Authentication serves as a digital counterpart to the physical identity documents we use daily, such as passports, driver's licence, or ID cards. It serves as a foundational security feature in computer systems, verifying the identities of users, devices, or other entities. The role of an authentication system is to operate as a gatekeeper, deciding whether provided credentials are sufficient for access.

This process is familiar to anyone who logs into a workstation, enters a password on a mobile phone, or accesses services on servers, networks, and IoT devices. It also extends to the numerous mobile and web applications we use daily, both in personal and professional contexts.

Effective authentication systems are essential for maintaining secure access to digital resources. When these systems fail, they can potentially allow unauthorised access, leading to significant security breaches. Therefore, developers of these systems constantly work to balance user-friendliness with robust security measures. Over the years, authentication techniques have evolved from simple passwords to advanced, more secure passwordless alternatives like passkeys.

This article will delve into various authentication methods and protocols, offering an in-depth look for developers and CTOs keen on bolstering their security practices.

Authentication vs Authorization, What is the difference?

Though often used interchangeably, authentication and authorization represent distinct facets of access control in systems and applications. Both are essential, and they function complementarity to secure applications and systems.

Authentication: The Gatekeeper

Authentication is the first step in the security process. It acts as a gatekeeper by confirming a user's identity. This is typically achieved through methods like passwords, biometrics, or multi-factor authentication.

Authorization: Defining Access Levels

Once a user's identity is verified, authorization comes into play. This second step determines the level of access the user has within a system or application. Authorization specifies what users can do and which resources they can access, dictating permissions and roles.

In Summary

• Authentication verifies the identity of a user.
• Authorization determines the permissions a user has, influencing the operations they can perform and the resources they can access.

For those looking to delve deeper, further information on authorization protocols such as JWT (JSON Web Tokens) and access control mechanisms like RBAC (Role-Based Access Control) can be explored to enhance understanding and application of these concepts in your projects. 

Authentication Methods

Authentication methods vary widely, each suited to different contexts and requirements. Some methods are ideal for logging into workstations, while others are optimised for mobile devices or for authenticating servers and devices. Below, we explore some of the prevalent authentication techniques in use today.

Password based authentication

When most people think of authentication, password-based methods are typically what come to mind first. This method has deep roots in the history of computing, dating back to the 1960s with its use in the Massachusetts Institute of Technology’s Compatible Time-Sharing System (CTSS).

Initially, these systems were quite rudimentary, with passwords stored in plaintext. This simplicity, however, set the foundation for the advanced password-based authentication systems we rely on today. Modern implementations have evolved significantly, incorporating encrypted passwords, salted hashes, and multi-factor authentication to bolster security.

This evolution reflects the ongoing effort to adapt authentication methods to the changing landscapes of security threats and technological advancements. Each method has its strengths and is continually refined to ensure it meets the security needs of contemporary applications. 

Biometric Authentication 

Biometric authentication is a security process that relies on the unique biological characteristics of an individual to verify that they are who they say they are. This method of authentication is considered more secure than traditional methods like passwords and PINs because biometric traits are extremely difficult to replicate or steal compared to a password that can be guessed or hacked.

Here are some of the most commonly used forms of biometric authentication:

• Fingerprint Scanning: One of the most widespread and accepted forms of biometric authentication, used in everything from smartphones to high-security environments. It scans the ridges and valleys of a fingerprint to create a digital representation.
• Facial Recognition: This method uses the facial features of an individual to create a digital model, which is then used for verification purposes. Advancements in this technology, including 3D mapping and deep learning, have significantly increased its accuracy and reliability.
• Iris Recognition: Recognized for its high level of security, iris recognition scans the unique patterns in the coloured ring of an individual's eye. It is commonly used in critical security applications.
• Voice Recognition: This method analyses the voice patterns of an individual, including pitch, cadence, and tone. Voice recognition can be used for both authentication and user interface interaction.
• Hand Geometry: This form measures and records the shape, size, and structure of an individual’s hand. Hand geometry is relatively easy to use and has been employed in a variety of applications.
• Vein Recognition: A less common but highly secure technology that maps the vein patterns beneath the skin. This method is considered very secure due to the difficulty in replicating another person's vein pattern.

The process of biometric authentication involves several steps:

1. Enrollment: The first time a user sets up biometric authentication, the system records basic data about the specific trait (like a fingerprint or face scan). This data is transformed into a digital format and stored on a secure server or locally on the user’s device.
2. Capture: When authentication is required, the system captures a new sample of the biometric trait.
3. Extraction: Unique data is extracted from the captured sample and converted into a digital format.
4. Comparison: The new biometric data is compared to the stored data. If there is a match, access is granted.

Biometric authentication has very high security as it relies on unique traits and is also very convenient to use as you do not need to remember passwords. However, The storage and use of biometric data raise significant privacy issues. There is a risk of misuse if sensitive biometric data is compromised.

Where this authentication method where used in sectors with high security concerns, Smartphones have taken it to the public where it has increased in popularity because of its ease of use.

Smart card authentication

Smart cards are an example of hardware based authentication.

WIth this method the user's identity is verified using a smart card, which is a physical token typically similar in size and shape to a credit card. Smart cards are embedded with an integrated circuit chip that can process data. This capability allows the smart card to store information securely and to interact with a smart card reader to perform cryptographic operations. 

The process of smart card authentication typically involves several key steps:

1. Smart Card Issuance: The user is issued a smart card, onto which their credentials and other necessary security information are securely loaded. This information often includes a digital certificate, encryption keys, or even biometric data.
2. Card Reader Interaction: When authentication is required, the user inserts their smart card into a smart card reader or brings it into proximity if it is a contactless card.
3. Credential Verification: The smart card and the reader communicate to verify the user’s credentials. This is typically done using a PIN that the user enters (something they know), which unlocks the card to reveal secret information (something they have).
4. Cryptographic Processing: The card performs cryptographic operations such as generating a digital signature or encrypting/decrypting data to authenticate the user to a system. This step often involves a challenge-response mechanism where the card must prove it knows certain information without actually revealing it.
5. Authentication Confirmation: Once the process is successfully completed, access is granted. If there is any discrepancy in the credentials or the cryptographic operations fail, access is denied.

The security benefit of smart cards is that no data can be intercepted as it keeps sensitive data on the card.

Smart card authentication is widely used in corporate environments, government, and military settings, where security is a high priority, and also for personal identification schemes, such as national ID cards or passports. Its ability to combine physical token security with cryptographic techniques makes it a robust choice for ensuring secure access to systems and facilities.

Electronic identification (E-ID)

Electronic Identification, or E-ID, serves as a digital counterpart to official identification documents. It's primarily employed by banks and public authorities to authenticate individuals' identities over the internet. This method is crucial for conducting official transactions, signing documents, managing medical records, and accessing various government services.

Different countries have adopted E-ID systems under various names, tailoring them to their specific regulatory and technological environments. Some notable examples include:

• BankID: Widely used in Norway and Sweden for secure digital transactions, healthcare, and government service.
• DigiID: Utilised in the Netherlands to facilitate citizen interactions with government services.
• eIDAS: A framework deployed across the European Union to ensure secure and mutual recognition of electronic identifications.
• Aadhaar: India’s approach to providing a unique identity number to every resident.
• SingPass: Singapore's method for accessing a wide range of government services online.
• GOV.UK Verify: The United Kingdom’s platform for proving one’s identity when using government services.
• SPID: Italy’s system for accessing public administration services.
• Mobile-ID: Used in Estonia and Lithuania, integrating mobile technology for secure personal identification.

E-ID aims to replicate the trustworthiness of physical IDs in the digital realm. It has proven highly effective in streamlining and securing access to public digital services in numerous countries. By offering a reliable means of digital identification, E-ID systems significantly enhance the convenience and security of online interactions between governments, businesses, and citizens.

Passkeys

Passkeys are a new form of user authentication designed to replace traditional passwords with a more secure and user-friendly solution. Developed as part of the broader push towards a passwordless future, passkeys aim to provide a secure way to authenticate users by relying on cryptographic techniques. They are supported by major technology companies and standards organisations like Apple, Google, Microsoft, and the FIDO Alliance.

The key feature of passkeys is that it is completely passwordless and the authentication is done with a cryptographic keypair where the server sends a challenge directly to your device which will be signed with you private key. This signed challenge is then sent back to the server for verification with a public key.

Although not widely adopted yet, passkeys has combined user friendliness with high security and it is an alternative that in the future will replace the traditional password based methods.

Two Factor Authentication and Multi Factor Authentication (MFA)

Two factor authentication(2FA)

Two factor authentication(2FA) also known as two-step verification you enhance the security of your system by requiring two types of  evidence that the user is who they claim to be. This makes unauthorised access to accounts significantly more difficult.

2FA requires two different factors from the following categories:

1. Something You Know: This is usually a password or PIN. It's a piece of information that the user is expected to remember.

2. Something You Have: This could be a physical token like a security key, a smart card, or a mobile device that can receive a text message or run a dedicated authentication app.

3. Something You Are: This refers to biometric identifiers, such as fingerprints, facial recognition, or iris scans.

In a typical 2FA setup, the user will first enter their username and password. Then, as a second step, they will be required to provide the second factor. For example, after entering a password, the system might prompt the user to enter a code sent via SMS to their mobile phone or generated by an authentication app.

Here are some examples of common 2FA implementations

• SMS-based 2FA: Sends a code to the user's registered phone number via text message.
• Authenticator Apps: Apps like Google Authenticator, Microsoft Authenticator, or Authy generate time-sensitive codes.
• Hardware Tokens: Devices that generate codes at the push of a button or that must be plugged into a computer (e.g., YubiKey).

The main advantage of 2FA is enhanced security. By requiring two types of information, it becomes much harder for potential intruders to gain unauthorised access, even if they have stolen your password.

2FA is widely recommended as an essential security measure for protecting sensitive personal and business accounts, especially those exposed to the internet. It's particularly crucial for banking, email, and social media accounts where unauthorised access could lead to significant harm or privacy breaches.

Nowadays It is also common that security certifications such as ISO27001 require 2FA in their audit protocol.

Multi factor Authentication(MFA)

MFA is an enhancement over 2FA where additional steps are required to authenticate. 

In addition to the three categories mentioned above for 2FA the following two can be mentioned:

Somewhere You Are: This less common factor involves location-based authentication. It could restrict access to a system based on the geographic location from which the access attempt is being made, verified through GPS or IP address.

Something You Do: This involves patterns of behavior that are unique to the individual, such as typing speed, the angle at which the device is held, or mouse movements. This is also part of behavioral biometrics.

Although additional steps make the Authentication more secure it might also cause friction in the user experience. Especially if the authentication method uses the categories somewhere you are and something you do. These might force you to redo the authentication process when you are on the move and temporarily have irregular usage patterns. Something that can disturb users significantly while they are using a service or system.

Authentication for Web and mobile applications

Different authentication methods are suited for various platforms, particularly when distinguishing between web and mobile applications. Selecting the right method can significantly enhance both security and user experience.

Web Applications

For desktop web applications, password-based authentication remains a staple, often bolstered by two-factor authentication (2FA) to add an additional layer of security. However, the future looks promising for passkeys, which are anticipated to bring substantial improvements in security and usability in the coming years.

Mobile Applications

Mobile devices offer a unique opportunity for employing biometric authentication. This method is highly advantageous as it reduces user friction and greatly improves security. Features like fingerprint scanning, facial recognition, and iris scanning make accessing mobile apps quicker and more secure.

E-ID Solutions for Robust Authentication

In cases where robust authentication is essential, such as in financial transactions or accessing sensitive personal data, Electronic Identification (E-ID) solutions are highly recommended. For example, in Sweden, services like banking, trading, and reseller platforms commonly utilize the E-ID solution Bank-ID, which provides a secure and verified method of user authentication.

Overall, the choice of authentication method should be aligned with the specific requirements and context of the application to ensure optimal security and user experience.

Social login

You might have heard the term Social logins. This term refers to allowing users to access applications using their existing accounts from social platforms or major technology companies. This method simplifies the login process by eliminating the need to create new account credentials specifically for your application.

How Social Logins Work

By integrating your application with providers like Apple, Microsoft, Meta, Google, LinkedIn, and others, you can leverage their robust security measures while reducing the effort required for users to sign up and log in. This not only enhances user convenience but also benefits from the advanced security protocols these large companies maintain.

Technical Foundations

Social logins are supported by modern authentication protocols such as OAuth 2.0 and OpenID Connect (OIDC). These protocols ensure that the authentication process is secure and that users’ data is handled appropriately, allowing for safe and efficient user authentication and authorization.

Incorporating social login into your application can significantly enhance user experience by minimizing barriers to entry and leveraging the trust and security established by major technology providers.

Authentication Protocols

Authentication protocols is procedures that can be followed to ensure a secure communication during authentication and authorization. The list of all protocols can be extensive. Here are some of the widely used protocols.

• Kerberos: A network authentication protocol designed to provide strong authentication for client/server applications by using secret-key cryptography.
• LDAP (Lightweight Directory Access Protocol): While primarily a directory service protocol, it is often used for authenticating and authorizing users.
• SAML (Security Assertion Markup Language): An XML-based framework for exchanging authentication and authorization data between security domains, typically used for single sign-on (SSO) for web applications.
• OAuth: An open standard for access delegation, commonly used as a way for Internet users to grant websites or applications access to their information on other websites but without giving them the passwords.
• OpenID Connect (OIDC): A simple identity layer on top of the OAuth 2.0 protocol, allowing clients to verify the identity of the end-user based on the authentication performed by an authorization server.
• SSH (Secure Shell): Not only a protocol but also includes mechanisms for authentication, ensuring secure access to remote servers.
• SSL/TLS (Secure Sockets Layer/Transport Layer Security): Protocols for establishing authenticated and encrypted links between networked computers, though not exclusively authentication protocols, they handle authentication during the handshake process.
• PAP (Password Authentication Protocol): A simple, plaintext password authentication scheme which is widely used in dial-up connections, although it is vulnerable to interception.

Practical Examples of Authentication Implementation

One effective way to understand and master various authentication methods and protocols is to examine their real-world implementations. There are numerous resources available tailored to specific programming languages and frameworks, which can be incredibly helpful.

For those interested in newer authentication methods like passkeys, exploring detailed guides and posts can be very enlightening. For instance, you might check out our post on Nblocks for implementing passkeys in Next.js frameworks. These articles provide practical insights and also direct you to further reading on the topic.

Additionally, the Google Developers guide for passkeys offers a comprehensive look at how to integrate this modern authentication solution effectively.

For traditional methods like password-based authentication you can find a practical example using Spring Security, which demonstrates how to implement this method in a robust and secure manner.

By reviewing these examples and guides, developers can gain a deeper understanding of how different authentication technologies are applied in various contexts. This hands-on approach not only enhances learning but also aids in the practical application of these technologies in your projects.

Authentication in Microservices and APIs

Authentication plays a crucial role not only for human users but also within system architectures where components need to communicate securely. This includes scenarios where developers connect to external API services or when different parts of a microservice architecture interact.

Utilising OAuth 2.0 for Modern Authentication

A contemporary approach to handling these authentication challenges is through OAuth 2.0 flows. In this model, authentication is performed using client IDs and client secrets. Once authenticated successfully, an access token—often a JSON Web Token (JWT)—is issued. This token is then used for authorising subsequent requests across the service.

API Keys: A Simpler, Yet Less Secure Method

Another common method is the use of API keys. These are secret tokens included in HTTP request headers and are straightforward to implement. However, they pose a security risk since they are static; if an API key is intercepted, it can be exploited by unauthorised parties.

Mutual TLS for Enhanced Security

For situations requiring robust security, where both the client and server must authenticate each other, Mutual TLS (Transport Layer Security) is highly effective. In this setup, both the client and the server present certificates to prove their identities. This method is particularly favoured in high-security environments as it ensures a very high level of trust and security, confirming that both parties are indeed who they claim to be.

Overall, the choice of authentication method in microservices and APIs should align with the specific security requirements and operational contexts of the application, balancing ease of implementation with the need for robust security.

Our article about microservice authentication and authorization patterns explain their benefits and when to use them.

Further Reading and Continuous Learning

Authentication technologies have undergone rapid evolution in recent years, shifting from traditional password-based systems to more secure and user-friendly alternatives like passkeys. This transition reflects broader trends in cybersecurity, emphasising stronger security measures and enhanced convenience for users.

As a developer, staying informed and proficient in the latest authentication strategies is crucial. There are numerous authentication methods and protocols to explore. Depending on your preferred learning style, you might choose to dive into detailed documentation or engage directly with practical implementations to deepen your understanding of these technologies.

In addition to mastering authentication, it's essential to familiarise yourself with authorization processes. Authentication and authorization are complementary security measures—while authentication confirms identity, authorization determines access levels. Understanding both is vital for developing secure applications.

The best way to keep learning is to stay curious, read up on the latest trends, participate in developer forums and experiment a lot with code.

‍