While encryption is the process of taking all of the data that one computer is sending to another and encoding it into a form that only the other computer will be able to decode, authentication is the process of determining whether someone or something is, in fact, who or what it declares itself to be.
Authentication technology provides access control for systems by checking to see if a user's credentials match the credentials in a database of authorized users or in a data authentication server. The word “authentication” comes from the Greek word “αυθεντικός” (authentikos) which means “real, genuine”.
Basically, if information is "authentic," you know who created it and you know that it has not been altered in any way since that person created it. These two processes, encryption and authentication, work hand-in-hand to create a secure environment. Authentication is important because it enables organizations to keep their networks secure by permitting only authenticated users (or processes) to access its protected resources.
Once authenticated, a user or process is usually subjected to an authorization process to determine whether the authenticated entity should be permitted access to a protected resource or system. A user can be authenticated but fail to be given access to a resource if that user was not granted permission to access it.
The terms authentication and authorization are often used interchangeably but they are two distinct functions. While authentication is the process of validating the identity of a registered user before allowing access to the protected resource, authorization is the process of validating that the authenticated user has been granted permission to access the requested resources. The authentication process always comes before the authorization process.
How user authentication works
During authentication, credentials provided by the user are compared to those on file in a database of authorized users either on the local operating system or through an authentication server. If the credentials match, and the authenticated entity is authorized to use the resource, the process is completed and the user is granted access.
Traditionally, authentication was accomplished in house by the systems or resources being accessed. A server would authenticate users using its own password system, implemented locally, using login IDs (user names) and passwords. Knowledge of the login credentials was assumed to guarantee that the user is authentic. But this is mostly history.
In the modern, distributed environments, encryption is achieved through HTTPS protocol which is stateless. This means that no information is retained by either sender or receiver, which in turn would require end-users to authenticate each time they access a resource using HTTPS. That would be time consuming and would frustrate the users. Instead, protected systems rely on token-based authentication, in which authentication is performed once at the start of a session. The authenticating system issues a signed authentication token to the end-user application, and that token is appended to every request from the client.
Authenticating a user with a user ID and a password is usually considered the most basic type of authentication, and it depends on the user knowing two pieces of information: the user ID or username, and the password. Since this type of authentication relies on just one authentication factor, it is a type of single-factor authentication.
An authentication factor represents some piece of data or attribute that can be used to authenticate a user requesting access to a system. An old security adage has it that authentication factors can be "something you know, something you have or something you are." These three factors correspond to the knowledge factor, the possession factor and the inherence factor.
Knowledge factor: "Something you know." The knowledge factor may be any authentication credentials that consist of information that the user possesses, including a personal identification number (PIN), a user name, a password or the answer to a secret question.
Possession factor: "Something you have." The possession factor may be any credential based on items that the user can own and carry with them, including hardware devices like a security token or a mobile phone used to accept a text message or to run an authentication app that can generate a one-time password or PIN.
Inherence factor: "Something you are." The inherence factor is typically based on some form of biometric identification, including finger or thumb prints, facial recognition, retina scan or any other form of biometric data.
The two-factor authentication (2FA) provides an extra layer of protection and requires that a user provide a second authentication factor in addition to the password. 2FA systems often require the user to enter a verification code received via text message on a preregistered mobile phone, or a code generated by an authentication application.
User authentication vs. machine authentication
Machines also need to authorize their automated actions within a network. Machine authentication is the authorization of an automated human-to-machine or machine-to-machine (M2M) communication through verification of a digital certificate or digital credentials. Machine identities, such as digital certificates, are used in machine authorization are like a form of digital passport providing trusted identification for the purpose of securely exchanging information over the Internet.
A digital certificate, also known as a public key certificate, is used to cryptographically link ownership of a public key with the entity that owns it. Digital certificates are used for sharing public keys to be used for encryption and authentication. Digital certificates include the public key being certified, identifying information about the entity that owns the public key, metadata relating to the digital certificate and a digital signature of the public key created by the issuer of the certificate. The distribution, authentication and revocation of digital certificates are the primary purposes of the public key infrastructure (PKI), the system by which public keys are distributed and authenticated.
Public key cryptography depends on key pairs: one a private key to be held by the owner and used for signing and decrypting, and one a public key that can be used for encryption of data sent to the public key owner or authentication of the certificate holder's signed data. The digital certificate enables entities to share their public key in a way that can be authenticated. The vast majority of digital certificates are issued by a certificate authority (CA). CAs are considered trusted third parties in the context of a PKI. Using a trusted third party to issue digital certificates enables individuals to extend their trust in the CA to the trustworthiness of the digital certificates that it issues.
A digital signature is basically a way to ensure that an electronic document is authentic. The Digital Signature Standard (DSS) is based on a type of public-key encryption method that uses the Digital Signature Algorithm (DSA). DSS is the format for digital signatures that has been endorsed by the U.S. government. The DSA algorithm consists of a private key, known only by the originator of the document (the signer), and a public key. If anything at all is changed in the document after the digital signature is attached to it, it changes the value that the digital signature compares to, rendering the signature invalid.
Types of Digital Certificates
There are three different types of digital certificates used by web servers and web browsers to authenticate over the internet. These certificates are usually referred to as SSL certificates even though the SSL protocol has been superseded by the Transport Layer Security (TLS) protocol.
Domain Validated (DV) certificates offer the least amount of assurance about the holder of the certificate. Applicants for DV certificates need only demonstrate that they have the right to use the domain name. While these certificates can give assurance that data is being sent and received by the holder of the certificate, they give no guarantees about who that entity is.
Organization Validated (OV) certificates provide additional assurances about the holder of the certificate; in addition to confirming that the applicant has the right to use the domain, OV certificate applicants undergo additional confirmation of their ownership of the domain.
Extended Validation (EV) certificates are issued only after the applicant is able to prove their identity to the satisfaction of the CA. The vetting process includes verification of the existence of the entity applying for the certificate, verifying that identity matches official records, verifying that the entity is authorized to use the domain and confirming that the owner of the domain has authorized the issuance of the certificate.
With the increasing number of internet-enabled devices, reliable machine authentication is crucial to enable secure communication for home automation and other internet of things applications, where almost any entity or object may be made addressable and able to exchange data over a network. It is important to realize that each access point is a potential intrusion point. Each networked device needs strong machine authentication and also, despite their normally limited activity, these devices must be configured for limited permissions access as well, to limit what can be done even if they are breached.