then present the token to access
protected systems instead of entering your credentials again. The token proves that you have already
authenticated, so it must be unguessable or tamper-evident, short-lived, and sent only over TLS. Use cases
of token-based authentication include RESTful APIs used by multiple frameworks and clients.

Authentication with Username and Password


The username and password combination is the most popular authentication mechanism, and it is
also known as password authentication.

A well-known example is accessing a user account on a website or a service provider such as
Facebook or Gmail. Before you can access your account, you must prove you own the correct
login credentials. Services typically present a screen that asks for a username along with a
password. Then they compare the submitted password (by hashing it and comparing the result) with
the value previously stored in an internal repository.

If you enter a valid combination of these credentials, the service provider will allow you to
continue and will give you access to your account.

While the username may be public, for example an email address, the password must be
confidential and therefore protected from theft by cybercriminals. Although usernames and
passwords are widely used on the internet, they are notorious for being a weak security mechanism
that attackers exploit regularly.

The first way to protect them is by enforcing password strength, that is, making them hard for an
attacker to guess. Length matters more than character variety: a long passphrase resists guessing
better than a short password that merely mixes lowercase and uppercase letters, numbers, and special
characters, and current guidance (NIST SP 800-63B) recommends screening new passwords against
lists of breached and common passwords rather than imposing composition rules. A short or
commonly used password is a weak password.

End users notoriously tend to use weak passwords. In an annual report from SplashData, an
internet security firm, they identified the 25 most common passwords. The list, based on millions
of passwords exposed by data breaches, shows that millions of users rely on passwords like
"123456" and "password" to authenticate.

This is a matter of usability, since weak passwords are usually easier to remember. In addition,
users often reuse the same password across different websites or services.

The combination of these situations may lead to security issues since weak passwords are easy to
guess, and the leaked password can be used to access multiple services for the same user.

On the other hand, strong passwords can withstand brute force attacks but are useless against
attacks like phishing, keylogger software or credential stuffing (replaying username and password
pairs leaked from another site). These attacks do not try to guess the user's password; they steal
it directly or reuse a copy that has already leaked.

Passwords are also an issue when they are not securely stored. For example, Facebook was found
to have stored millions of Instagram passwords in plain text. Passwords should never be stored in
plain text or with a fast unsalted hash; store them with a salted, deliberately slow password hashing
function such as bcrypt, scrypt, Argon2 or PBKDF2.
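To make the recommendations in this section concrete (screen new passwords against a denylist and a length check instead of composition rules, and store them only as salted slow hashes), here is an added Python example written for this page rather than taken from the original article. It uses PBKDF2-HMAC-SHA256 from the standard library because that needs no extra package; bcrypt, scrypt or Argon2 are equally good choices. The denylist, iteration count and sample passwords are constructed for the example.

```python
import base64
import hashlib
import hmac
import os
from typing import Tuple

# Constructed denylist; in practice screen against a breached-password corpus
# such as the Have I Been Pwned list, which holds hundreds of millions of entries.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "12345678", "111111", "letmein"}
MIN_LENGTH = 12
PBKDF2_ROUNDS = 600_000   # OWASP's 2023 minimum for PBKDF2-HMAC-SHA256

def password_is_acceptable(password: str) -> Tuple[bool, str]:
    """Reject known-bad and very short passwords; impose no composition rules."""
    if password.lower() in COMMON_PASSWORDS:
        return False, "commonly used password"
    if len(password) < MIN_LENGTH:
        return False, "shorter than %d characters" % MIN_LENGTH
    return True, "ok"

def hash_password(password: str, rounds: int = PBKDF2_ROUNDS) -> str:
    """Return a self-describing record: algorithm$rounds$salt$hash.
    A fresh random salt per password defeats precomputed (rainbow) tables and
    makes identical passwords produce different records."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return "pbkdf2_sha256$%d$%s$%s" % (rounds, base64.b64encode(salt).decode(),
                                       base64.b64encode(digest).decode())

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and rounds; compare in constant time so
    timing does not leak how many leading bytes matched."""
    try:
        algorithm, rounds, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False
    if algorithm != "pbkdf2_sha256":
        return False
    salt, expected = base64.b64decode(salt_b64), base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(rounds))
    return hmac.compare_digest(actual, expected)
```

Storing the round count inside the record is what lets you raise it later: old records keep verifying, and you rehash a user's password with the new count the next time they log in.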

Authentication Factors
A specific category of credential, like a username and password, is usually called an
authentication factor. Although password authentication is the best-known type of
authentication, other authentication factors exist. They are typically classified into three types:

 Something you know, for example, a password
 Something you have, for example, a smartphone
 Something you are, for example, biometric authentication

Something you know
This authentication factor requires a user to show that they know something. Typically, this is
a password or a Personal Identification Number (PIN) shared between the user and the Identity
and Access Management (IAM) system.

To use this factor, the system requires the user to provide that shared information.

Something you have


In this case, the user has to prove they possess something, such as a smartphone, a smart card or a
mailbox. The system presents a challenge to make sure the user has the required factor. For
example, an authenticator app on the user's smartphone can generate a Time-based One-Time
Password (TOTP) from a secret shared at enrollment, or the system can send a one-time code by
text message or email. A code sent by SMS or email only proves access to that channel, which is
weaker than a code generated on the device itself.

Something you are


This authentication factor is based on a characteristic that is inherent to the user (the inherence
factor). Typically this is a biometric such as a fingerprint or voice; facial recognition also falls into
this category.

From Single to Multi-Factor Authentication


The process of authentication based on just one factor is called Single-factor authentication.

This is the common case of simply using usernames and passwords for user authentication, but it
applies to any other authentication factor.

As discussed above, password authentication may be a weak authentication mechanism.


Research has shown that around 76% of companies have experienced a phishing attack,
while 81% of data breaches are based on stolen or weak passwords.

You can use additional authentication factors to increase the security of the authentication
process. For example, in your Google account you can enable a prompt sent to your mobile device
after the usual username and password check. In this case you are using Two-factor authentication
(2FA), that is, an authentication mechanism based on two categories of credentials: something you
know and something you have.

By adding this second factor your account is more secure: even if an attacker steals your password,
they cannot authenticate because they lack the second factor. The remaining risk is an attacker who
also captures or relays the second factor in real time, for instance through a phishing page that
proxies the login, which is why phishing-resistant factors such as FIDO2 security keys are preferred
for high-value accounts.

You can combine multiple authentication factors, further increasing your identity security. In this
case, you are using a Multiple-factor authentication (MFA). Of course, 2FA is just a form of
MFA.

Passwordless Authentication

As the name says, passwordless authentication is an authentication mechanism that does not use a
password. The primary motivation for this type of authentication is to mitigate password fatigue,
that is, the effort required for the user to remember and keep secure a strong password.

Removing the need to memorize passwords also removes the password as a phishing target, although a
code sent by email can still be phished; only cryptographic methods bound to the site, such as
FIDO2/WebAuthn, make phishing ineffective.

You can do passwordless authentication with any authentication factor based on what you have
and what you are. For example, you can let the user access a service or an application by sending
a code via email or through facial recognition.

Authentication at Auth0
As Auth0 is an identity-as-a-service company, authentication resides at the core of our services.
Monthly, Auth0 handles 2.5 billion authentication processes to help companies of all sizes secure
their systems. Every single employee working at Auth0 is somehow involved in making
authentication processes more secure and easier to implement.

From compliance certifications like ISO27001 and SOC 2 Type II to security features
like breached password detection, Auth0 employees work around the clock to provide world-
class authentication solutions that fit every company's needs. If you want to learn more about
authentication or about how Auth0 can help you implement it securely, check out this training.
