Protecting data generated by your business as well as confidential customer information is vital. Your employees also need to access some of that private data and sometimes proprietary tools and programs needed to do their jobs. The first step to protecting information and applications from fraud or misuse while also providing employees the tools and data they need to do their jobs is authentication.

What Is Authentication?

At a basic level, authentication refers to identifying a user to confirm they are who they claim to be before they are granted access to information resources. A common way to authenticate a user is by using a combination of a username and password. Authentication proves the user is who they say they are — only the user is supposed to know his or her exclusive username and password combination.

Although the traditional username and password combination — also known as user credentials — is still the primary form of authentication, it's just one piece in a larger puzzle of digital security. Secure authentication systems now feature designs to authenticate users using multiple factors, including one-time passwords or biometric markers. This strategy makes it challenging for bad actors to impersonate employees and steal important information.

Key Takeaways

  • Authentication is an essential information security process requiring employees to verify their identities before gaining access to systems, applications or other information.
  • Usernames and passwords have been a primary form of authentication. New forms of authentication supplement user credentials with other factors.
  • By switching to more progressive forms of authentication, businesses can mitigate the effects of credential theft and protect their most critical data.

Authentication Explained

What do you mean by authentication? Authentication verifies a user's credentials. In most cases during onboarding, employees create a username and password to prove their identity and access tools and data they are authorized to use. Providing access control in the form of authentication is a critical step in information security. While the most basic form is a username and password, further efforts can include multi-factor authentication, or even biometric authentication.

Authentication is a way to keep your proprietary and private information secure. It covers everything from access to programs and applications to confidential customer information, and even details on pricing and suppliers.

How Authentication Works

There are different approaches to authentication — traditional user ID and password authentication, multifactor authentication, public key authentication and more. Each type has advantages and disadvantages, and they all have some common attributes.

First, let's talk about the basic setup. When users want to log in to an application or computer system, they input their user ID and password into the requisite form. These details are then sent to an application server, which matches the input credentials against the stored credentials connected to the username. If the two inputs match precisely, the user is free to access the services they're authorized to use.

Sometimes, attackers target authentication servers specifically, which might allow them to intercept passwords as users enter them. To mitigate this possibility, some system administrators use public key authentication. Here, the user generates a key pair — one public key, shared with many services, and one private key that the user keeps secret. Using the private key, the user generates signatures. When the user logs in, a server uses the public key to validate these signatures and authenticate the user.

While public key authentication is secure, it can be inconvenient. And if the key is stored unprotected on your computer and that computer is stolen, the thief can impersonate the user. In general, authentication methods should make it easy for users to log in and difficult for bad actors to log in. They should also avoid single points of failure.

There are several different approaches to authentication, and public key is just one. But there's no silver bullet — the type of authentication should fit the characteristics of an organization as well as the kind of information it's trying to protect.
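
The public key login described above, written out as an added example (not code from the original article): the server sends a random challenge, the user signs it with the private key, and the server checks the signature against the enrolled public key. The challenge step, the choice of Ed25519, the third-party `cryptography` package and all class and function names are assumptions of this example.

```python
import secrets

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey


class Server:
    """Stores only public keys, so a breach of this store exposes no login secret."""

    def __init__(self):
        self.public_keys = {}  # username -> Ed25519 public key
        self.pending = {}      # username -> outstanding challenge bytes

    def enroll(self, username, public_key):
        self.public_keys[username] = public_key

    def issue_challenge(self, username):
        # A fresh random value per attempt means a captured signature
        # cannot be replayed for a later login.
        challenge = secrets.token_bytes(32)
        self.pending[username] = challenge
        return challenge

    def verify(self, username, signature):
        # pop() makes every challenge single-use, whether or not it verifies.
        challenge = self.pending.pop(username, None)
        public_key = self.public_keys.get(username)
        if challenge is None or public_key is None:
            return False
        try:
            public_key.verify(signature, challenge)
            return True
        except InvalidSignature:
            return False


def demo():
    server = Server()
    user_key = Ed25519PrivateKey.generate()  # never leaves the user's device
    server.enroll("jane", user_key.public_key())

    # Legitimate login: sign the server's challenge with the private key.
    challenge = server.issue_challenge("jane")
    signature = user_key.sign(challenge)
    legitimate = server.verify("jane", signature)

    # Replay of the same signature: the challenge was already consumed.
    replayed = server.verify("jane", signature)

    # Someone without Jane's private key signs a new challenge with their own.
    challenge = server.issue_challenge("jane")
    forged = Ed25519PrivateKey.generate().sign(challenge)
    impostor = server.verify("jane", forged)
    return legitimate, replayed, impostor


if __name__ == "__main__":
    print(demo())
```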

Authentication vs. Authorization

Authentication and authorization are often used interchangeably — but there are key differences between the two. As discussed, authentication is a way for users to prove they are who they say they are. Authorization is what users get in exchange for verifying their identities.

For example, warehouse managers successfully authenticating themselves might be authorized to use the tools and data associated with their roles, such as their email client, word processor and enterprise resource planning (ERP) system. They might also then be authorized to view, create and modify specific files. If they need access to other information or programs to do their jobs, something they're not automatically authorized to use, then they need to contact an administrator with a request.

For administrators, user authentication can be a significant problem, especially at large organizations. Ideally, users should be authorized to use only the services required for them to do their jobs — this is what's known as the principle of least privilege. When a user has more permissions than necessary, it can invite abuse, allow theft or make the user an attractive target for bad actors.

Both are resource-intensive information security problems. But there are key distinctions, and this is the difference between authentication and authorization — authentication requires users to prove their identities, and authorization represents the privileges users receive in exchange for validation.

Why Is Authentication Important?

Authentication is important for many reasons, security being foremost. Without authentication, strangers from the public internet would be able to access and modify, copy or delete a company's corporate data and applications. Authentication is one of the processes forming the "perimeter" of the corporate network — it separates proprietary computer systems from the internet at large.

What is the purpose of authentication? Authentication is also necessary because it triggers the authorization process. Authentication establishes the identity of the user, while authorization establishes the user's privileges. When "Bob Smith" authenticates with his credentials, the authorization system links his identity with the role of a junior salesperson, allowing him to access a VoIP application, an email client and the CRM. Bob can't access the firewall, network monitoring controls or security logs, even though he established his identity.

Authentication is also important because it can include measures designed to mitigate identity theft. Let's say Bob steals credentials from the administrator Jane Doe. Some authentication systems would let Bob validate using Jane's credentials, allowing Bob to access secure systems and data. More progressive authentication systems could use a device fingerprinting technique to detect anomalies with the login — for example, Bob might be using a Windows PC, while Jane typically uses a Mac. That would prompt the authentication system to ask for an additional authentication factor, preventing Bob from logging in with Jane's credentials.

How Authentication Is Used

Authentication is applied when someone needs to use a computer system containing information or applications not meant for the public. Typically, this means logging in with a user ID and password, but there are other ways to authenticate. For example, a user might log in with a user ID, a password and a biometric identifier like a retina scan. At a banking website, a user might log in with their bank account number and password. Users might also be asked to authenticate themselves using information such as their Social Security number or driver's license number.

In general, authentication establishes the identity of the user. And the more sensitive the information under guard, the more thorough the authentication process. If people are only trying to access a social media website, for example, they'll probably just need their user ID and password. If they're trying to access their bank account, they might need to enter a one-time pass code sent to a verified phone number. If they're trying to access something like legal documents, then authentication might require a strongly identifying token such as a Social Security number.

Authentication Methods & Levels

Which authentication method is best may depend on a few factors, but some authentication types are much more secure than others. The average user can encounter three types of authentication. What are the three types of authentication? Password-based authentication, two-factor authentication and multifactor authentication. Methods of authentication under this umbrella include biometric authentication, mobile authentication and API-based authentication. What does each of these involve?

  • Traditional authentication

    All users need to provide are usernames and passwords they memorize. There aren't any hedges against password theft — if someone steals the password, he or she can easily impersonate the user.

  • Password-based authentication

    This type is an improvement on traditional authentication. Here, the password is scrambled using a one-way cryptographic algorithm called a hash function, and the resulting hash is stored on an authentication server. When users input their passwords, the input is hashed and compared to the stored hash on the server. Even if an attacker steals the list of hashes, it's much more complicated (if not impossible) for them to discover the user's password from this theft.

  • Two-factor authentication

    Here, users enter their passwords and one additional factor. This type usually takes the form of a one-time password that gets texted to the user's device. By entering this password, the user proves they're in control of the device used to authenticate.

  • Multifactor authentication

    Here, the user must enter an additional factor, but the factor can take many forms. It might be a one-time password, but it could also be a secure USB key, an ID card or a biometric marker.

  • One-time password

    This type is a temporary password. It is used only once and then deleted. These passwords are usually texted or emailed to a user to prove they control the device they're using to log in. Also, these passwords can be created using random-number generator apps. Keep in mind SMS and email are vulnerable to interception.

  • Three-factor authentication

    Unlike multifactor authentication, three-factor authentication requires users to provide two other factors in addition to their password. This might include a one-time password and the last four digits of a Social Security number. Three-factor authentication is used for highly sensitive data and systems.

  • Biometrics

    These are immutable factors serving to distinctively identify a human being — fingerprints, faces and retina scans are all distinct at an individual level and can be used to authenticate a user.

  • Mobile authentication

    This authentication method uses a mobile application to generate a random number which serves as a one-time password.

  • Continuous authentication

    Typically, a user authenticates once and is then authorized. With continuous authentication, a system performs identity checks — such as device fingerprinting — throughout the user's session, ensuring an attacker can't take it over.

  • API authentication

    An application programming interface (API) is a way for two software programs to communicate. API authentication helps prevent attackers from impersonating software programs. API authentication methods include:

    • HTTP basic
      Here, a client application is simply assigned a username and password. These factors are encoded using an HTTP header and automatically transmitted to an authentication server before the client makes a request.

    • API key
      API keys are based on public key authentication. The client application has a private key that generates signatures and a public API key shared with servers. The client adds their signature to the request header, and the server authenticates their identity using its stored public key.

    • OAuth
      Lastly, OAuth lets applications authenticate using a token instead of a password or an API key. That means applications don't have to share any credentials vulnerable to theft.

User Authentication vs. Machine Authentication

Previously, this article has discussed chiefly user authentication — for example, when someone needs to log into a computer system. That is far from the only form of authentication, however. Machines — computers, servers, switches and mobile devices — also need to authenticate themselves to networks before accessing data or services.

Machine authentication is somewhat different from user authentication. Machine authentication often uses the API authentication methods mentioned above. Machines can also make use of certificates permanently stored within their operating systems. These certificates prove, for example, the machine attempting to join the network is a laptop running the latest version of Windows.

This kind of authentication can be helpful because administrators don't want specific machines running on their network. For example, a laptop still running Windows XP would be vulnerable to all kinds of bugs and malware; even if the machine can successfully authenticate itself, it may not be authorized to use services or access data.

Authentication Factors

Previously, we discussed different kinds of authentication — two-factor, multifactor, three-factor and more. So, what's a factor? The short answer is a factor is something the user either knows, owns or is.

  • Knowledge factors
    These include the user's password, mother's maiden name, Social Security number or phone number. A knowledge factor is anything the user has memorized and can use to authenticate.
  • Ownership factors
    Users can also authenticate using things they own. Mobile authentication is an excellent example of this. Users own their mobile devices and can use them to generate a one-time password verifying their identities.
  • Inherence factors
    These factors are inherent to the user and can't easily be stolen or copied. These are typically biometric factors — fingerprints, retina scans, face ID or similar. An attacker might still be able to copy these attributes, but it is not easy.

Authentication Types

What is authentication and types of authentication? Although this article has already covered authentication methods, each method also falls under a different authentication type. There are three primary types of authentication — strong authentication, continuous authentication and digital authentication. Two other authentication types — product authentication and packaging authentication — are valuable but don't primarily relate to information security.

  • Strong authentication
    Any authentication building on the traditional username and password combination is known as strong authentication. Two-factor, three-factor and multifactor authentication are all forms of strong authentication. Even if a user's password is stolen, the one-time password or biometric factor makes the stolen credential nearly worthless.

  • Continuous authentication
    This form of authentication supplements strong authentication and is usually performed behind the scenes. One of the major security challenges is if someone logs into a computer and does not log out or turn the computer off when stepping away from the machine. Continuous authentication is used to make sure the person on the other side is still the person who logged in. How is this done? There are a few methods including presence-based, biometric and behavior-based technology.

  • Digital authentication
    This umbrella term encompasses both strong authentication and continuous authentication, as well as forms of authentication that don't fall under either category. These may include software tokens, public key authentication and hardware tokens such as secure USB drives.

  • Product authentication
    Although unrelated to information security, product authentication serves an essential purpose by protecting consumers from counterfeit goods. Product authentication methods include serial numbers or barcodes that are hard to replicate, making forgery difficult or impossible.

  • Packaging and labeling authentication
    Similarly, packaging and labeling authentication doesn't have much to do with information security, but it does provide traceability from the manufacturer to the retailer. In the case of a recall, these authentication methods can protect consumers from contaminated food and medicine.

History of Authentication

Authentication first appears in recorded history as a stamp — specifically as cylinder seals imprinted on Sumerian clay tablets around 5,500 years ago. These seals were intricately carved stone cylinders that were pressed into clay and rolled. They were often used as signatures signifying that a particular clerk or functionary was giving an order. These cylinder seals were the first method of verifying a person's identity without their presence.

Seals were used for authentication during most of the pre-digital era. Putting a wax seal on a letter would ensure the sender's authenticity — because the seals were challenging to replicate — and they would also prevent tampering. Authentication processes began to evolve with the invention of tools such as radio and the telegraph.

The first computer password was implemented at MIT during the 1960s. This system was intended to allow researchers to reserve time on the university's computer mainframe. Ironically, this system was almost immediately hacked by a researcher who wanted to increase his allotment of research time.

More secure authentication systems were developed in the 1970s. That is when the first hashing algorithms were created. By storing passwords as a cryptographic hash, attackers who stole a list of passwords from a server would find them almost useless.

Finally, the multifactor authentication systems we use today had their origins in the 1980s. Passwords were implemented using a hardware device that generated one-time passwords that were good for a limited time. This hardware standard was an inspiration for many other kinds of multifactor authentication and the OAuth standard used in API authentication.

5 Authentication Best Practices

What are the best practices for authentication? In general, administrators want to make authentication easy to use on the frontend while applying stricter techniques on the backend. When administrators try to make users memorize long lists of complex passwords, users often use the same password for multiple services, which is an insecure practice. What are some other things to understand?

  1. Don't store passwords in plain text
    This best practice is fundamental. When passwords are stored in plain text, anyone who breaks into the authentication server can steal every password belonging to every user. Hash passwords every time.

  2. Allow long and complex passwords
    People usually choose passwords that are easy to guess — their pets' names, their birthdays, their favorite sports teams and more. The antidote is to promote longer and more complex passwords that include numbers and special characters.

  3. Use single sign-on (SSO) where possible
    The more passwords people have, the more likely it is they'll reuse their passwords. That leads to a potential domino effect — if passwords are stolen, the attacker can unlock multiple applications and access more data. Using SSO makes it possible for a user to remember longer and more complex passwords that are harder to steal or guess.

  4. Don't allow unlimited sessions
    Imagine a user logs into an application from a public computer — such as a library computer — and forgets to log out. That means anyone who sits down at a public computer can access their data and services. Fix this by setting limits on session length, automatically logging users out or requiring them to enter their password a second time, regardless of activity or inactivity.

  5. Use MFA judiciously
    Administrators want security, but users want convenience. If the administrator makes users enter a second factor too often, they may shy away from using the system, leading to lower productivity or customer churn. Try to reserve MFA triggers for special cases, especially when authenticating lower-level users.
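
Best practices 4 and 5 combined with the continuous authentication check described earlier, as an added example that is not from the original article: every request is tested against an idle limit and an absolute session limit, and a change of device fingerprint triggers a request for another factor instead of a silent allow. The limits, the fingerprint inputs and all names are assumptions of this example.

```python
import hashlib
from dataclasses import dataclass

IDLE_LIMIT = 15 * 60          # seconds of inactivity before logout (assumed policy)
ABSOLUTE_LIMIT = 8 * 60 * 60  # maximum session age, active or not (assumed policy)


def fingerprint(user_agent: str, platform: str) -> str:
    """Coarse device fingerprint: a hash of client attributes recorded at login."""
    return hashlib.sha256(f"{user_agent}|{platform}".encode()).hexdigest()


@dataclass
class Session:
    user: str
    created: float    # time of the last full authentication
    last_seen: float  # time of the last accepted request
    device: str       # fingerprint captured when the user logged in


def check_request(session: Session, now: float, user_agent: str, platform: str) -> str:
    """Return 'allow', 'step_up' (ask for another factor) or 'logout'."""
    if now - session.created > ABSOLUTE_LIMIT:
        return "logout"   # too old, regardless of activity
    if now - session.last_seen > IDLE_LIMIT:
        return "logout"   # abandoned, e.g. on a shared library computer
    if fingerprint(user_agent, platform) != session.device:
        return "step_up"  # valid session presented from a different device
    session.last_seen = now  # only an accepted request resets the idle timer
    return "allow"


def demo():
    # Constructed sample: Jane logs in from her Mac at t=0.
    mac = ("Safari/17", "macOS")
    windows = ("Edge/120", "Windows")
    jane = Session("jane", created=0, last_seen=0, device=fingerprint(*mac))
    results = [
        check_request(jane, 600, *mac),      # normal activity
        check_request(jane, 700, *windows),  # session reused from a Windows PC
        check_request(jane, 1501, *mac),     # 901 s after the last accepted request
    ]
    # A session kept busy all day still ends at the absolute limit.
    busy = Session("bob", created=0, last_seen=28_790, device=fingerprint(*mac))
    results.append(check_request(busy, 28_801, *mac))
    return results


if __name__ == "__main__":
    print(demo())
```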

Here at NetSuite, we've implemented a flexible authentication system that's convenient and secure for users while offering added protection for administrators. Admins enjoy the security of SSAE 16 (SOC1)/ISAE 3402 Type II audited authentication, while users get the convenience and safety of two-factor mobile authentication. Meanwhile, administrators can easily onboard and offboard users from anywhere they choose to work, ensuring their users are never subject to access creep or identity theft.

Authentication FAQs

How is authentication used?

Most users encounter authentication systems in the form of username and password fields connected to an application or computer system. If the authentication system has reason to suspect a user's credentials are stolen, it may ask the user to enter a one-time password sent via either SMS or email.

How does authentication work?

Once a user sets up their password, it is hashed — transformed into a series of letters and numbers using a one-way cryptographic algorithm — and then stored on the authentication server. Each time the user logs in, the password they enter is subjected to the same algorithm and compared to the stored hash. If the two hashes match, the user is authenticated successfully.