In a computer system, authentication (“auth” for short) is the process that verifies that a user is who they claim to be. Most authentication systems rely on authentication factors, which are items (a swipe card), characteristics (a fingerprint scan) or bits of information (a PIN code) that only the user has.
Consider a common authentication scenario: supplying a user ID and password to log in to an email account. When the user enters their user ID (which is likely their email address in this situation) they’re telling the email system, “This is who I am.”
But that isn’t enough to verify the end user’s identity. Anyone can enter whatever user ID they want, especially when a user’s ID is something public like an email address. To prove that they truly are the person who owns that email address, the user enters their password, a secret piece of knowledge that (theoretically) no one else should have. The email system then identifies this user is the real account holder and lets them in.
Authentication processes can also confirm the identities of nonhuman users such as servers, web applications and other machines and workloads.
Authentication is a fundamental component of information security strategy. It is particularly important to identity and access management (IAM), the cybersecurity discipline that deals with how users access digital resources. Authentication enables organizations to limit network access to legitimate users, and it is the first step in enforcing individual user permissions.
Today, user identities are prime targets for threat actors. According to the IBM® X-Force® Threat Intelligence Index, hijacking valid user accounts is the most common way that attackers break into networks, accounting for 30% of cyberattacks. Hackers steal credentials and then pose as legitimate users, allowing them to sneak past network defenses to plant malware and steal data.
To combat these identity-based attacks, many organizations are moving away from purely password-based authentication methods. Instead, they’re adopting multifactor authentication, adaptive authentication and other strong authentication systems where user credentials are harder to steal or fake.
Authentication and authorization are related but distinct processes. Authentication verifies a user’s identity, while authorization grants that verified user the appropriate level of access to a resource.
One can think of authentication and authorization as answering two complementary questions:
Authentication is typically a prerequisite for authorization. For example, when a network administrator logs in to a secure system, they must prove they are an admin by supplying the right authentication factors. Only then will the IAM system authorize the user to perform administrative actions such as adding and removing other users.
At a high level, authentication is based on the exchange of user credentials, also called authentication factors. A user gives their credentials to the authentication system. If they match what the system has on file, the system authenticates the user.
To dig a bit deeper, one can break the authentication process into a series of steps:
While this example assumes a human user, authentication is generally the same for nonhuman users. For example, when a developer connects an app to an application programming interface (API) for the first time, the API might generate an API key. The key is a secret value that only the API and the app know. From then on, whenever the app makes a call to that API, it must show its key to prove the call is genuine.
There are four types of authentication factors that users can use to prove their identities:
Knowledge factors are pieces of information that, theoretically, only the user would know, such as passwords, PINs and answers to security questions. While knowledge factors are common, they’re also the easiest factors to steal or crack.
Possession factors are things that a user owns. While some users have dedicated hardware security tokens designed solely to act as possession factors, many people use their mobile devices.
For example, a user can install an authenticator app that generates one-time passwords (OTPs) that expire after a single use. Users can also receive OTPs through SMS text message.
Machines and workloads often use digital certificates, issued by trusted third parties, as possession factors.
Inherence factors are physical traits unique to a user. This category includes biometric authentication methods such as facial recognition and fingerprint scans.
Behavioral factors are behavioral patterns, such as a person’s typical IP address range, hours of activity and average typing speed.
Adaptive authentication schemes often use behavioral factors to assess a user’s risk level. (For more information, see “Types of authentication.”)
Traditionally, each individual app, website or other resource would have its own IAM system to handle user authentication. With the rise of digital transformation and the proliferation of corporate and consumer apps, this fragmented system has become cumbersome and inconvenient.
Organizations struggle to track users and enforce consistent access policies throughout the network. Users adopt poor security habits, such as using simple passwords or reusing credentials across systems.
In response, many organizations are implementing more unified approaches to identity where a single system can authenticate users for a various apps and assets.
Different authentication systems use different authentication schemes. Some of the most common types include:
In a single-factor authentication (SFA) process, users need to supply only one authentication factor to prove their identities. Most commonly, SFA systems rely on username and password combinations.
SFA is considered the least secure type of authentication because it means that hackers need to steal only one credential to take over a user’s account. The US Cybersecurity and Infrastructure Agency (CISA) officially discourages SFA as a “bad practice.”
Multifactor authentication (MFA) methods require at least two factors of at least two different types. MFA is considered stronger than SFA because hackers must steal multiple credentials to take over user accounts. MFA systems also tend to use credentials that are much harder to steal than passwords.
Two-factor authentication (2FA) is a type of MFA that uses exactly two authentication factors. It is probably the most common form of MFA in use today. For example, when a website requires users to enter both a password and a code that is texted to their phone, that is a 2FA scheme in action.
Sometimes called risk-based authentication, adaptive authentication systems use artificial intelligence (AI) and machine learning (ML) to analyze user behavior and calculate risk level. Adaptive authentication systems dynamically change authentication requirements based on how risky a user’s behavior is at the moment.
For example, if someone logs in to an account from their usual device and location, they might need to enter only their password. If that same user logs in from a new device or tries to access sensitive data, the adaptive authentication system might ask for more factors before allowing them to proceed.
Passwordless authentication is an authentication system that doesn’t use passwords or other knowledge factors. For example, the Fast Identity Online 2 (FIDO2) authentication standard replaces passwords with passkeys based on public key cryptography.
Under FIDO2, a user registers their device to act as an authenticator with an app, website or other service. During registration, a public-private key pair is created. The public key is shared with the service and the private key is kept on the user’s device.
When the user wants to log in to the service, the service sends a challenge to their device. The user responds by entering a PIN code, scanning their fingerprint or performing some other action. This action enables the device to use the private key to sign the challenge and prove the user’s identity.
Organizations are increasingly adopting passwordless authentication to defend against credential thieves, who tend to focus on knowledge factors because of how comparatively easy they are to steal.
As cybersecurity controls grow more effective, threat actors are learning to go around them instead of tackling them head-on. Strong authentication processes can help stop identity-based cyberattacks in which hackers steal user accounts and abuse their valid privileges to sneak past network defenses and wreak havoc.
Identity-based attacks are the most common initial attack vector according to the X-Force Threat Intelligence Index, and threat actors have many tactics for stealing credentials. User passwords, even strong passwords, are easy to crack through brute-force attacks where hackers use bots and scripts to systematically test possible passwords until one works.
Threat actors can use social engineering tactics to trick targets into giving up their passwords. They can try more direct methods, such as man-in-the-middle attacks or planting spyware on victims’ devices. Attackers can even buy credentials on the dark web, where other hackers sell account data that they stole during previous breaches.
Yet many organizations still use ineffective authentication systems. According to the X-Force Threat Intelligence Index, identification and authentication failures are the second most commonly observed web application security risks.
Strong authentication processes can help protect user accounts—and the systems that they can access—by making it hard for hackers to steal credentials and pose as legitimate users.
For example, multifactor authentication (MFA) makes it so that hackers must steal multiple authentication factors, including physical devices or even biometric data, to impersonate users. Similarly, adaptive authentication schemes can detect when users are engaging in risky behavior and pose additional authentication challenges before allowing them to proceed. This can help block attackers’ attempts to abuse stolen accounts.
Authentication systems can also serve specific use cases beyond securing individual user accounts, including:
1 "PCI DSS: v4.0". Security Standards Council. March 2022.
Learn about the customer identity and access management (CIAM) landscape and current trends in the market.
Discover how to reduce the complexity of identity management with IBM's product-agnostic approach to identity fabric orchestration.
Get a clear definition of identity fabric and learn how an identity fabric enables continuous control and visibility.
Data breach costs have hit a new high. Get essential insights to help your security and IT teams better manage risk and limit potential losses.
Find out how IBM Verify enables organizations to simplify IAM with the flow designer.
Stay up to date with the latest trends and news about identity and access management.