Authentication

Authentication is the process of recognizing a user’s identity. Authentication keeps invalid users out of databases, networks, and other resources. These types of authentication use factors, a category of credential for verification, to confirm user identity.

Types of authentication

i. Single-Factor/Primary Authentication

The most common form of authentication, Single-Factor Authentication, is also the least secure, as it only requires one factor to gain full system access. It could be a username and password, pin-number or another simple code. While user-friendly, Single-Factor authenticated systems are relatively easy to infiltrate by phishing, key logging, or mere guessing.

ii. Two-Factor Authentication (2FA)

Two-factor authentication reinforces security efforts. It is an added layer that essentially double-checks that a user is, in reality, the user they’re attempting to log in as—making it much harder to break.

With this method, users enter their primary authentication credentials (like the username/password mentioned above) and then must input a secondary piece of identifying information.

Possible secondary factors are a one-time password from an authenticator app, a phone number, or device that can receive a push notification or SMS code, or a biometric like fingerprint (Touch ID) or facial (Face ID) or voice recognition.

iii. Multi-Factor Authentication (MFA)

Multi-factor authentication is a high-assurance method, as it uses more system-irrelevant factors to legitimize users. Like 2FA, MFA uses factors like biometrics, device-based confirmation, additional passwords, and even location or behavior-based information (e.g., keystroke pattern or typing speed) to confirm user identity. However, the difference is that while 2FA always utilizes only two factors, MFA could use two or three, with the ability to vary between sessions, adding an elusive element for invalid users.

Authentication protocols

Authentication protocols are the designated rules for interaction and verification that endpoints (laptops, desktops, phones, servers, etc.) or systems use to communicate. 

Selecting the right authentication protocol for an organization is essential for ensuring secure operations.

i. Password Authentication Protocol (PAP)

PAP is the least secure protocol for validating users, due mostly to its lack of encryption. It is essentially a routine log in process that requires a username and password combination to access a given system, which validates the provided credentials.

ii. Challenge Handshake Authentication Protocol (CHAP)

CHAP is an identity verification protocol that verifies a user to a given network with a higher standard of encryption using a three-way exchange of a “secret.”

First, the local router sends a “challenge” to the remote host, which then sends a response with an MD5 hash function. The router matches against its expected response (hash value), and depending on whether the router determines a match, it establishes an authenticated connection—the “handshake”—or denies access.

It is inherently more secure than PAP, as the router can send a challenge at any point during a session, and PAP only operates on the initial authentication approval.

iii. Extensible Authentication Protocol (EAP)

This protocol supports many types of authentication, from one-time passwords to smart cards. When used for wireless communications, EAP is the highest level of security as it allows a given access point and remote device to perform mutual authentication with built-in encryption. It connects users to the access point that requests credentials, confirms identity via an authentication server, and then makes another request for an additional form of user identification to again confirm via the server—completing the process with all messages transmitted, encrypted.