One way authentication vs two-way authentication

Question

I'm studying for the Network+ exam and wanted to understand the difference between one-way authentication and two-way authentication.

I've tried searching to no avail. It seems when I search for it the results return 2FA and single-factor authentication. Are single-factor authentication and one-way authentication the same thing? Ditto for 2FA.

Search on google for ***challenge-response protocol***. This will help you understand what one-way and two-way authentication is, but very briefly: You have 2 parties that want to communicate, A and B. A needs to authenticate B (one-way), but if B needs to also authenticate that A is who they say they are (two-way). Multi-factor authentication (2FA, 3FA, etc) is a different thing. It is about *HOW* you authenticate someone (possession, knowledge, inherence). — Soutzikevich, Jan 25 '20 at 13:28
"Two-way authentication" is not the phrase most commonly used. You want to look for "mutual authentication". — schroeder, Jan 25 '20 at 13:32

Jonathan · Answer 1 · 2020-01-26T02:05:48.360

What is Mutual Authentication?

Mutual Auth IRL (In Real Life)

This is exactly what you do when you go to the bank. You "authenticate" the teller from the second you think about the bank.

You think "where is the bank" (location, check)
Does the bank look like a bank? (look around, looks like a bank, reputation, check)
Does the teller work for the bank? (She's behind the desk, so someone let her back there, uniform, name tag, and she is holding cash. Check)

Check, check, check. You're at a bank talking to an employee.

Now she authenticates you. Asks for - your ID, - your photo comes up on the screen, and - you know your ATM pin.

Check, check, check. She trusts you are you.

Mutual authentication. You both think you know who the other is.

Mutual Auth in Computers

In computers it's about the same. Both sides need to trust each other. And bad guys could be executing a man-in-the-middle attack.

ssh

One place we use mutual authentication is SSH. You want to SSH to a server, you want to know it's really the server you think it is.

Let's say you're going to copy up some secret information. How do you know for sure you're connecting to the right server? What if somebody is trying to trick you into uploading the secret info to their server? SSH servers do prove to the client connecting to them that they have a secret key. Read about it here: https://support.alertlogic.com/hc/en-us/articles/360002999732-How-does-SSL-mutual-authentication-work-

web sites

EVERY TIME YOU LOGIN ON A SERVER you are mutually authenticating.

Your browser trusts the remote server and puts the lock in the address bar. Then you type in a username and password, and now the server trusts you.

TLS

Or HTTPS - Sometimes still called SSL, but TLS is the accurate name for the protocol.

There are same protocol exchanges that mutually authenticate. You can mutually authenticate over https. You have a "client" certificate that you use in the key exchange with the server. The server verifies your client certificate is signed by a certificate authority that the server trusts to sign client certs. Just like your browser checks that the server's cert is signed by a certificate authority that the browser trusts.

Look at mutual TLS authentication in action

NodeJS is an interesting implementation. It's both a pain in the hind at first, and sorta easy code to read once you figure it out. Have a look at this writeup and the nodejs docs.

https://blog.cloudboost.io/implementing-mutual-ssl-authentication-fc20ab2392b3

https://nodejs.org/api/tls.html

"EVERY TIME YOU LOGIN ON A SERVER you are mutually authenticating." -- no. It's still only one-way. TLS only compares the cert with the domain. You could still be logging into a phishing site. You stretched your IRL banking analogy too far. — schroeder, Jan 25 '20 at 13:25
You are missing an understanding of server-side certs in TLS mutual authentication. Just having a cert does not mean you have passed authentication. I could serve `https://totally-fake-bank.com` and get a valid certificate for it and present a copy of a legitimate bank's site. In the nodejs blog page you posted, there is an additional understanding that it omitted but crucial: the client-side has hard-coded the server domain. That domain and it's cert is then checked against the CA. That's when it becomes an authenitcation (verifying of ID). — schroeder, Jan 25 '20 at 13:44
I disagree. You being fooled by a phishing site is irrelevant. You thought you properly authenticated the site before you put your password in. Otherwise, you wouldn’t put the credential into the site. All authentication has different levels of risk. Some are less risky than others. Some only protect you if you are very vigilant, and even then still carry risk. — Jonathan, Jan 25 '20 at 15:26
I've added a couple definitions of "authentication." Please review them and add a constructive comment for why you disagree with the answer. You might be trying to narrowly define "authentication" as "computer authentication." As you've made clear, that isn't enough. Humans typing in URLs need to perform an additional level of authentication above what the computer does. It's the whole process that matters. Ignoring humans doesn't scale. I also doubt I'm "missing an understanding" of any TLS knowledge needed to answer this question. ;-) — Jonathan, Jan 26 '20 at 02:20
You are co-mingling general ideas of identity and authentication with the *technical definition of mutual authentication* as asked in the question. Please note that the context of the question is the Network+ exam. To tell a student that "logging into a server is mutual authentication" is irresponsible since there are technical specifications for mutual auth in networking which wouldn't be required if your statement was broadly true. — schroeder, Jan 26 '20 at 07:41
So, this is wrong on 2 accounts: For TLS to be an authentication of the server, the client must have a pre-established relationship with the server to be able to verify the identity of the server when connecting. That's authentication. Just seeing a lock in the address bar is ***not*** authentication. Then, when the ***user*** logs in, it is not the ***client*** authenticating, but the user. You have not described mutual authentication. — schroeder, Jan 26 '20 at 07:52
Thanks. I believe the broader definition is more appropriate in this case. — Jonathan, Jan 26 '20 at 09:50

schroeder · Accepted Answer · 2020-01-29T16:18:33.530

"Two-Way Authentication" is more commonly called "Mutual Authentication".

At the network level, which is what you are studying, it means that the client and the server authenticate to each other. This is done through the exchange of certificates that are checked by a Certificate Authority (or the cert is known by the server).

It means that the client and server know that they are communicating with the expected party. This is established at the lower levels of the OSI stack before application-level authentication takes place (user authentication or process authentication). It's done at a lower level so that the users/processes have assurance before they attempt to authenticate.

At the network level:

client requests to connect to the server
server sends the server certificate and askes for the client certificate
client verifies the server certificate with the Certificate Authority (CA)
client sends client certificate
server verifies client certificate with CA
if all checks verify, then access is granted to the client to the resource

WiFi and ethernet have mutual authentication protocols, and sometimes the certificate is provided by the server. TLS also has a mutual authentication protocol.