100% Free Forever
AI-Powered Learning
Industry Expert Content
Certificates & Badges
Learn At Your Own Pace
Cybersecurity

Authentication

BeginnerConcept4.5K learners

Authentication is the process of verifying that a user, device, or system is who or what it claims to be, typically before granting access to a resource. It is distinct from authorization, which determines what an authenticated identity is…

Definition

Authentication is the process of verifying that a user, device, or system is who or what it claims to be, typically before granting access to a resource. It is distinct from authorization, which determines what an authenticated identity is allowed to do, and is commonly implemented via passwords, tokens, biometrics, certificates, or multi-factor combinations of these.

Overview

Authentication answers the question 'who are you?' while authorization (a related but separate concept, often confused with it) answers 'what are you allowed to do?'. A system typically authenticates first, then authorizes based on the verified identity's assigned roles or permissions. Authentication factors are traditionally grouped into three categories: something you know (a password or PIN), something you have (a hardware token, phone, or smart card), and something you are (biometrics like a fingerprint or face scan). Single-factor authentication (typically a password alone) is increasingly considered insufficient given widespread credential leaks and phishing; multi-factor authentication (MFA) combines two or more factor categories to substantially raise the bar for attackers, even if one factor (like a password) is compromised. Modern authentication increasingly favors phishing-resistant methods like passkeys (based on public-key cryptography via WebAuthn/FIDO2), which eliminate shared secrets that can be stolen or reused. At a protocol level, authentication in web and API systems is commonly implemented via session cookies, bearer tokens (like JWTs), OAuth 2.0/OpenID Connect for delegated and federated identity (e.g. 'Sign in with Google'), and SAML for enterprise single sign-on (SSO). These protocols separate the act of proving identity from the ongoing mechanism (a token or session) used to represent that proven identity on subsequent requests. Authentication is foundational to nearly every security model, including Zero Trust, where every request must be authenticated (and continuously re-verified) regardless of network location, rather than trusting a session indefinitely once established.

Key Concepts

  • Verifies identity ('who are you'), distinct from authorization ('what can you do')
  • Factors: knowledge (password), possession (device/token), inherence (biometrics)
  • Multi-factor authentication (MFA) combines factors for stronger security
  • Passkeys/WebAuthn provide phishing-resistant, passwordless authentication
  • OAuth 2.0 and OpenID Connect enable delegated/federated authentication
  • SAML supports enterprise single sign-on (SSO) across applications
  • Session tokens and JWTs represent a proven identity on subsequent requests

Use Cases

Logging into web and mobile applications
API authentication between services using tokens or API keys
Enterprise single sign-on (SSO) across multiple internal applications
Passwordless login using passkeys or biometric authentication
Federated 'Sign in with Google/Apple/Microsoft' flows
Device authentication in IoT and machine-to-machine communication
Step-up authentication for high-risk actions (e.g. confirming a bank transfer)

Frequently Asked Questions

From the Blog