Imagine a world where online accounts don’t ask you to authenticate yourself before you gain access. There’d be no access control! Anybody could use your account, access sensitive information, and use it to their own ends.
Authentication methods exist so you don’t have to worry about other people accessing your accounts. In this article, we explain what authentication is, how it helps platforms confirm user identity, and the various authentication types you may encounter.
Summary: Authentication is a process used to confirm that something is real. In the context of digital accounts and computer system access, authentication is used to ensure only the right people are granted access to protected information. Types of authentication include passwords, biometric authentication, and multi-factor authentication. All help validate a user’s identity before providing access to confidential data.
What is Authentication?
Put simply, authentication is the process of confirming that you are who you say you are. If you’ve ever set up an online account, you’re likely familiar with the basic concept. That account may ask you to create a user ID and password. It then asks for these user credentials whenever you try to access the account.
Think of authentication as the way computer systems control who can use them.
Without authentication, anybody could access an account without any barriers. Hackers would have field days as they pulled confidential information out of accounts with nothing to stop them. Authentication techniques are like the locked gates that protect what’s rightfully yours. Only you should have the key to unlock those gates.
The Authentication Types
Many people are already familiar with basic authentication practices.
Of course, authentication is often more complicated than creating a user name and password. There are many types of authentication processes, and many rely on modern technology to do their jobs.
Type No. 1 – Password Authentication
The most common authentication type, passwords are used for almost everything that requires digital access. A password is a unique key tied to a user ID you create. The password has to remain a secret or other people could use it to access the account that the password is tied to.
Passwords are also the most popular form of single-factor authentication. Your username is public and viewable, meaning it doesn’t offer any account security. As such, a service that only asks for a password before granting access only has a single type of authentication in place. Many services now combine passwords with other authentication types to make gaining access more difficult.
The idea behind passwords is that a unique set of letters and symbols should prevent cybercriminals from accessing an account. Unfortunately, that’s not always how passwords work in practice. Sophisticated criminals can often crack passwords using brute-force techniques and guesswork. Many people also use insecure passwords, such as birthdays and pet names, which makes cracking them easier.
Still, passwords are common and effective when used correctly. However, many services are moving away from using passwords as their sole authentication factor.
Type No. 2 – Multi-Factor Authentication
Also referred to as two-factor authentication (2FA), multi-factor authentication processes use at least two authentication factors to verify a user’s identity.
For example, you may sign up for an account that asks you to create a password as your initial authentication method. From there, the account may then ask for additional authentication factors, such as answers to some common personal questions. This is a knowledge factor and the idea is that only you should know the answers to these questions.
When you go to sign into this account, you’ll enter your username and password to get past the first authentication barrier. Then, the platform will ask you to complete the second form of authentication. In this case, that would involve providing the correct answer to the question it poses. You don’t get access to your account until you’re able to offer the right answer.
That’s a basic example of authentication systems that use multiple factors. More complex systems exist. Some accounts may ask for your phone number so they can send time-limited unique user codes via text message as the secondary form of authentication. Others may ask for biometric data, such as fingerprint or voice recognition systems.
Whatever the case may be, this form of authentication asks you to prove you are who you say you are in multiple ways. The extra steps make it harder for hackers to access accounts than it would be if they only had to crack a single authentication factor.
Type No. 3 – Biometric Authentication
We mentioned biometric authentication earlier.
Biometrics are physical characteristics that only you have, such as your face. Nobody else in the world looks exactly like you. Even if you have a twin, there are still minor facial differences that computer systems can use to authenticate you.
The idea here is that your physical attributes can’t be replicated by anybody else. There are several types of biometric authentication.
Just like a person can identify who you are by looking at your face, so too can a computer system. This technology scans your face and collects data points. This essentially turns your face into a biological password that’s completely unique to you. When you need access to whatever the technology protects, you simply allow a scanner to check your face and you’re in.
Facial recognition is a great way to determine a person’s identity. But it isn’t perfect. Hackers can use infrared photographs and certain types of hardware to hack facial recognition software.
If you’ve ever watched a detective movie, you’ve seen forensics teams gathering fingerprints to use as evidence. There’s a good reason for this. Fingerprints are like snowflakes. They’re all unique, which means your fingerprint is different from the fingerprints of everybody else in the world.
Authentication relies on unique factors. In that sense, there’s nothing better than a fingerprint.
Fingerprint scanners facilitate passwordless authentication by using your unique fingerprint as a biometric password. They’re becoming increasingly popular because it’s easy to build these scanners into modern devices. Your smartphone probably has a fingerprint scanner built into it!
But like all authentication methods, fingerprints can be accessed with the right tools. If somebody can hack the device that stores your fingerprint data, they can use it to access your accounts. More complicated hacking methods involve using silicone rubber to get a copy of your fingerprint, which a hacker can then use to gain access.
Voice authentication uses the behavioral and physical patterns in your voice as a form of access management. Simply put, we all sound different from one another. Our tones, accents, and speaking quirks all mean that our voices are identifiers. That makes them ideal for authentication.
Voice authentication is useful because it can be used to identify people in phone and video calls. Without it, the user would have to provide a spoken password or knowledge factor. Anybody listening in on the call could intercept these authentication techniques.
There are a few issues with voice authentication though. Background noise can make it hard to pick up on a person’s voice. Hackers may also be able to spoof, or copy, your voice in a recording to use when accessing your accounts.
Type No. 4 – Token Authentication
Token systems use a form of two-factor authentication to verify who you are. Instead of sending a code, these systems rely on the use of a physical device that only the user has access to. You may enter a username and password for your account. Then, you put a dongle into your computer’s USB port to serve as the token for secondary authentication.
Other types of tokens can include smart cards and near-field identification chips. Swiped or scanned ID cards can also be used.
The point is that there’s a physical device involved. That means anybody using token authentication has to keep track of who has a token. The token holder also has to ensure their token doesn’t fall into the wrong hands.
Type No. 5 – CAPTCHAs
A lot of hackers use bots to try and break through security measures. A hacker may use a bot to brute force a password, which means guessing what the password could be over and over until they get it right. But bots aren’t human. Therefore, they can be stopped in their tracks.
Invented in the early 2000s, CAPTCHAs take several forms. You have everything from blurry and misaligned character strings to image identification CAPTCHAs that ask you to pick a set of images that match given criteria. The idea is that bots can’t handle these requests because they’re not programmed to deal with them.
CAPTCHAs can cause issues for users with disabilities, however, such as visual impairments. Many bots are also smart enough to overcome older types of CAPTCHAs.
Type No. 6 – Digital Certificates
Think of digital certificates as though they’re driving licenses.
Your driver’s license provides identifying information about you, such as a photo, your date of birth, and your address. Digital certificates are electronic versions of the same concept. The certificate contains a public key that identifies the user, as well as a digital signature from whoever issues the certificate.
The certificate itself is proof of your identity because the public key stored on it is unique to you.
You’ll often have a digital certificate if you need access to a computer system or server. The server verifies the certificate’s credentials. It then uses cryptographic methods to check the public key and confirm that you’re the person who’s supposed to be using it.
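The two checks a server makes, the issuer's signature on the certificate and proof that the holder owns the matching private key, are shown below as an added example that is not part of the original article. It uses textbook RSA with deliberately tiny constructed keys so it runs on the Python standard library alone; the function names and the certificate layout are assumptions, and real certificates use X.509 with much larger keys.

```python
import hashlib
import secrets

E = 65537  # public exponent used by both toy keys

def make_key(p: int, q: int):
    """Return (modulus, private exponent) for a toy RSA key. Not secure."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data: bytes, n: int, d: int) -> int:
    return pow(digest(data, n), d, n)

def verify(data: bytes, signature: int, n: int) -> bool:
    return pow(signature, E, n) == digest(data, n)

# Constructed toy keys built from small known primes, for illustration only.
ISSUER_N, ISSUER_D = make_key(2**127 - 1, 2**89 - 1)
USER_N, USER_D = make_key(2**107 - 1, 2**61 - 1)

def cert_body(subject: str, public_key: int) -> bytes:
    return f"{subject}|{public_key}".encode()

def issue_certificate(subject: str, public_key: int) -> dict:
    """The issuer binds a subject name to a public key by signing both."""
    sig = sign(cert_body(subject, public_key), ISSUER_N, ISSUER_D)
    return {"subject": subject, "public_key": public_key, "signature": sig}

def server_authenticate(cert: dict, prove) -> bool:
    """prove(challenge) is the client's answer, made with its private key."""
    # Check 1: the issuer's signature covers exactly this subject and key.
    body = cert_body(cert["subject"], cert["public_key"])
    if not verify(body, cert["signature"], ISSUER_N):
        return False
    # Check 2: a fresh random challenge must be signed by the matching
    # private key, so a copied certificate alone is not enough.
    challenge = secrets.token_bytes(32)
    return verify(challenge, prove(challenge), cert["public_key"])
```

A certificate is public data, so the second check is what actually authenticates the holder; the first only establishes which public key to trust.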
Type No. 7 – Transaction Authentication
This type of authentication differs from most others. It doesn’t rely on something the user provides, such as a password. Instead, transaction authentication examines the user’s actions and history. It uses what it knows about you to check for discrepancies.
You’ll see this used often by platforms that track your IP address, the devices you use, or your physical address. If a sign-in occurs from an unrecognized location, you get an email telling you that there’s a new sign-in. If it was you, there’s nothing to worry about. If you didn’t log in from the location the email describes, you’re encouraged to change your details.
Transaction authentication is usually a secondary factor. You’ll still use a password or something similar as your primary authentication. This is just an extra layer of protection that informs you when something fishy is going on.
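The new sign-in check described above, written as an added example rather than code from the original article or any platform it mentions. The device identifiers, the use of an IP network prefix as a stand-in for location, and the sample events are all constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class SignInHistory:
    devices: set = field(default_factory=set)
    networks: set = field(default_factory=set)

def network_of(ip: str) -> str:
    """Coarse stand-in for location: /24 for IPv4, /48 for IPv6 (assumption)."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))

def confirm_sign_in(history: dict, user: str, device_id: str, ip: str) -> None:
    """Record a sign-in the account owner has confirmed as their own."""
    seen = history.setdefault(user, SignInHistory())
    seen.devices.add(device_id)
    seen.networks.add(network_of(ip))

def review_sign_in(history: dict, user: str, device_id: str, ip: str) -> list:
    """Return why a successful sign-in looks unfamiliar (empty list = familiar)."""
    seen = history.get(user)
    if seen is None:                      # first sign-in enrols the account
        confirm_sign_in(history, user, device_id, ip)
        return []
    reasons = []
    if device_id not in seen.devices:
        reasons.append("new device")
    if network_of(ip) not in seen.networks:
        reasons.append("new network")
    # Unfamiliar sign-ins are NOT learned here: they only become familiar
    # after the owner confirms them, so an intruder cannot train the check.
    return reasons

# Constructed sample events (documentation-range IP addresses).
EVENTS = [
    ("alice", "laptop-1", "192.0.2.10"),
    ("alice", "laptop-1", "192.0.2.77"),     # same device, same /24
    ("alice", "phone-9", "192.0.2.10"),      # new device, known network
    ("alice", "laptop-1", "203.0.113.5"),    # known device, new network
    ("alice", "unknown-3", "198.51.100.8"),  # both unfamiliar
]

def run(events):
    history = {}
    return [review_sign_in(history, *event) for event in events]
```

A non-empty result is what would trigger the notification email; calling `confirm_sign_in` corresponds to the user answering that the sign-in was theirs.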
There are many examples of all of these types of authentications to draw from.
Spotify uses transaction authentication as well as your username and password. Whenever you sign in from a new device, you should receive an email telling you about the new sign-in. If it wasn’t you, there’s a link to follow that allows you to reset your username and password.
Bank of America uses a multi-factor system to check you are who you say you are. After entering the details for your online account, you receive a six-digit verification code via SMS. You then enter this code into the website. Bank of America uses a third-party company to provide these unique codes. The code is only sent once, which makes it more difficult for hackers to intercept.
Facebook uses something it calls “Login Approvals” as authentication. You can sign up for this service to allow Facebook to use your smartphone as a token. This prevents Facebook from allowing access to people who know your password but don’t have your phone.
A lot of smartphones allow you to use biometric authentication to gain access. For example, the iPhone X introduced facial recognition technology. Many phones also have fingerprint scanners. You can couple these biometric methods with more traditional authentication, such as a password.
The United States Department of Defense (DoD) takes authentication to the next level. It uses biometrics, physical tokens like access cards, and even behavioral analysis techniques. That last method is unusual but it allows them to see when somebody is acting suspiciously.
Frequently Asked Questions
What does authentication mean?
Any technique used to verify your identity is a form of authentication. Examples include passwords, biometric data, and physical tokens. Authentication is supposed to prevent malicious parties from accessing your accounts.
What’s the difference between single-factor and multi-factor authentication?
Single-factor authentication uses a single authentication method to verify who you are. Multi-factor authentication combines several methods to create more barriers to entry.
Why is authentication important in cybersecurity?
Authentication prevents hackers from accessing your accounts. That means it’s vital for preventing information theft and stopping people from stealing financial information. Authentication also allows companies to only provide access to authorized people.
Author: Tibor Moes
Founder & Chief Editor at SoftwareLab
Tibor is a Dutch engineer and entrepreneur. He has tested security software since 2014.