Authentication
The process of verifying that a person or system is who or what they claim to be before granting access to resources.
What Is Authentication?
Authentication is the process of verifying the identity of a user, device, or system before granting access to a resource. It answers the question: "Are you really who you say you are?"
Authentication is distinct from authorisation (which determines what an authenticated entity is allowed to do) and accountability (which records what actions were taken and by whom). Together, the three form the AAA framework — Authentication, Authorisation, and Accountability.
Authentication Factors
Authentication evidence falls into three categories:
- Knowledge (something you know): Passwords, PINs, security questions
- Possession (something you have): Smartphones, hardware tokens, smart cards
- Inherence (something you are): Biometrics — fingerprints, facial recognition, voice recognition
Single-factor authentication (SFA): One factor, typically a password. Weakest form — widely exploited.
Multi-factor authentication (MFA): Two or more factors from different categories. Significantly harder to compromise.
Modern Authentication Methods
Passwords: Still the most common method, but weak when reused or simple. Use a password manager and enforce strong password policies.
Passkeys: FIDO2-based cryptographic credentials stored on a device. Phishing-resistant and password-free. The emerging gold standard.
Authenticator apps (TOTP): Time-based one-time passwords generated by apps like Google Authenticator or Microsoft Authenticator. Strong second factor.
Hardware security keys: Physical keys (YubiKey, Google Titan) that plug into a USB port or are tapped via NFC. The most phishing-resistant form of MFA.
Biometrics: Fingerprint or face recognition, typically on devices. Convenient and reasonably secure — but biometric data, once compromised, cannot be changed.
SSO with MFA: Single sign-on via an identity provider (Entra ID, Google Workspace, Okta) with enforced MFA on the IdP. The recommended approach for managing access to multiple SaaS applications.
Why Passwords Alone Are Not Enough
Over 80% of breaches involve stolen or weak credentials. Passwords are compromised through phishing, keyloggers, credential stuffing, and database breaches. MFA dramatically reduces the risk — Microsoft reports it blocks over 99.9% of account compromise attacks.