A process of proving that an entity (commonly a user or organization) is who they claim to be, or who they were previously identified as being. Authentication does not guarantee that particular entity's identity absolutely, it just proves that they are the same agent that has previously successfully asserted their identity. There are three factors (types) of authentication, and a particular authentication process may combine two or more different factors.
Authentication is critical to systems security. It is the mechanism an authoritative system uses to validate a given entity's asserted identity (who they claim to be) is the same as that entity's stored credentials. Credentials must be previously stored for an entity either by the authoritative system, or by another trusted system, before authentication can occur.
Authentication is commonly used in real life in a number of different scenarios, for example a national border agent confirming a person's identity using a passport.
Authentication usually requires the entity being authenticated to produce one or more tokens. These tokens are then used, possibly alongside other properties or characteristics of the entity, to confirm their identity. An example of an authentication token is a password. These tokens can fall into three broad categories, or factors:
- Something you know. This is the most commonly used authentication factor in electronic systems. It is most commonly implemented as a password or PIN (personal identification number). This is also the most commonly misused authentication factor. Many system require a secondary security question, such as your mother's maiden name, place you were born in or other such trivia. These all belong to this single factor, thus systems can as as many questions as they like and they are still single factor authentication; all the answers are something the entity would know.
- Something you have. This is most commonly implemented as a formula number generator (like an RSA Key Fob) or a digital certificate (which can be stored on a smart card or less securely as a simple file on a computer). The Key Fobs, Smart Cards, and SSL Certificates are the most commonly used forms of this factor.
- Something you are. This is commonly known as biometric security. Fingerprints and iris scans are the most common form when used with electronic access systems. Fingerprints and DNA are the most commonly used in law enforcement.
It should be noted that some security experts have reservations about the factor categories. Specifically all authentication factors are fed into the authentication mechanism as computerized information and are therefore subject to the same possible tampering or forgery as any other information. Digital Certificates for example are essentially passwords that are so long a normal person would never memorize it; it must be stored on a medium (thus termed "something you have"). Similarly anyone who has seen a spy movie has undoubtedly seen a fictional character copy a fingerprint or fake an iris scan. This is possible because the authentication mechanism is reliant on a digital reproduction of the physical item; a digital representation that can be duplicated.
There are many indirect authentication schemes as well. Kerberos is one of the most popular, you authenticate against a central store, which then gives you a token. The token can then be used to grant you access to other systems in lieu of the original authentication mechanism.
Authentication should not be confused with Authorization, which involves granting rights to a specific entity. Authorization schemes are commonly dependent on Authentication to ensure security, but are not the same.
See Wikipedia for more information about Authentication and Security.
