What is authentication?
Learn how the identities of people, apps, and services are verified before they’re given access to digital systems and resources.
Authentication is the process that companies use to confirm that only the right people, services, and apps with the right permissions can get organizational resources. It’s an important part of cybersecurity because a bad actor’s number one priority is to gain unauthorized access to systems. They do this by stealing the username and passwords of users that do have access. The authentication process includes three primary steps:
- Identification: Users establish who they are typically through a username.
- Authentication: Typically, users prove they are who they say they are by entering a password (something only the user is supposed to know), but to strengthen security, many organizations also require that they prove their identity with something they have (a phone or token device) or something they are (fingerprint or face scan).
- Authorization: The system verifies that the users have permission to the system that they’re attempting to access.
Why is authentication important?
Authentication is important because it helps organizations protect their systems, data, networks, websites, and applications from attacks. It also helps individuals keep their personal data confidential, empowering them to conduct business, such as banking or investing, online with less risk. When authentication processes are weak, it’s easier for an attacker to compromise an account either by guessing individual passwords or tricking people into handing over their credentials. This can lead to the following risks:
How authentication works
For people, authentication involves setting up a username, password, and other authentication methods, such as a facial scan, fingerprint, or PIN. To protect identities, none of these authentication methods are saved to the service’s database. Passwords are hashed (not encrypted) and the hashes are saved to the database. When a user enters a password, the entered password is also hashed, then the hashes are compared. If the two hashes match, then access is granted. For fingerprints and facial scans, the information is encoded, encrypted, and saved on the device.
Types of authentication methods
In modern authentication, the authentication process is delegated to a trusted, separate identity system, as opposed to traditional authentication where each system verifies identifies itself. There has also been a shift in the type of authentication methods used. Most applications require a username and password, but as bad actors have gotten savvier at stealing passwords, the security community has developed several new methods to help protect identities.
Password-based authentication is the most common form of authentication. Many apps and services require people to create passwords that use a combination of numbers, letters, and symbols to reduce the risk that a bad actor will guess them. However, passwords also create security and usability challenges. It’s difficult for people to come up with and memorize a unique password for each of their online accounts, which is why they often reuse passwords. And attackers use many tactics to guess or steal passwords or lure people into sharing them unwillingly. For this reason, organizations are moving away from passwords to other more secure forms of authentication.
Certificate-based authentication is an encrypted method that enables devices and people to identify themselves to other devices and systems. Two common examples are a smart card or when an employee’s device sends a digital certificate to a network or server.
In biometric authentication, people verify their identity using biological features. For example, many people use their finger or thumb to sign in to their phones, and some computers scan a person’s face or retina to verify their identity. The biometric data is also linked to a specific device, so attackers can’t use them without also gaining access to the device. This type of authentication is increasingly popular because it’s easy for people—they don’t have to memorize anything—and it’s difficult for bad actors to steal, making it more secure than passwords.
In token-based authentication both a device and the system generate a new unique number called a time-based one-time PIN (TOTP) every 30 seconds. If the numbers match, the system verifies that the user has the device.
One-time passwords (OTP) are codes generated for a specific sign-in event that expire shortly after they’re issued. They are delivered via SMS messages, email, or a hardware token.
Some apps and services use push notifications to authenticate users. In these instances, people receive a message on their phone asking them to approve or deny the access request. Because sometimes people accidentally approve push notifications even though they are trying to sign in to the services who sent the notification, this method is sometimes combined with an OTP method. With OTP the system generates a unique number that the user has to enter. This makes the authentication more phishing resistant.
In voice authentication, the person trying to access a service receives a phone call, in which they’re asked to enter a code or identify themselves verbally.
One of the best ways to cut down on account compromise is to require two or more authentication methods, which may include any of the previously listed methods. An effective best practice is to require any two of the following:
- Something the user knows, typically a password.
- Something they have, such as a trusted device that is not easily duplicated, like a phone or hardware token.
- Something the user is, like a fingerprint or face scan.
For example, many organizations ask for a password (something the user knows) and also send an OTP via SMS to a trusted device (something the user has) before allowing access.
Although authentication, sometimes referred to as AuthN, and authorization, sometimes referred to as AuthZ, are often used interchangeably, they are two related but separate things. Authentication confirms that the user signing in is who they say they are, while authorization confirms they have the right permissions to access the information they want. For example, someone in human resources might have access to sensitive systems, such as payroll or employee files, that others can’t see. Both authentication and authorization are critical for enabling productivity and protecting sensitive data, intellectual property, and privacy.
Best practices for authentication security
Because account compromise is such a common way for attackers to gain unauthorized access to a company’s resources, it’s important to institute strong authentication security. Here are a few things you can do to protect your organization:
Implement multifactor authentication
The most important thing you can do to reduce your risk of account compromise is to turn on multifactor authentication and require at least two authentication factors. It’s much more difficult for attackers to steal more than one authentication method, especially if one of those is a biometric or something that a user has on their possession like a device. To make it as simple as possible for employees, customers, and partners, give them a choice of several different factors. Although it’s important to note that not all authentication methods are equal. Some are more secure than others. For example, while receiving an SMS is better than nothing, a push notification is more secure.
Once you set up multifactor authentication, you can even choose to limit the use of passwords and encourage people to use two or more other authentication methods, such as a PIN and biometrics. Reducing the use of passwords and going passwordless will streamline the sign-in process and reduce your risk of account compromise.
Apply password protection
In addition to employee education, there are tools that you can use to reduce the use of easy-to-guess passwords. Password protection solutions enable you to ban commonly used ones like Password1. And you can create a custom list that is specific to your company or region, such as the names of local sports teams or landmarks.
Enable risk-based multifactor authentication
Some authentication events are indicators of a compromise, such as when an employee tries to access your network from a new device or strange location. Other sign-in events may not be atypical but are higher risk, such as when a human resources professional needs to access employee personally identifiable information. To reduce your risk, configure your identity and access management (IAM) solution to require at least two authentication factors when it detects these types of events.
Effective security requires buy-in from employees and other stakeholders. Security policies can sometimes prevent people from engaging in risky online activities, but if policies are too onerous, people will find a workaround. The best solutions accommodate realistic human behavior. Deploy features like self-service password reset to eliminate the need for people to call helpdesk when they forget a password. This may also encourage them to choose a strong password since they know it will be easy to reset if they forget it later. Letting people choose which authorization method they prefer is another good way to make it easier for them to sign in.
Deploy single sign-on
One great feature that enhances usability and improves security is single sign-on (SSO). Nobody likes being asked for a password every time they switch apps and may be encouraged to use the same password across multiple accounts to save time. With single sign-on, employees only need to sign in once to access most or all of the apps they need for work. This reduces friction, and it allows you to apply universal or conditional security policies, like multifactor authentication, to all of the software employees use.
Use the principle of least privilege
Limit the number of privileged accounts based on roles and give people the least amount of privilege necessary to do their jobs. Establishing access control helps ensure that fewer people can get to your most critical data and systems. When someone does need to perform a sensitive task, use privileged access management, such as just-in-time activation with time durations, to further reduce your risk. It also helps to require that administrative activities are only performed on very secure devices that are separate from the computers people use for day-to-day tasks.
Assume breach and conduct regular audits
In many organizations, people’s roles and employment status change regularly. Employees leave the company or switch departments. Partners roll on and off projects. This can be a problem when access rules don’t keep pace. It’s important to ensure that people don’t retain access to systems and files that they no longer need for their job. To reduce the risk that an attacker gets a hold of sensitive information, use an identity governance solution to help you consistently audit your accounts and roles. These tools also help you ensure that people only have access to what they need and that accounts for people who have left the organization are no longer active.
Protect identities from threats
Identity and access management solutions offer many tools to help you reduce the risk of account compromise, however, it’s still smart to anticipate a breach. Even well-educated employees sometimes fall for phishing scams. To catch account compromise early, invest in identity threat protection solutions and implement policies that help you uncover and respond to suspicious activity. Many modern solutions, such as Microsoft Security Copilot, use AI to not only detect threats but automatically respond to them.
Cloud authentication solutions
Authentication is critical to both a strong cybersecurity program and in enabling worker productivity. A comprehensive cloud-based identity and access management solution, like Microsoft Entra, provides you tools to help people easily get what they need to do their jobs while applying powerful controls that reduce the risk that attackers will compromise an account and gain access to sensitive data.
Learn more about Microsoft Security
Microsoft Entra ID
Safeguard your organization with identity and access management (formerly known as Azure Active Directory).
Microsoft Entra ID Governance
Automatically ensure that the right people have the right access to the right apps at the right time.
Microsoft Entra Permissions Management
Get one unified solution to manage the permissions for any identity across your multicloud infrastructure.
Microsoft Entra Verified ID
Decentralize your identities with a managed verifiable credentials service based on open standards.
Microsoft Entra Workload ID
Manage and secure the identities granted to apps and services.
Frequently asked questions
There are many different types of authentication. A few examples are:
- Many people sign in to their phones using facial recognition or a thumbprint.
- Banks and other services often require people to sign in using a password plus a code that’s sent automatically via SMS.
- Some accounts just require a username and a password, although many organizations are moving toward multifactor authentication to increase security.
- Employees often sign in to their computer and gain access to several different apps at the same time, which is known as single sign-on.
- There are also accounts that allow users to sign in using a Facebook or Google account. In this instance, Facebook, Google, or Microsoft is responsible for authenticating the user and passing authorization onto the service the user wants to access.
Cloud authentication is a service that confirms that only the right people and apps with the right permissions can gain access to cloud networks and resources. Many cloud apps have built-in authentication that is cloud-based, but there are also broader solutions, such as Azure Active Directory, that are designed to handle authentication across multiple cloud apps and services. These solutions typically use the SAML protocol to enable one authentication service to work across multiple accounts.
Although authentication and authorization are often used interchangeably, they are two related but separate things. Authentication confirms that the user signing in is who they say they are, while authorization confirms they have the right permissions to access the information they want. Used together, authentication and authorization help reduce the risk that an attacker will gain access to sensitive data.
Authentication is used to verify that people and entities are who they say are before providing them with access to digital resources and networks. Although the primary goal is security, modern authentication solutions are also designed to improve usability. For example, many organizations implement single sign-on solutions to make it simple for employees to find what they need to do their jobs. Consumer services often allow people to sign in using their Facebook, Google, or Microsoft Account to speed up the authentication process.