Introduction to Authentication
Authentication is one of the most important topics in information security. Computer networks are prone to attacks, so authentication is used to keep resources from falling into the hands of attackers. To be precise, it refers to the process of verifying a user's identity. Let us dig a bit deeper and learn more about authentication.
Authentication is the process by which the identity of a user is validated.
Need for Authentication
- In order to protect essential data and resources from attackers, authentication is performed. If authentication is not done, attackers may gain access to an organization’s confidential data.
- Authentication verifies the user's identity and confirms whether the user really is the person they claim to be.
- Authorization can happen only after authentication has been successfully done. They are closely related to each other and are both required for controlling access to resources. Authentication refers to verifying user identity, while authorization checks whether the user is authorized to access a particular resource.
Factors of Authentication
There are three factors through which authentication can be done:
- Something the user knows / Knowledge Factor
- Something the user has / Ownership Factor
- Something the user is / Inherence Factor
Something the user knows / Knowledge Factor
This is the simplest and weakest form of authentication. The user is typically presented with a challenge to which they must respond with 'something they know'. The typical example is a password. Other examples include a passphrase, a PIN (personal identification number), or a security question.
Something the user has / Ownership Factor
This type of authentication requires the user to own something for authentication. This refers to items like a credit card, debit card, ID card, static or dynamic tokens.
For example, for a user to withdraw money from an ATM, they are authenticated with the help of their debit card. In addition to the debit card (something the user has), the user also has to enter a PIN (something the user knows).
Something the user is / Inherence Factor
This type of authentication relies on biometrics (something the user is). Biometrics is the measurement of a person's physical and behavioral characteristics that can identify an individual uniquely. Biometric scanners are the hardware used to capture biometric data. There are various types of biometric authentication, such as:
- Fingerprint scan: Fingerprints are the friction ridges at the end of fingers that are unique for everyone.
- Retina recognition: Retina recognition uses the unique pattern of one’s retina for identifying someone distinctly.
- Iris recognition: Iris recognition provides accurate biometric authentication for an individual and is done using specialized cameras.
- Facial recognition: Facial recognition is used to map facial features from an image or a video by scanning the geometry of one’s face.
- Voice recognition: Voice recognition works by analyzing the frequency, flow, and accent of a person’s voice.
The inherence factor is used for the Aadhaar card, for which facial photographs, fingerprints, and iris scans of individuals are collected.
Other than the three factors above, two further factors that can be used for authentication are the Location Factor and the Time Factor.
- Location factor: Location-based authentication can be combined with other forms of authentication to validate a person's identity. It works by detecting the geographical location of the individual. For example, if a person usually logs in to the system from place A but an attacker tries to log in from a remote place B, the location factor can detect this and prevent the attacker from accessing the system.
- Time factor: Time-based authentication works in the same way as location-based authentication, using the time of access as the signal, and is usually paired with location-based authentication and some other form of authentication.
Single-factor Authentication (SFA)
In Single-Factor Authentication, the user is asked to present only one authentication factor for identity verification. On successful verification, the user is validated. The most common form of SFA is username and password, which is still used widely today. It falls under the category of 'something the user knows / knowledge factor'. However, even though it is the most popular way of authenticating, it is also the weakest and is prone to cyber threats.
Multi-factor Authentication (MFA)
Multi-factor Authentication, as the name suggests, challenges users to go through multiple factors of authentication to prove that they are exactly who they claim to be. All of us who use social networking websites like Facebook, Twitter and Instagram must be familiar with the term Two-factor Authentication, or 2FA. 2FA is a subset of MFA. It is precisely what it says and provides an extra layer of security over SFA. In the case of Facebook, along with the user id and password, the user is asked to choose one of three security methods:
- Security key
- Login codes from a third-party authentication app
- Security code sent as SMS to user's phone number.
2FA often combines 'something the user knows' (like a user id and password) and 'something the user has' (like the user's phone for receiving a security code).
2FA and MFA definitely enhance an organization's security manifold.
As discussed earlier, password-based verification is still the most popularly used yet the most vulnerable form of authentication. Here the user logs in to a system with their specific user id and password.
OTPs, or One-Time Passwords, are used to verify users when they try to start a transaction or log in to a system. OTPs are sent to the user by email or SMS, and the user is then asked to enter the OTP for verification. Unlike passwords, they are dynamic in nature: a new OTP is generated randomly every time using an OTP generation algorithm.
For example, whenever a person tries to pay with their debit card, an OTP is sent to their phone number before a transaction is made.
Note: You should never share your OTP with anyone, to protect yourself from falling victim to cyber fraud. OTP fraud has happened many times in the past and still keeps happening today. Not sharing your OTP with anyone is the only way to stop it.
Single Sign-On (SSO)
Single Sign-On (SSO) means a single login for multiple apps/websites. We often see 'Log in with Facebook/Google' while signing up for a new website. After clicking on it you are signed in to the website without even creating an account. This is called Single Sign-On. Though it is very convenient for users, as it saves them the hassle of remembering a password for every single website, it can become a single point of failure.
Passwordless authentication helps to verify users without them entering any password. For example, imagine a scenario when a user tries to sign in. He/she is then asked to enter the secret code sent to their email/phone number instead of their password. On successful verification of the secret code, the user gets authenticated. This is one way to implement passwordless authentication.
Biometrics, or 'something the user is', is a strong way to authenticate users and works by verifying an individual's biometric data.
Authenticator apps like Google Authenticator, Authy and Microsoft Authenticator implement 2FA for users' accounts. These apps are usually installed on smartphones and generate OTPs.
Authentication vs. Authorization
Authentication and Authorization go hand in hand when it comes to the security of an organization. However, people often get confused between the two and use the two terms interchangeably. They are two distinct steps for controlling access to resources. Authentication is the first step, and Authorization happens only after the former is successfully done.
Authentication is the process of validating a user's identity, while Authorization is the process of checking a user's authority to grant him/her access to certain resources.
For example, consider an organization where there are employees and admins. Employees are allowed to access file A only, whereas admins can access both file A and file B. Therefore, even after having their identity authenticated, an employee who tries to access file B will not be allowed to, and this is achieved by Authorization.
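The employee/admin scenario above, carried through as an added example (not code from the original post): authentication checks a salted password hash and returns the caller's role, and only then does authorization consult the role's permissions. The user names, passwords and roles are constructed for the demo.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed role -> resource permissions from the scenario above.
PERMISSIONS = {"employee": {"file A"}, "admin": {"file A", "file B"}}

# Iteration count lowered for the demo; use a current OWASP-recommended
# count (or a memory-hard hash such as scrypt/Argon2) in production.
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a salted PBKDF2-HMAC-SHA256 hash; plaintext is never stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class AccessControl:
    def __init__(self) -> None:
        self.users: Dict[str, Tuple[bytes, bytes, str]] = {}  # name -> (salt, hash, role)

    def register(self, username: str, password: str, role: str) -> None:
        salt, digest = hash_password(password)
        self.users[username] = (salt, digest, role)

    def authenticate(self, username: str, password: str) -> Optional[str]:
        """Step 1: verify identity. Returns the role on success, else None."""
        record = self.users.get(username)
        if record is None:
            # Hash anyway so response time does not reveal whether the user exists.
            hash_password(password, b"\x00" * 16)
            return None
        salt, digest, role = record
        _, candidate = hash_password(password, salt)
        return role if hmac.compare_digest(candidate, digest) else None

    def authorize(self, role: str, resource: str) -> bool:
        """Step 2: check the authenticated principal's permission for a resource."""
        return resource in PERMISSIONS.get(role, set())

    def access(self, username: str, password: str, resource: str) -> str:
        """Authentication first; authorization only for an authenticated user."""
        role = self.authenticate(username, password)
        if role is None:
            return "authentication failed"
        if not self.authorize(role, resource):
            return f"authenticated as {role}, but not authorized for {resource}"
        return f"access granted to {resource}"
```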
Frequently Asked Questions
1. Are Authentication and Authorization the same?
Ans: No, they are not the same. With the help of Authentication, the identity of a user is verified, whereas with Authorization the system checks whether the user has access to a particular resource.
2. What comes first, Authentication or Authorization?
Ans: Authentication is done before Authorization. Only after successful authentication does authorization take place.
To summarize what we have learned so far, we went through the basics of Authentication. We discussed the different factors of authentication: the knowledge factor, the ownership factor and the inherence factor. We also learned about various authentication techniques like SFA, MFA, SSO, OTP, etc. Lastly, we talked about how the two processes, Authentication and Authorization, differ from each other.
We hope you have understood the basic concepts revolving around Authentication by the end of this blog. Happy Learning Ninja