
Authentication

The process of verifying the identity of a user, device, or system before granting access to resources or services.

Category: Security Foundations
Also called: "auth", "login", "identity verification", "authn"

Authentication answers the question "Who are you?" It's the first step in access control, followed by authorization (what you can do) and accounting (logging your actions).

Why it matters

  • Without authentication, anyone could access sensitive systems and data.
  • Weak authentication is the root cause of most data breaches.
  • Compliance frameworks (HIPAA, PCI-DSS, SOC 2) require strong authentication controls.
  • Modern zero-trust architectures rely on continuous authentication.

Authentication factors

  • Something you know: Passwords, PINs, security questions.
  • Something you have: Security keys, authenticator apps, smart cards, SMS codes.
  • Something you are: Biometrics like fingerprints, facial recognition, iris scans.
  • Somewhere you are: Location-based verification, IP restrictions.
  • Something you do: Behavioral biometrics like typing patterns.

Common authentication methods

  • Password-based: The most common method but the weakest; vulnerable to phishing and credential stuffing.
  • Multi-factor authentication (MFA): Combines two or more factors for stronger security.
  • Single sign-on (SSO): One login grants access to multiple applications.
  • Certificate-based: Uses digital certificates for mutual authentication.
  • Token-based: JWTs and OAuth tokens presented as bearer credentials for stateless authentication.
  • Passwordless: FIDO2/WebAuthn security keys, magic links, biometrics.

Best practices

  • Implement MFA everywhere, especially for privileged accounts.
  • Use password managers and enforce strong password policies.
  • Prefer phishing-resistant methods like hardware security keys.
  • Monitor for credential stuffing and brute force attacks.
  • Implement account lockout and rate limiting.
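As an added example (not part of the glossary entry), a sliding-window check over constructed login events that applies the last two best practices: it locks an account after repeated failures (brute force), throttles a source IP that fails against many different accounts (credential stuffing), and rejects attempts that arrive while a lock or throttle is in force. The thresholds, the window length, the event tuple layout and the sample events are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events (not real logs): (timestamp, source_ip, username, success).
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:01", "203.0.113.7", "alice", False),
    ("2024-05-01T09:00:03", "203.0.113.7", "alice", False),
    ("2024-05-01T09:00:05", "203.0.113.7", "alice", False),
    ("2024-05-01T09:00:08", "203.0.113.7", "alice", False),
    ("2024-05-01T09:00:10", "203.0.113.7", "alice", False),
    ("2024-05-01T09:00:12", "203.0.113.7", "alice", True),   # correct password, but account is locked
    ("2024-05-01T09:05:00", "198.51.100.9", "bob", False),
    ("2024-05-01T09:05:01", "198.51.100.9", "carol", False),
    ("2024-05-01T09:05:02", "198.51.100.9", "dave", False),
    ("2024-05-01T09:05:03", "198.51.100.9", "erin", False),
    ("2024-05-01T09:30:00", "192.0.2.5", "frank", False),   # one typo, then success: benign
    ("2024-05-01T09:30:20", "192.0.2.5", "frank", True),
]

WINDOW = timedelta(minutes=10)      # assumed sliding window
LOCKOUT_FAILURES = 5                # failures for one account within WINDOW -> lock the account
STUFFING_DISTINCT_USERS = 4         # distinct accounts failing from one IP within WINDOW -> throttle the IP


def _prune(times, now):
    """Keep only timestamps that fall inside the sliding window ending at `now`."""
    return [t for t in times if now - t <= WINDOW]


def analyze(events):
    """Replay events in order; return (locked accounts, throttled IPs, rejected attempts)."""
    fails_by_user = defaultdict(list)   # username -> recent failure timestamps
    fails_by_ip = defaultdict(dict)     # ip -> {username: time of last failure}
    locked, throttled, rejected = set(), set(), []
    for ts, ip, user, ok in events:
        now = datetime.fromisoformat(ts)
        if user in locked or ip in throttled:
            rejected.append((ts, ip, user))   # enforce lockout / rate limit before any credential check
            continue
        if ok:
            continue
        fails_by_user[user] = _prune(fails_by_user[user], now) + [now]
        if len(fails_by_user[user]) >= LOCKOUT_FAILURES:
            locked.add(user)                  # brute force pattern: one account, many failures
        fails_by_ip[ip][user] = now
        recent_users = {u for u, t in fails_by_ip[ip].items() if now - t <= WINDOW}
        if len(recent_users) >= STUFFING_DISTINCT_USERS:
            throttled.add(ip)                 # credential stuffing pattern: one IP, many accounts
    return locked, throttled, rejected
```

In production the counters would live in shared storage (for example a cache keyed by account and by IP) so that all login servers enforce the same lock and throttle state.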