(Authentication|Access control|Identification) - AuthN


Authentication is the process that establishes the identity of a user who accesses a resource of an application (page, image,…)

It's abbreviated as AuthN for authentication versus AuthZ for authorization.

The process validates who you are.

The authentication mechanism (a user/password form for instance) starts when the user:

  • needs to access a secured resource such as an admin page
  • starts the authentication process (click on the login page or call the login function)

The system or function that validates the authentication is referred to as an (Identity|Authentication) Provider.

After a user has been authenticated, the session that holds all the navigation context data is updated and goes from a anonymous, to an authenticated state with the user identity.

The next critical aspect in security building is the authorization step.

The process of creating, submitting, and verifying credentials is described simply as authentication, which is implemented through various authentication protocols


Basically, there are three ways to authenticate an individual:

  • by something the person knows,
  • by something the person has,
  • and by something the person is.

All these ways have been used from prehistory until the present day, and they all have different security properties and trade-offs.

More … Authentication Ways - something the person knows, has or is

Multiple Techniques (MFA)

Better authentication systems use two or more methods.

  • An ATM, for example, uses “something the person has”—an ATM card—and “something the person knows”—a PIN. (Then it takes the person’s picture, for audit purposes.)
  • A passport is a physical card that is hard to counterfeit and contains a photograph.
  • The door-locking device may uses both a PIN and a hand-geometry scanner.

See Multi-Factor Authentication (Mfa / 2fa)

Identification is not authentication

Systems that confuse identification with authentication can have significant insecurities.

Some systems use the last four digits of a Social Security number as an authentication code, even though a Social Security number is a public identification number. You can’t change it. You can’t prevent others from having it. It’s a unique identifier, but it’s hardly a secret: a good number to identify me by, but a terrible one to authenticate me by. Your mother’s maiden name is a similarly lousy authentication code.


An Authentication Provider implements the authentication method. See Authentication - (Authentication|Identity) Provider

Documentation / Reference

Task Runner