Authentication
Authentication is the process of verifying the identity of a user, device, or system before granting access to resources.
Authentication answers "who are you?" and is distinct from authorization (what can you do).
Authentication factors:
- Something you know: password, PIN
- Something you have: phone, hardware token, authenticator app
- Something you are: biometrics (fingerprint, face)

Authentication methods:
- Username/password (basic, weakest on its own)
- Multi-Factor Authentication (MFA): two or more factors from different categories
- Single Sign-On (SSO)
- Passwordless (FIDO2/WebAuthn, passkeys)
- Certificate-based (mutual TLS, smart cards)

Modern authentication:
- OpenID Connect for identity (an identity layer built on OAuth 2.0)
- OAuth 2.0 for delegated authorization; on its own it is not an authentication protocol
- SAML for enterprise SSO
- Passkeys replacing passwords
Why It Matters
Weak or stolen credentials are among the most common initial access vectors in reported data breaches. Microsoft has reported that enabling MFA blocks more than 99.9% of automated account-compromise attacks, although not all second factors are equal: SMS and one-time codes can be phished or relayed in real time, while FIDO2/passkey credentials are bound to the site's origin and are phishing-resistant. Common compliance frameworks require strong authentication controls, and enterprise customers expect SSO and MFA support as baseline requirements. Moving toward passwordless authentication reduces phishing risk while improving user experience.
Related Terms
MFA is a security mechanism requiring users to provide two or more verification factors from different categories (for example a password plus a hardware token) to gain access, significantly reducing the risk of unauthorized access from a single stolen credential.
SSO is an authentication method that allows users to access multiple applications with a single set of credentials held by one identity provider. It reduces password sprawl and centralizes MFA and session policy, but it also makes that identity provider a high-value target that must itself be strongly protected.
Authorization is the process of determining what actions or resources an authenticated user is permitted to access.
Frequently Asked Questions
What is the difference between authentication and authorization?
Authentication verifies who you are. Authorization determines what you can do after authentication.
Are passwords going away?
Gradually. Passkeys (FIDO2/WebAuthn credentials) and other passwordless methods are increasingly replacing passwords, but most services still retain a password or recovery path, so the transition is incremental rather than a clean cut-over.