About
Authentication is the process that establishes the identity of a user who accesses a resource of an application (page, image, …).
It's abbreviated as AuthN for authentication versus AuthZ for authorization.
The process validates who you are.
The authentication mechanism (a user/password form, for instance) starts when the user:
- needs to access a secured resource such as an admin page
- starts the authentication process (clicks on the login link or calls the login function)
The system or function that validates the authentication is referred to as an (Identity|Authentication) Provider (ie user store).
The process of creating, submitting, and verifying credentials is described simply as authentication, which is implemented through various authentication protocols.
What happens after a successful authentication?
After a user (human or process) has been authenticated, if the authentication store is:
- token based, an access token is delivered to the process, to be presented with every subsequent request.
The next critical step in building security is authorization (AuthZ).
Ways
Basically, there are three ways to authenticate an individual:
- by something the person knows,
- by something the person has,
- and by something the person is.
All these ways have been used from prehistory until the present day, and they all have different security properties and trade-offs.
More … What are the 3 Authentication Ways? Something the person knows, has or is
Multiple Techniques (MFA)
Better authentication systems use two or more methods.
- An ATM, for example, uses “something the person has”—an ATM card—and “something the person knows”—a PIN. (Then it takes the person’s picture, for audit purposes.)
- A passport is a physical card that is hard to counterfeit and contains a photograph.
- A door-locking device may use both a PIN and a hand-geometry scanner.
Identification is not authentication
Systems that confuse identification with authentication can have significant insecurities.
Some systems use the last four digits of a Social Security number as an authentication code, even though a Social Security number is a public identification number.
- You can’t change it.
- You can’t prevent others from having it.
It’s a unique identifier, but it’s hardly a secret: a good number to identify me by, but a terrible one to authenticate me by.
Your mother’s maiden name is a similarly lousy authentication code.
Provider (ie User Store)
An Authentication Provider implements the authentication method.
See What is an Authentication / Identity Provider? (ie user store)
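As an added illustration of the provider and token steps described above (example code written for this page, not from the original), a minimal in-memory user store that verifies a password, the "something the person knows" factor, issues an access token on success and resolves that token on later requests. The class and method names are assumptions; the sample user and password are constructed.

```python
import hashlib
import hmac
import os
import secrets
import time

PBKDF2_ROUNDS = 200_000  # slow, salted hash so a leaked store does not expose passwords


class UserStore:
    """Minimal authentication provider (hypothetical class; not a real library)."""

    def __init__(self):
        self._users = {}   # username (identifier) -> (salt, hash of the secret)
        self._tokens = {}  # access token -> (username, expiry timestamp)

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[username] = (salt, self._hash(password, salt))

    def authenticate(self, username: str, password: str, ttl: int = 3600, now=None):
        """AuthN step: verify the secret and return an access token, or None."""
        now = time.time() if now is None else now
        record = self._users.get(username)
        if record is None:
            self._hash(password, b"\x00" * 16)  # same work for unknown users (timing)
            return None
        salt, stored = record
        if not hmac.compare_digest(stored, self._hash(password, salt)):
            return None
        token = secrets.token_urlsafe(32)  # unguessable; sent with every later request
        self._tokens[token] = (username, now + ttl)
        return token

    def identify(self, token: str, now=None):
        """Resolve a token presented on a subsequent request to its username."""
        now = time.time() if now is None else now
        entry = self._tokens.get(token)
        if entry is None:
            return None
        username, expiry = entry
        if now >= expiry:
            del self._tokens[token]  # expired tokens are dropped, not honoured
            return None
        return username
```

Note that `identify` only answers "who is this token for"; deciding what that user may do is the separate authorization (AuthZ) step.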