
Authentication

Authentication in cybersecurity refers to verifying the identity of a user, device, or system, ensuring that access to resources is granted only to those who are authorized.

Put another way, authentication is about ensuring individuals and systems are who they claim to be before granting them access to resources. It’s the first layer of defense against unauthorized access and plays a critical role in protecting sensitive information.

The four categories of authentication: Traditional, identity-based, modern, and adaptive

There are several authentication strategies, each of which falls into one of four categories: traditional, modern, identity-based, and adaptive authentication. Each strategy offers different solutions and levels of security depending on the context and needs.

Traditional authentication: What it is and how it works

Traditional types of user authentication in IAM typically include methods that rely on knowledge-based factors. The user provides a single factor of authentication to verify their identity: something they know, typically a username and password.

How does traditional authentication work?

Traditional authentication is a straightforward process: the user enters a username (or other identifier) and password into the authentication system, most commonly the login form of a website, application, or operating system. The system then compares the submitted credentials against the record stored for that identifier in its database, and access is granted if they match.
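The comparison step described above, shown as an added worked example that is not code from this glossary or from any product it names. The point a practitioner cares about is what "stored record" should mean: the store never holds the password itself, only a per-user random salt and a PBKDF2-stretched key, and the comparison runs in constant time. The in-memory store, the user names and the iteration count are constructed for illustration.

```python
import hashlib
import hmac
import os

# Assumed parameters for PBKDF2-HMAC-SHA256. The iteration count is chosen for
# illustration; a production deployment should follow current password-storage guidance.
ITERATIONS = 210_000
SALT_BYTES = 16

# Constructed in-memory credential store: username -> (salt, derived key).
# A real system keeps this in a database; the plaintext password is never stored.
USER_STORE = {}

# Fixed salt used only to spend the same effort on unknown usernames, so the
# response time does not reveal whether an account exists.
_DUMMY_SALT = bytes(SALT_BYTES)


def derive_key(password: str, salt: bytes) -> bytes:
    """Stretch the password with PBKDF2 so offline guessing against a leaked store is slow."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(username: str, password: str, store: dict = USER_STORE) -> None:
    """Create the stored record: a fresh random salt plus the derived key."""
    salt = os.urandom(SALT_BYTES)
    store[username] = (salt, derive_key(password, salt))


def verify(username: str, password: str, store: dict = USER_STORE) -> bool:
    """Compare the submitted credentials against the stored record."""
    record = store.get(username)
    if record is None:
        derive_key(password, _DUMMY_SALT)  # same cost as a real lookup
        return False
    salt, stored_key = record
    # hmac.compare_digest runs in constant time, so a mismatch does not leak
    # how many leading bytes of the derived key agreed.
    return hmac.compare_digest(derive_key(password, salt), stored_key)


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    print(verify("alice", "correct horse battery staple"))  # True
    print(verify("alice", "wrong password"))                # False
    print(verify("nobody", "anything"))                     # False
```

Two design choices carry the security weight: a unique salt per user means two users with the same password get different stored keys, and the dummy derivation on an unknown username keeps the "no such user" path as slow as the real one.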

The following are considered methods of traditional authentication:

Password-based authentication: A basic method that uses a username and password to identify a user.

PIN (Personal Identification Number): Similar to passwords, PINs are short numeric codes often used in contexts like mobile device access or ATM transactions. While convenient, they’re less secure if not used with additional protections.

Security questions: Users answer pre-set personal questions to verify their identity, especially during password recovery. This method is relatively weak because personal answers may be guessed or obtained through social engineering.

Single-factor authentication (SFA): Any authentication relying on only one factor — typically a password or PIN — is considered traditional and less secure than modern multi-factor approaches (we’ll get to those below, so keep reading!).

These traditional methods remain foundational in IAM but are increasingly supplemented by modern methods due to their vulnerability to evolving cybersecurity threats.

Modern authentication: What it is and how it works

Modern authentication involves more advanced techniques for verifying identities than traditional authentication. Typically, these techniques leverage multi-factor authentication (MFA) and single sign-on (SSO) technologies.

How does modern authentication work?

Unlike the older, tried-and-true methods we looked at in basic authentication, modern authentication integrates cryptographic methods, secure tokens, and contextual data (like the user’s device and location) to create more secure access methods.

With sophisticated identity verification mechanisms, modern authentication does a better job at protecting against cybersecurity threats and provides a more efficient and secure user experience that has fewer points of friction.

Microsoft’s Entra ID (formerly Azure AD) is an example of modern authentication. Entra ID uses MFA, SSO, and conditional access policies to help businesses secure access to their resources.

Types of modern authentication

Modern types of user authentication in IAM are designed to enhance security and usability by moving beyond traditional, knowledge-based methods. Here are some commonly used modern authentication methods:

Single sign-on (SSO)
Single sign-on (SSO) authenticates a user once, which then allows them to access multiple applications or systems without re-entering credentials. SSO enhances user experience and reduces password fatigue while maintaining security.

Multi-factor authentication (MFA)
Multi-factor authentication is more secure than password-based authentication alone because it needs at least two factors to verify the person’s identity. This is often done using a combination of:

  • Something you know (like a username and password)
  • Something you have (like your phone or a hardware token)
  • Something you “are” (like your fingerprint or facial recognition)

The Cybersecurity and Infrastructure Security Agency (CISA) states that “the use of MFA on your accounts makes you 99% less likely to be hacked.”

Biometric authentication
Uses unique biological traits like fingerprints, facial recognition, retina scans, or voice recognition for authentication. Biometrics are difficult to replicate, making them highly secure, and are widely used in smartphones and physical access controls.

Token-based authentication
Digital tokens (like JWTs or OAuth tokens) are used as proof of identity. This method is commonly used in APIs and web applications, where users authenticate once and are granted a token for ongoing access, improving both security and user experience.

Certificate-based authentication
Relies on digital certificates that use public and private keys for identity verification. Common in enterprise environments, certificates ensure secure, encrypted communication and are often used for VPNs and email encryption.

Passwordless authentication
Passwordless authentication is a newly emerging way to verify identity without using passwords at all. It improves security by reducing the risks associated with password management. Several methods of passwordless are increasingly being adopted, including:

  • One-time passcodes (OTP) sent via email or SMS
  • Magic links sent to an email address that automatically log the user in
  • Authenticator apps that generate time-based passcodes
  • Biometric data or hardware keys (e.g., FIDO2 security keys)

These modern methods are designed to improve security, reduce reliance on passwords, and adapt to users’ needs and behaviors while safeguarding against increasingly sophisticated cyber threats.

Identity-based authentication: What it is and how it works

Identity authentication connects digital identities to verified individuals, minimizing the risk of unauthorized access. It plays a crucial role in safeguarding personal data, managing identity-based access permissions, and ensuring compliance with data privacy regulations.

Facial recognition technology, such as Apple’s Face ID, is a well-known example of identity authentication. It authenticates users by scanning their faces before granting access to their iPhones or applications.

Here are some identity-based authentication methods:

Identity federation
Identity federation enables users to authenticate once using their identity with an identity provider (IDP) and gain access to multiple services without re-authenticating. Federated identity management often leverages standards like SAML or OpenID Connect, allowing users to use one trusted identity across multiple domains.

Identity assertion via OAuth/OpenID connect
Identity assertion protocols like OAuth and OpenID Connect are widely used for third-party logins (e.g., “Sign in with Google”). These protocols verify the user’s identity from a trusted provider, passing an authenticated identity assertion to other applications.
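Token-based authentication (JWTs, described in the modern authentication section) and the OpenID Connect identity assertion above both come down to the same step on the receiving side: the application must validate the signed token before it trusts a single claim in it. The following is an added example, not code from this glossary or from any identity provider, of issuing and validating an HS256 JWT with the checks a relying party needs: a pinned algorithm, the signature, the issuer, the intended audience and the validity window. It assumes a shared secret for signing (real OIDC ID tokens are normally signed with the provider's RSA or EC key and validated against its published public keys); the secret, issuer and audience values are constructed.

```python
import base64
import hashlib
import hmac
import json

# Constructed values for the demo: the provider's signing secret and the two
# identifiers the relying party checks against.
SECRET = b"constructed-shared-secret-for-demo"
ISSUER = "https://idp.example"
AUDIENCE = "glossary-demo-app"


class TokenError(ValueError):
    """Raised when a token fails any validation step."""


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, secret: bytes) -> str:
    """Issue an HS256 JWT (the identity provider's side)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims)
    )
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def verify_jwt(token: str, secret: bytes, issuer: str, audience: str, now: int) -> dict:
    """Validate a JWT the way a relying party must before trusting its claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, payload_b64, signature_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(signature_b64)
    except Exception as exc:
        raise TokenError("undecodable token") from exc
    # Pin the algorithm the verifier expects instead of trusting the header's "alg".
    if header.get("alg") != "HS256":
        raise TokenError("unexpected algorithm")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenError("bad signature")
    # Only after the signature checks out are the claims worth reading.
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("token not intended for this audience")
    if "exp" not in claims or now >= int(claims["exp"]):
        raise TokenError("expired")
    if "nbf" in claims and now < int(claims["nbf"]):
        raise TokenError("not yet valid")
    return claims


def token_status(token: str, secret: bytes, issuer: str, audience: str, now: int) -> str:
    """Return "ok" or the reason the token was rejected; handy for logging decisions."""
    try:
        verify_jwt(token, secret, issuer, audience, now)
        return "ok"
    except TokenError as exc:
        return str(exc)


if __name__ == "__main__":
    now = 1_700_000_000
    token = sign_jwt({"iss": ISSUER, "aud": AUDIENCE, "sub": "alice", "exp": now + 600}, SECRET)
    print(token_status(token, SECRET, ISSUER, AUDIENCE, now))        # ok
    print(token_status(token, SECRET, ISSUER, AUDIENCE, now + 600))  # expired
    print(token_status(token, SECRET, ISSUER, "other-app", now))     # token not intended for this audience
```

The audience check is the one most often skipped in practice: a token that is validly signed by the right provider but issued for a different application must still be rejected, otherwise one application's tokens become usable at another.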

Biometric authentication
This method uses unique biological or behavioral characteristics to authenticate users. Common types of biometric authentication include:

  • Fingerprint scanning
  • Facial recognition
  • Iris or retina scanning
  • Voice recognition
  • Behavioral biometrics (such as typing patterns or gait analysis)

Biometrics provide high security because they are unique to each individual and difficult to replicate.

Certificate-based authentication
Certificate-based authentication relies on digital certificates as proof of identity. Each user or device has a unique digital certificate (usually linked to a public-private key pair), which verifies identity without needing additional credentials. This method is commonly used in enterprise networks, secure emails, and VPNs.

Smart cards and security tokens
These methods involve physical tokens that contain embedded data unique to the user’s identity. Examples include:

  • Smart cards that users insert into a device reader
  • Hardware security tokens like YubiKeys or RSA SecurID tokens

These tokens are “something the user has” and are highly secure because they are tied to a specific user.

Identity-based authentication methods ensure access is tied to unique characteristics or trusted identity assertions, making it difficult for unauthorized users to gain access, even if they obtain other credentials. These methods are especially valuable in environments requiring high security, like corporate networks or sensitive data systems.

Adaptive authentication: What it is and how it works

Adaptive authentication, also known as “risk-based authentication” or “risk-based MFA,” is a dynamic form of MFA. It’s a flexible security approach that tailors the authentication process based on real-time risk assessments.

By analyzing factors like a user’s location, device, behavior, and overall risk profile, it decides whether to grant access and if extra verification is required. For example, detecting an unusual login attempt can prompt additional verification steps. This approach enhances security by proactively addressing potential risks in real-time.

Adaptive authentication and modern authentication are similar in cybersecurity and identity and access management, but they serve different purposes and are implemented in distinct ways.

Adaptive authentication provides several key advantages in our complex digital environment:

  • Enhanced security: By analyzing user behavior, context, and device characteristics, adaptive authentication ensures that access is only provided to legitimate users while effectively preventing unauthorized attempts.
  • Improved user experience: Unlike traditional methods that require multiple security steps for every access, adaptive authentication streamlines the process for trusted scenarios. Users may only face additional steps when an anomaly is detected, making the experience smoother.
  • Real-time threat detection: Adaptive authentication systems can instantly detect and respond to potential threats, adjusting authentication levels to ensure proactive security.

Types of adaptive authentication

An example of adaptive authentication: if a user attempts to access their account from an unfamiliar location or device, the system might prompt them for additional authentication, such as an OTP (one-time password) or biometric verification. Other forms of adaptive authentication include:

Contextual authentication
Contextual authentication is a specialized form of adaptive authentication that evaluates the context of a login attempt — such as time, device type, and network — to determine the appropriate level of security. It balances security and convenience by aligning with the user’s regular behavior patterns. Other contexts could include:

  • Geolocation: Checks whether the user’s current location aligns with their usual login patterns or past locations. If the location seems unusual, the system may ask for extra verification.
  • Device recognition: Determines if the login is coming from a recognized device. Additional authentication steps might be required if the device is unfamiliar or hasn’t previously been used.
  • IP address monitoring: Verifies whether the login originates from a trusted IP address. Suspicious or untrusted IP addresses can prompt further security checks.
  • Time of access: Flags login attempts occurring at odd hours, such as late at night or outside typical activity windows, as potentially risky.
  • Browser and OS fingerprinting: Confirms that the browser, operating system, or user-agent details match what the user typically uses. Any inconsistencies might trigger extra security measures.

Behavioral biometrics
Behavioral biometrics monitors and evaluates unique user actions, like typing speed, mouse movements, or how they navigate a screen. If these behaviors differ noticeably from the usual patterns, the system might request additional verification.

Machine learning and AI-driven risk analysis
Machine learning and AI-driven risk analysis uses AI to analyze historical data and determine risk scores based on factors like login patterns, location, and behavior. If the system detects an anomaly or assigns a high-risk score, it may require additional authentication, such as MFA.

Multi-factor authentication (MFA) triggers based on risk
Adaptive authentication can adjust MFA requirements based on real-time risk assessment. For example, if a login attempt appears low-risk (e.g., from a familiar device in a known location), MFA may not be required. However, if the login appears high-risk, the system may prompt for MFA or escalate to additional security checks.

Step-up authentication
A form of adaptive authentication that only requires higher security (like biometrics or additional factors) when a user attempts to access sensitive resources or high-security applications. For example, accessing payroll information may prompt a fingerprint scan, while general login may not.
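The contextual signals listed earlier in this section (geolocation, device recognition, IP address, time of access, browser/OS fingerprint), the risk-based MFA trigger, and step-up authentication for sensitive resources can all be expressed as one small decision engine. The following is an added example, not code from this glossary or from any IAM product, that scores a login attempt against what is known about the account and returns allow, step up to MFA, or deny. The weights, thresholds, user profile, login contexts and IP ranges are all constructed for illustration; a deployed engine would tune them against real login telemetry.

```python
import ipaddress
from dataclasses import dataclass

ALLOW, STEP_UP, DENY = "allow", "step_up_mfa", "deny"

# Constructed weights and thresholds for the demo.
STEP_UP_THRESHOLD = 25
DENY_THRESHOLD = 60
WEIGHTS = {
    "unrecognized device": 30,
    "unusual country": 25,
    "untrusted network": 15,
    "unusual hour": 10,
    "unusual browser/OS": 10,
}


@dataclass
class UserProfile:
    """What the system has learned about one account's normal logins."""
    known_devices: set
    usual_countries: set
    trusted_networks: list   # CIDR strings, e.g. the corporate egress range
    usual_hours: range       # local hours in which the user normally works
    usual_user_agents: set


@dataclass
class LoginContext:
    """Signals gathered for a single login attempt."""
    device_id: str
    country: str
    ip: str
    hour: int
    user_agent: str


def risk_score(profile: UserProfile, ctx: LoginContext):
    """Compare the attempt with the profile; return (score, reasons) for the audit log."""
    reasons = []
    if ctx.device_id not in profile.known_devices:
        reasons.append("unrecognized device")
    if ctx.country not in profile.usual_countries:
        reasons.append("unusual country")
    addr = ipaddress.ip_address(ctx.ip)
    if not any(addr in ipaddress.ip_network(net) for net in profile.trusted_networks):
        reasons.append("untrusted network")
    if ctx.hour not in profile.usual_hours:
        reasons.append("unusual hour")
    if ctx.user_agent not in profile.usual_user_agents:
        reasons.append("unusual browser/OS")
    return sum(WEIGHTS[r] for r in reasons), reasons


def decide(score: int, resource_sensitivity: str = "normal") -> str:
    """Risk-based MFA trigger plus step-up: sensitive resources always require a second factor."""
    if score >= DENY_THRESHOLD:
        return DENY
    if score >= STEP_UP_THRESHOLD or resource_sensitivity == "high":
        return STEP_UP
    return ALLOW


def evaluate(profile: UserProfile, ctx: LoginContext, resource_sensitivity: str = "normal"):
    """Full pipeline: (decision, score, reasons) for one login attempt."""
    score, reasons = risk_score(profile, ctx)
    return decide(score, resource_sensitivity), score, reasons


# Constructed profile for one user; 203.0.113.0/24 is a documentation range.
ALICE = UserProfile(
    known_devices={"laptop-7f3a"},
    usual_countries={"US"},
    trusted_networks=["203.0.113.0/24"],
    usual_hours=range(7, 20),
    usual_user_agents={"Firefox/Windows"},
)

if __name__ == "__main__":
    usual = LoginContext("laptop-7f3a", "US", "203.0.113.10", 9, "Firefox/Windows")
    print(evaluate(ALICE, usual))            # ('allow', 0, [])
    print(evaluate(ALICE, usual, "high"))    # step-up for a payroll-type resource
    odd = LoginContext("phone-unknown", "BR", "203.0.113.10", 9, "Firefox/Windows")
    print(evaluate(ALICE, odd))              # ('step_up_mfa', 55, [...])
```

Returning the reasons alongside the decision matters for operations: a SOC analyst reviewing a denied or stepped-up login needs to see which signals fired, and the same reasons feed the tuning of weights over time.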

Behavioral analysis for continuous authentication
In some adaptive systems, user behavior is continuously monitored even after initial login, using patterns like browsing habits, mouse movements, and activity patterns to ensure the user remains the same throughout the session.

Adaptive authentication offers a balance between security and user convenience by increasing security measures only when necessary, providing a seamless experience while protecting against unauthorized access.

What are the challenges and industry adoption of adaptive authentication?

Implementing adaptive authentication is easier said than done. Hurdles such as striking a balance between robust security and ease of use, along with managing the costs associated with advanced analytics, can be difficult for some organizations to overcome.

However, the trend is growing rapidly across industries like finance, healthcare, and e-commerce, as these organizations recognize the importance of protecting sensitive information like personal health information (PHI), personally identifiable information (PII), and payment card industry (PCI) data against rising cybersecurity threats.

Ultimately, adaptive authentication — when combined with identity and modern authentication tools — is the optimal solution for secure, flexible, and responsive digital access.

Combining modern, identity, and adaptive authentication

Combining all three methods – modern, identity, and adaptive authentication – creates a comprehensive strategy that effectively protects against various threats.

Identity authentication is all about strong individual verification methods, while modern authentication delivers advanced cryptographic and multi-factor techniques. Adaptive authentication brings continuous, real-time security assessments that adapt based on user context.

Together, these three methods of authentication help organizations secure their systems in a way that is both robust and user-friendly, providing a balance between a frictionless user experience and the highest level of security.
