AuthN, short for “authentication”, covers the authentication methods that belong to the field of Identity and Access Management. AuthN is concerned with verifying identity: establishing who a particular human or machine identity is.
AuthN ensures that an identity is who it claims to be. Applications and databases must ensure that identities are valid and that data isn’t exposed to bad actors.
Traditionally, AuthN verifies that you are who you say you are using account credentials, specifically a username and password. When you create an account, your username and password are stored in a database. When you log in to your account, your credentials are checked against that database for verification. It’s as simple as it sounds.
Recent trends are moving away from usernames and passwords toward passwordless authentication. The most common forms of passwordless authentication rely on a physical device or account that uses biometric authentication, such as a face scan or a fingerprint. By adopting biometrics, organizations can vastly reduce the likelihood of a data breach.
Let’s examine other AuthN concepts that expand on how this works in practice.
When you log in to an application, you sometimes stay logged in for an extended period. This is known as a session.
Sessions are enabled by data stored in your web browser, known as cookies. When the app you’re using enables sessions via cookies, it creates and stores a “token,” a string of random characters that it associates with your user information. This token is also stored in the web browser, inside the cookie. When you open a new browser window, the token in the cookie is compared against the one the app holds to ensure you are who you appear to be. Cookies expire after a period pre-determined by the app, destroying the tokens and forcing you to log in again. The longer cookies persist, the longer a stolen token remains usable by an attacker.
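The login-and-session flow described in the preceding paragraphs, as an added example in Python that is not code from the original article: the user store keeps a salted PBKDF2 hash rather than the password itself, a successful check issues a random session token with a server-side expiry, and the cookie that carries the token has HttpOnly, Secure and SameSite attributes plus a Max-Age so that a copy of it is harder to steal and stops working when the app says so. The sample user, iteration count, TTL and the names `SessionStore`, `login` and `session_cookie` are assumptions for illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import time

# Parameters chosen for this example (assumptions). A real service would
# normally use a dedicated password-hashing function such as Argon2 or bcrypt.
PBKDF2_ITERATIONS = 600_000
SESSION_TTL_SECONDS = 15 * 60  # how long a session (and its cookie) stays valid


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Return (salt, hash). Only this pair is stored, never the password."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute the hash and compare in constant time to avoid timing leaks."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


# Constructed user "database": username -> (salt, password hash).
USERS = {"alice": hash_password("correct horse battery staple")}
# Hash checked when the username is unknown, so an attempt costs the same time
# whether or not the account exists (limits username enumeration by timing).
_DUMMY_SALT, _DUMMY_HASH = hash_password(secrets.token_hex(16))


class SessionStore:
    """Server-side session table: random token -> (username, expiry time)."""

    def __init__(self) -> None:
        self._sessions: dict[str, tuple[str, float]] = {}

    def create(self, username: str, now: float | None = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits of randomness, unguessable
        self._sessions[token] = (username, now + SESSION_TTL_SECONDS)
        return token

    def lookup(self, token: str, now: float | None = None) -> str | None:
        """Return the username for a live session, or None if unknown or expired."""
        now = time.time() if now is None else now
        entry = self._sessions.get(token)
        if entry is None:
            return None
        username, expires_at = entry
        if now >= expires_at:
            del self._sessions[token]  # expired: destroy the token server-side
            return None
        return username

    def revoke(self, token: str) -> None:
        """Explicit logout: the cookie value becomes useless immediately."""
        self._sessions.pop(token, None)


def login(store: SessionStore, username: str, password: str, now: float | None = None) -> str | None:
    """Check credentials against USERS; on success issue a session token."""
    salt, expected = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    ok = verify_password(password, salt, expected)
    if not ok or username not in USERS:
        return None
    return store.create(username, now)


def session_cookie(token: str) -> str:
    """Set-Cookie value: HttpOnly (no script access), Secure (HTTPS only),
    SameSite (limits cross-site sending), Max-Age (the expiry the app chose)."""
    return f"session={token}; HttpOnly; Secure; SameSite=Lax; Max-Age={SESSION_TTL_SECONDS}"


if __name__ == "__main__":
    store = SessionStore()
    token = login(store, "alice", "correct horse battery staple", now=1_000_000)
    print(session_cookie(token))
    print(store.lookup(token, now=1_000_000 + 60))    # alice: still valid
    print(store.lookup(token, now=1_000_000 + 901))   # None: expired
```

The `now` parameter exists so the expiry logic can be exercised deterministically; in production it defaults to the clock.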
While AuthN stands for “authentication,” AuthZ stands for “authorization.” The primary difference between AuthN and AuthZ is that AuthN focuses on authenticating “identities,” while AuthZ focuses on authorizing “permissions.”
The most common method of authentication is to ask a user to enter their username and password. As mentioned above, the application checks the username and password against its database to verify the user’s identity.
Given that passwords are easily compromised, multi-factor authentication (MFA) requires additional unique information each time a user attempts to log in. The most common implementation is two-factor authentication (2FA), where a unique code (or “token”) is generated and must be provided in addition to the login credentials. There are two types of these tokens: “soft” tokens delivered by SMS message or generated by an application, and “hard” tokens such as USB security keys. MFA can also employ biometric authentication as an additional layer of security.
A public-key certificate is a method of authentication that uses public-key cryptography to verify that a party holds the private key corresponding to the certificate’s public key. In practice, the identity of web servers is verified this way using Transport Layer Security (TLS): every time you load a web page over HTTPS, TLS uses the server’s public-key certificate to authenticate the website’s identity.
Internet of Things devices and API endpoints also use public-key certificates for mutual authentication, where both the server and the client present a certificate and both are verified.
Learn more about the complex topic of public-key encryption.
Fingerprint, face, and retina scans are biometric methods used to verify the identity of a human. They can be used as part of MFA for enhanced security.
Magic links are a method of identity verification in which a unique web link is sent to you by email or SMS. Clicking the link logs you into the application automatically.
Single sign-on (SSO) is a method of identity verification in which an application lets you log in using credentials from a third party, such as Google, Apple, Facebook, or GitHub, or from enterprise-grade providers such as Microsoft, Okta, and Ping. When you log into an app using SSO, you’re redirected to the third-party service to log in to that account. Once logged in, you’re redirected back to the original application. This method is popular with developers because it simplifies implementing authentication. OAuth is the technical standard that makes SSO possible.
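The redirect round trip just described, written out from the application’s side in OAuth 2.0 terms as an added example (not code from the article or from any provider’s SDK): the app builds the authorization URL with a random `state` so the callback can be tied to the request that started it, attaches a PKCE code challenge (RFC 7636) so an intercepted authorization code cannot be redeemed without the matching verifier, and validates the redirect back before exchanging the code. The endpoint URL, client id, redirect URI and function names are hypothetical.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical identity provider and client registration for this example.
AUTHORIZE_ENDPOINT = "https://idp.example.com/authorize"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://app.example.com/callback"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    """43-character high-entropy verifier that only the client ever holds."""
    return b64url(secrets.token_bytes(32))


def code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def start_login(pending: dict[str, str]) -> str:
    """Build the redirect to the identity provider.
    `pending` maps state -> verifier; in a web app it lives in the user's session."""
    state = secrets.token_urlsafe(16)
    verifier = new_code_verifier()
    pending[state] = verifier
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "profile",
        "state": state,
        "code_challenge": code_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def handle_callback(callback_url: str, pending: dict[str, str]) -> tuple[str, str] | None:
    """Validate the redirect back from the provider. Returns (code, verifier) to
    send to the token endpoint, or None when `state` is missing, unknown or
    already used, which is how a forged or replayed callback is rejected."""
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [None])[0]
    code = query.get("code", [None])[0]
    if state is None or code is None:
        return None
    verifier = pending.pop(state, None)  # one-time use
    if verifier is None:
        return None
    return code, verifier


def server_checks_verifier(stored_challenge: str, presented_verifier: str) -> bool:
    """What the authorization server does at the token endpoint: recompute the
    challenge from the presented verifier and compare it in constant time."""
    return hmac.compare_digest(code_challenge(presented_verifier), stored_challenge)


if __name__ == "__main__":
    pending: dict[str, str] = {}
    print(start_login(pending))  # the URL the browser is redirected to
    # RFC 7636 Appendix B vector: the challenge for this verifier is
    # E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM
    print(code_challenge("dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"))
```

`pending` stands in for per-user session storage; popping the state on first use is what turns a replayed or guessed callback into a rejected one.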