Basics of Authentication

What exactly is Authentication?

What is Authentication

Simply put, authentication is the process of verifying that a user (or a system) really is who they claim to be when they try to access a resource. Claiming an identity is easy; authentication is the check that backs the claim with evidence. If you've ever had to show an ID before entering a building, that's a form of authentication: the guard compares your claim ("I'm Jane, I work here") against something hard to fake. And if you're not who you say you are, well, that would be rather unfortunate.

Authentication vs Authorization

There is always confusion about the difference between authentication and authorization; some even think they mean the same thing. They do not. Authentication is verifying a user's identity, while authorization is deciding whether an already authenticated user has permission to access a particular resource or perform a certain action. The order matters: a system has to know who you are before it can decide what you are allowed to do, which is why authorization bugs so often hide behind a login that works perfectly.

For example, on the popular messaging app WhatsApp, authentication happens when you sign in with your phone number and the one-time password (OTP) sent to that number. But even once you are authenticated, you will not be allowed to add people to a group chat if you are not an admin of that group, because you have not been authorized to do so. That authorization only exists once someone has made you an admin.

Authentication Factors

An authentication factor is a category of credentials used to verify a user who is trying to access a particular resource (a resource could be a mobile app, a website or an API). The commonly recognised authentication factors are:

  1. Knowledge Factor

    This is an authentication category that is based on what the user knows. For example: a password, a PIN, the answers to security questions, etc. Note that the username or email only identifies the account; the secret that actually authenticates is the password or PIN that goes with it.

  2. Qualities Factor

    This is an authentication factor that is based on what qualities or attributes the user has; in most security literature it is called the inherence factor, "something you are". For example: facial recognition, voice recognition, fingerprint detection, etc.

  3. Possession Factor

    This is an authentication factor that is based on what the user has in their possession, "something you have". For example: a phone that receives an OTP over SMS, an authenticator app on a device that generates time-based codes, or a hardware token / security key that proves it is present.

  4. Location Factor

    This is an authentication factor that is based on where the user is when they try to access the resource. For example: rejecting a login from a country the user has never signed in from, or only allowing access from the corporate network. In practice location is usually treated as a supporting, contextual signal rather than a factor on its own, because an IP address is easy to change with a VPN.

Now you must know that each of these authentication factors can be compromised, or in other words has its own risks. The knowledge factor is compromised when users pick passwords or PINs that are easy to guess, reuse them across sites (so one breach unlocks everything) or type them into a phishing page. The possession factor is compromised when the device the user authenticates with is stolen, or when an attacker takes over the phone number itself (a SIM swap) and receives the SMS codes instead. The inherence factor cannot be rotated the way a password can: a leaked fingerprint stays leaked. And the list goes on. So it is important to know the pros and cons of each factor and to choose the factors appropriate for the kind of resource you are trying to protect.

Multi-Factor Authentication (MFA) vs Two-Factor Authentication (2FA)

Before I continue, I must congratulate you on reading this far, a lot of people do not have this level of attention span.

You might not have heard of MFA, but I'm sure you've heard of 2FA, and after the previous section on authentication factors I'm sure things are starting to click in your head at this very moment. If they're not, that's perfectly fine, let's hop to it.

Two-factor authentication means verifying a user with credentials drawn from two different authentication factors, for example a username and password (knowledge) plus an OTP from an authenticator app or phone (possession).

Multi-factor authentication is the general term: credentials from two or more different factors. 2FA is simply MFA with exactly two factors. What does not count is two credentials from the same factor. A password plus a security question is still single-factor authentication, because both are things the user knows, and whatever defeats the first (a phishing page, a breached database, a friend who knows your mother's maiden name) will usually defeat the second as well. The strength of MFA comes from the attacker having to compromise two unrelated kinds of evidence at once.
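To make the distinction concrete, here is an added example (not code from the original article) in Python. It verifies a knowledge-factor credential (a salted PBKDF2 password hash), a possession-factor credential (a TOTP code as produced by an authenticator app, following RFC 4226/6238), and then counts how many distinct factor categories a login actually satisfied. The user store, the account "alice", her password and the `FACTOR_OF` mapping are all constructed for the example; the TOTP secret is the well-known RFC 6238 test-vector key, so the codes can be checked against the RFC.

```python
import hashlib
import hmac
import secrets
import struct
import time

# --- Knowledge factor: a password, stored as a salted PBKDF2 hash -------------
PBKDF2_ITERATIONS = 200_000  # assumed value for the example; tune to your hardware


def hash_password(password, salt=None):
    """Return (salt, digest). A fresh random salt is generated when none is given."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


# --- Possession factor: a TOTP code from an authenticator app (RFC 4226/6238) --
def hotp(secret, counter, digits=6):
    """HMAC-based OTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret, at=None, step=30):
    """Time-based OTP: HOTP whose counter is the number of 30 s steps since the Unix epoch."""
    at = time.time() if at is None else at
    return hotp(secret, int(at // step))


def verify_totp(secret, code, at=None, step=30, window=1):
    """Accept the current code or one from +/- `window` steps, to tolerate clock drift."""
    if not (code.isascii() and code.isdigit()):
        return False
    at = time.time() if at is None else at
    counter = int(at // step)
    # Evaluate every candidate (no short-circuit) so timing does not leak which step matched.
    matches = [hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-window, window + 1)]
    return any(matches)


# --- Which *category* each credential belongs to (constructed mapping) --------
FACTOR_OF = {
    "password": "knowledge",
    "security_question": "knowledge",
    "totp": "possession",
    "fingerprint": "inherence",  # the article's "qualities" factor
}


def distinct_factors(credentials):
    """Map a set of verified credential names to the factor categories they cover."""
    return {FACTOR_OF[c] for c in credentials}


def is_multi_factor(credentials):
    """MFA means two or more *different* categories, not merely two credentials."""
    return len(distinct_factors(credentials)) >= 2


# --- Constructed in-memory user store (illustration only, not a real system) ---
USERS = {}
_DUMMY_SALT, _DUMMY_DIGEST = hash_password("dummy")  # keeps timing uniform for unknown users


def register(username, password, totp_secret):
    salt, digest = hash_password(password)
    USERS[username] = {"salt": salt, "digest": digest, "totp_secret": totp_secret}


def verified_credentials(username, password, code, at=None):
    """Return the names of the credentials that checked out (empty set for unknown users)."""
    rec = USERS.get(username)
    if rec is None:
        verify_password(password, _DUMMY_SALT, _DUMMY_DIGEST)  # same cost as a real check
        return set()
    passed = set()
    if verify_password(password, rec["salt"], rec["digest"]):
        passed.add("password")
    if verify_totp(rec["totp_secret"], code, at=at):
        passed.add("totp")
    return passed


def login(username, password, code, at=None):
    """Succeed only when credentials from two distinct factors were verified."""
    return is_multi_factor(verified_credentials(username, password, code, at))


# Sample account (constructed). The TOTP secret is the RFC 6238 test-vector key.
register("alice", "correct horse battery staple", b"12345678901234567890")

if __name__ == "__main__":
    now = time.time()
    code = totp(USERS["alice"]["totp_secret"], now)
    print("alice's current code:", code)
    print("login with password + TOTP:", login("alice", "correct horse battery staple", code, now))
    print("password + security question is MFA?", is_multi_factor({"password", "security_question"}))
```

Two details worth noticing. `is_multi_factor({"password", "security_question"})` is `False` even though two credentials were checked, which is exactly the point of the section above. And `verify_totp` deliberately evaluates every candidate code with a constant-time comparison instead of returning on the first hit, so the response time does not reveal anything about the secret.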

Authentication Strategies

As a software engineer, you have several strategies to choose from when implementing authentication. These are the common ones; each will be discussed in more detail in an upcoming article.

  1. Basic Authentication (HTTP Basic: the username and password are sent, base64-encoded, on every request)

  2. Session Based (the server keeps a session record and the browser holds only a session ID, usually in a cookie)

  3. Token Based (the client presents a bearer token, typically in an Authorization header, instead of a cookie)

  4. JWT (JSON Web Tokens: signed tokens that carry their own claims, so the server can verify them without a session lookup)

  5. Single Sign On (SSO: one login at an identity provider grants access to many applications)

  6. OAuth (a delegated authorization framework; for authentication it is usually paired with OpenID Connect)

If you learned something new, or like content like this be sure to leave a like or a comment. Thanks for reading, and see you soon!