Authentication 101

January 21, 2016

Authentication is the act of determining if someone (or something) is who or what it claims to be. This should be part of every security strategy. However, using only a single factor of authentication, like a username and password, is no longer doing a good job of keeping hackers out.


Traditionally, authentication mechanisms have been categorized as something you know, have or are. For example:


  • You know a password or a PIN.
  • You have a mobile phone or a token.
  • You are your biometric data, like a fingerprint.


Generally, combining multiple authentication factors results in a higher level of assurance (LoA) that the person or thing attempting to authenticate is actually the individual in question. Even if one of the factors has been compromised, the chances of the other factor also being compromised are low.


In theory, multi-factor authentication (MFA) requires a user to authenticate via two or more different types of authentication factors (e.g., a "something you know" combined with a "something you have"). But in practice, there's still value in multiple factors of the same type, as long as compromising one factor doesn't mean compromising the other.
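As an added illustration of the "something you know" plus "something you have" combination described above (example code written for this post, not from the original), here is a login check that requires both a hashed password and an RFC 6238 time-based one-time code; the user record, salt and password are constructed demo values, and the TOTP seed is the RFC reference secret. A stolen password alone, or a stolen seed alone, does not get the attacker through.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo user record: a hashed password ("something you know") and a
# TOTP seed that would live on the user's phone ("something you have").
# The seed is the RFC 6238 reference secret; salt and password are made up.
SALT = b"demo-salt-not-for-production"
USERS = {
    "alice": {
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, 100_000),
        "totp_seed": b"12345678901234567890",
    }
}

def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(seed: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(seed, now // step, digits)

def verify_password(user: dict, password: str) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)
    return hmac.compare_digest(candidate, user["pw_hash"])

def verify_totp(user: dict, code: str, now: int) -> bool:
    # Accept the current and immediately adjacent 30 s windows for clock drift.
    return any(hmac.compare_digest(totp(user["totp_seed"], now + d), code)
               for d in (-30, 0, 30))

def authenticate(username: str, password: str, code: str, now=None) -> bool:
    """Two-factor login: the knowledge factor and the possession factor must
    both verify; both are evaluated so a failure does not reveal which was wrong."""
    user = USERS.get(username)
    if user is None:
        return False
    now = int(time.time()) if now is None else now
    ok_know = verify_password(user, password)
    ok_have = verify_totp(user, code, now)
    return ok_know and ok_have
```

The `now` parameter exists so the check can be exercised against the RFC test vectors; in production it is left at its default.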


Authentication mechanisms can also be distinguished by whether they use the same channel where the user accesses the application (e.g., entering a password into an HTML form), or a separate channel dedicated to authentication (e.g., receiving a prompt on your mobile phone).


The world of authentication has many different (and sometimes contradictory) terms and concepts. Let's discuss some of the common authentication vocabulary:


Authentication is the process of verifying that a claimed identity is genuine and based on valid credentials. A credential is something the user has access to (either "has" or "knows") that can be used in an authentication protocol. Before a credential can be used to authenticate the user, it must have previously been associated or bound to that user.


Note: new contextual models of authentication de-emphasize explicit issuance of a credential to a user. They rely more on recognizing the context of a given user and determining whether or not that context is consistent with what's expected. In a loose sense, the different contextual signals can be considered credentials.


Identification is the process of gathering information about a person and using it to provide some level of assurance that the person is who they claim to be. Identity proofing is a part of the registration process that verifies a customer's identity before he/she is issued accounts and credentials.


A level of assurance or LoA describes the degree of certainty that an individual is who he/she claims to be when presented with a digital credential. LoA is determined by the quality of identity vetting, proofing and credentialing, and by the quality of the actual authentication process. This includes the quality/type of the authentication credential and robustness of the authentication mechanism. LoA models typically define about four different levels, each with defined requirements for identity proofing and the particulars of the authentication mechanism(s).


Multi-factor authentication or MFA refers to the use of more than one credential in the authentication of the user. Generally, the use of multiple factors results in a higher LoA for the user's authentication. Two-factor (2FA) is the simplest example of MFA where two different credentials are used.


Registration is the process by which the user is linked to his/her credential and identity record, and a corresponding credential is issued to the user.


Check in with me next week as I explore different authentication mechanisms that might be part of a step-up MFA architecture. If you're ready for more now, check out our latest white paper, Best Practices for Step-up Multi-factor Authentication.