Authentication

What’s Authentication all about?

Sure, we’ll get to what authentication, also called Authn, actually means. But before that, let’s establish the context by understanding why and where it’s needed. Some of you might think the reverse approach is more logical. Maybe, but let’s just get on with it.

So, more often than not, websites and mobile applications these days ask you to sign in with your email address or your Facebook account. Each of these has its own terminology and concept, covered in separate chapters. Nevertheless, why do websites ask you to sign in? It wasn’t the case a decade ago. Tectonic shifts in digital business have made it imperative for companies to focus on interacting with customers through digital channels rather than relying completely on the traditional offline route. To ensure that customers and businesses can interact through the website or mobile application, companies need to authenticate them. By authenticating visitors, businesses make sure the people at the other end are recognized and real. Both are necessary conditions for a useful customer interaction.

What actually is Authentication?

Let’s go over the basic process of signing in, since everyone has surely signed in somewhere and is familiar with it. For instance, say you want access to your Gmail account. There are a billion accounts on Gmail, which means a billion different inboxes. When you want to open your inbox, Gmail must work out which inbox belongs to you. It does that through your unique email address and password. The right combination unlocks your inbox, and this unlocking is precisely the process of authentication. When you present your credentials to Gmail, it checks them against what is stored on its servers. If there is a match, you go through; technically, you are authenticated. Of course, it doesn’t end with simple matching. There’s a lot more to it than that. But at the basic level, this is a good understanding of authentication.

Authentication vs Authorization

If you have heard of authentication, you surely would have heard of Authorization. A lot of people get confused between the two. But think of it this way: if authentication is the first step, authorization is the step that follows it. Let’s imagine a situation. There’s a business with an internal network on which certain resources are stored. But not all employees have access to all resources. Access depends on hierarchy. The CEO would have access to all resources, but mid-level employees only have access to certain resources. However, all employees - by virtue of being employees of the company - are able to log in to the network using the credentials provided to them by the company. The process of an employee logging into the network is the authentication or Authn step. Deciding which resources to make available to the logged-in employee is the authorization or Authz step. Once authenticated, the employee can be recognized, since that’s the purpose of authentication. If the authenticated employee is the CEO, the authorization step decides that he or she should be granted access to all of the network resources. That’s the difference between authentication and authorization. Of course, it goes without saying that both authentication and authorization follow multiple different protocols. The key is not to confuse the two.
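As an added example (not from the original article), here are the two steps side by side in Python: the authentication step compares the presented password against a salted PBKDF2 hash stored per user, and a separate authorization step maps the authenticated user's role to the resources it may use. The user records, roles and resources are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 100_000  # PBKDF2 work factor; raise it for production use

def make_record(password: str, role: str) -> dict:
    """Store a random salt and a PBKDF2-SHA256 hash, never the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest, "role": role}

# Constructed user store for the example.
USERS = {
    "ceo@example.com": make_record("correct horse battery staple", "ceo"),
    "dev@example.com": make_record("a-different-long-passphrase", "staff"),
}

# Constructed authorization policy: the resources each role may use.
ROLE_RESOURCES = {
    "ceo": {"payroll", "board-minutes", "wiki", "source-code"},
    "staff": {"wiki", "source-code"},
}

def authenticate(email: str, password: str) -> Optional[dict]:
    """Authn step: re-derive the hash from the presented password and compare
    it with the stored one in constant time. Returns the record or None."""
    record = USERS.get(email)
    # Run the KDF even for unknown e-mail addresses so response timing does
    # not reveal which accounts exist.
    salt = record["salt"] if record else os.urandom(16)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    if record is None or not hmac.compare_digest(candidate, record["hash"]):
        return None
    return record

def authorize(record: dict, resource: str) -> bool:
    """Authz step: a separate decision, taken only for an authenticated user."""
    return resource in ROLE_RESOURCES.get(record["role"], set())

def can_access(email: str, password: str, resource: str) -> bool:
    """Authn first, then Authz: both must succeed for the resource to be served."""
    record = authenticate(email, password)
    return record is not None and authorize(record, resource)
```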

Can authentication be a strong mechanism?

This is an important question. In a brick and mortar store, the owner sees you physically and can recognize you as a legitimate person. In simple stores, the only preconditions are that you are a person and you have enough cash on you. If you are opening a bank account, being physically present at the bank is a necessary condition but not a sufficient one. You must also present some documents to support your identity and let the bank recognize you as a legitimate person. But on the internet, the opposite party - like Gmail or Facebook or any business website - can’t see you or recognize you directly. This is why there is an authentication step in place. But is authentication strong enough to boldly claim that the authenticated person is really the same person and not some impostor?

Currently, authentication systems broadly use password-based logins. For low-value accounts, this works. Of course, if someone else learns your username and password, they can log in to your account. That’s the problem with password-based authentication. And so authentication mechanisms are now getting stronger by adding other factors. The most common is multi-factor authentication. You present your username and password, but that’s not enough to log you in. The second layer consists of a PIN or a security code sent directly to your phone or email, which is required to finally sign you in. The probability that someone has both your credentials and access to your phone or email is much lower, hence better security. Such measures are usually employed for high-value accounts, though two-factor authentication methods are being employed for some low-value accounts as well. Even for accounts like email and social networking, some environmental data, such as the most commonly used device, is being recorded so that the account holder can be notified of abnormal activity. This is generally just stronger authentication. But in spite of all these measures, an online account can never be truly secure and unbreachable. Only the probability of a breach can be reduced. You will have recognized by now that the purpose of authentication is to recognize a person based on available data. This data is what makes the process secure.
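As an added example (not from the original article), this Python sketch shows the second layer described above: after the password check passes, a one-time code is issued to be sent to the account holder out of band, and it is accepted only while unexpired, only a limited number of times, and only once. Delivery by SMS or email is outside the example; the in-memory store, time-to-live and attempt limit are constructed values.

```python
import hmac
import secrets
import time
from typing import Optional

CODE_TTL_SECONDS = 300  # a sent code stays valid for five minutes
MAX_ATTEMPTS = 5        # discard the code after this many wrong guesses

# Constructed in-memory store of pending second-factor codes, keyed by account.
_pending = {}

def issue_code(account: str, now: Optional[float] = None) -> str:
    """Create a random 6-digit code for out-of-band delivery. The code is
    returned so the caller can hand it to the delivery channel; issuing a new
    code replaces any earlier one, so only one code is live per account."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(1_000_000):06d}"
    _pending[account] = {"code": code, "expires": now + CODE_TTL_SECONDS, "attempts": 0}
    return code

def verify_code(account: str, presented: str, now: Optional[float] = None) -> bool:
    """Accept the code only if it is unexpired, the attempt budget is not
    exhausted and it matches. The code is consumed on success and discarded
    on expiry or after too many failures, so it cannot be guessed at leisure."""
    now = time.time() if now is None else now
    entry = _pending.get(account)
    if entry is None:
        return False
    if now > entry["expires"]:
        del _pending[account]
        return False
    entry["attempts"] += 1
    if entry["attempts"] > MAX_ATTEMPTS:
        del _pending[account]
        return False
    if not hmac.compare_digest(entry["code"], presented):
        return False
    del _pending[account]  # one-time use
    return True
```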

What are authentication methods?

There are several authentication methods in use. Some are dated now and used by only a few. Methods like Kerberos and NTLM are still used but are not the buzzwords in the world of authentication today. We’ll briefly mention some types of authentication from the point of view of businesses and customer experience. It has become imperative for businesses to provide Social Login to their customers, so they can bring their own identities and don’t have to remember another username and password, or Single Sign-On, so they can use the same identity across multiple properties. A common idea across these is the use of a single identity across multiple properties and platforms without asking the customer to log in multiple times. For this purpose, there are several methods, such as SAML authentication. The single identity is the property of the identity provider, whereas the properties where that identity is used are the service providers. Authentication is carried out only once and subsequent logins are managed through SAML. In some cases, JSON Web Tokens are used instead. These are essentially token-based authentication systems. Authentication methods are many in number, which makes it hard to explain all of them in a limited space like this. Suffice it to say that token-based authentication is something in vogue now.