14 min read
Authentication guide
Ready to learn how to keep your company’s systems safe and secure? Dive into our complete guide to authentication, including authentication types, authentication factors and more.

What is authentication? A complete guide

Link to this section

Think about all the platforms, apps and tools you’ve used today. Did you scan your fingerprint to open your MacBook? Use Face ID to unlock your iPhone? Enter a password to access your inbox?

Authentication has slipped into almost every part of our daily routine. In fact, you’re likely engaging with it automatically. For companies, the goal is to make sure you know who is accessing secure platforms and systems.

With an uptick in cyberattacks and data leaks, putting robust authentication processes in place isn’t a ‘nice to have’ for companies. It’s what will keep your operations running smoothly, your team working efficiently and your sensitive data safe and secure.

Luckily, switching on strong multi-factor authentication is straightforward and can be up and running in just a few minutes.

Key takeaways:

Link to this section
  • Authentication is the process of figuring out who someone is and if their details match up with your own records.
  • While the most traditional type of authentication is single-factor authentication, multi-factor authentication (MFA) provides the highest level of security, using a combination of passwords, biometric factors, one-time codes and more.
  • Authentication comes first (who are you?) and authorization comes second (do you have access to this specific resource?).

What is authentication?

Link to this section

You wouldn’t let someone into your house (or office) without knowing who they are. The same should go for your company’s databases and any systems you manage, like apps and platforms.

That’s what authentication is all about. It’s the process of figuring out who someone is and if their details match up with your own records.

In its simplest form, authentication means entering a username and password to log in to a secure site or platform (single-factor authentication). With the recent rise in cyberattacks and data breaches, more companies are leveling up their systems with additional authentication steps (from one-time passcodes to fingerprint scans, known as multi-factor authentication).

In the back end, authentication tech ensures these credentials are correct and linked to an authorized user on your database.

Authentication plays a key role in keeping users’ information protected and safeguarding your company’s systems. But it doesn’t act in isolation. It’s part of a three-step process to:

  • Identify: pinpoint who a user is.
  • Authenticate: prove their identity with unique credentials.
  • Authorize: define permission and access levels.

Authentication needs to be a non-negotiable, especially for scaling companies.

A whopping 94% of enterprises have experienced an insider data breach (such as departing employees, negligent workers, security evaders, and third-party partners opening a company up to a security risk, either maliciously or negligently) to date, with cybercrime (from data theft to fraud and beyond) growing 15% globally year-on-year.

The good news? Lowering the chance of data breaches and protecting sensitive information from hackers starts here: putting the right authentication steps in place.

How authentication works

Link to this section

For the purpose of this article, let’s dive into how authentication works for an app. Plus, you’re probably already familiar with the process (we’ve all got stacks of apps downloaded onto our phones, right?).

When someone signs up for an app, they’ll create an account. They might pick a new username and password or use their existing credentials from their Google or Facebook account (known as Single Sign On, or SSO for short).

At this point, these details are saved and stored in a database (either a local operating system or on an authentication server).

The next time this user attempts to log in, the app will check these credentials against their database records. If everything matches up, they’ll be granted access.

Sessions, cookies and tokens

Link to this section

Here’s where things get a bit more complicated. But stick with us.

Ever noticed that you stay logged in to Gmail or Instagram for weeks (without having to re-enter your login details)? That’s because of a thing called sessions, a.k.a. How long you’re logged in without needing to re-authenticate.

Usually, this happens using browser cookies. This browser data enables two things to happen every time you log in:

  • When you sign in, the app creates a token (usually a series of random characters) that is stored on the app’s database.
  • Within your browser, the app creates a cookie with that token linked.
  • When you refresh or open a new page that needs to authenticate your identity, the app will compare the token in the cookie to the token in the database. If they match, you’ll remain logged in.

After a certain amount of time has elapsed, the app will destroy the token on their server - meaning you’ll need to log in again and re-authenticate. And remember that complicated password you set.

Understanding authentication factors

Link to this section

Not all credentials are created equal. There are different ways to verify a user’s identity, known as authentication factors.

An easy way to think about authentication factors is to remember these three categories: something you know, something you have and something you are. But in recent years, these categories have expanded to include new factors like time and location.

Here’s a rundown of the five authentication factors you need to know about:

  • Knowledge factor (a.k.a. Something you know): as you’d expect this factor is the most common. It uses confidential information to authenticate access, whether it’s a PIN, username, password or the name of your first pet.
  • Possession factor (a.k.a. Something you have): this is something tangible you have access to, such as a security token, a smartphone that can receive text messages or an authentication app that generates Time-based One-Time Passwords (TOTPs) or codes.
  • Inherence factor (a.k.a. Something you are): this is where biometric identification comes into play, including fingerprint scans, voice or facial recognition and even retina patterns.
  • Location factor (a.k.a Where you are): this could mean pinging your device’s GPS or checking your computer’s network address. While it’s rarely used as a standalone factor, it can be used to detect and alert suspicious activity (such as an attempt to access your account from the other side of the world).
  • Time factor (a.k.a. When you’re authenticating): again, this factor won’t be used in isolation but it’s often used in combination with location data to catch and prevent hacking (for example, it could spot someone logging into your account shortly after your last session from a different country).

Types of authentication

Link to this section

Single-factor authentication (SFA)

Link to this section

Whether you call it one-factor authentication or SFA, the idea is the same: using one set of credentials to access a secure system. It’s the most traditional type of authentication and typically involves entering a username and password to log in to an app, platform or tool.

But simple doesn’t always mean safer. In fact, SFA offers the weakest level of security. With just one barrier to entry, it’s easy for hackers to steal (or guess) these credentials.

Password generators go some way to improve the security of passwords, spitting out complex combinations of letters, numbers and symbols. The problem is, even the hardest-to-remember passwords (is that an ‘i’ or an ‘l’? we can’t tell either) come with the highest chance of data breaches.

Two-factor authentication (2FA)

Link to this section

As the name suggests, 2FA adds an extra layer of protection by requiring two authentication factors. Rather than simply entering a username and password, 2FA goes one step further and requests another piece of information from users.

Usually, this involves texting a one-time passcode (OTP) to your mobile or using an authenticator app (such as Google Authenticator) to generate a unique code. But it could be anything from a PIN to answering a secret question to scanning your fingerprint.

What makes 2FA more secure than its predecessor is this: your account can’t be accessed unless both authentication factors are met. Even if someone guesses your password, it’s unlikely they’ll be able to provide the second level of details needed to gain access.

Multi-factor authentication (MFA)

Link to this section

An extension of 2FA is MFA. It provides one of the highest levels of security, like swapping your flimsy patterned phone case for a smashproof one. By now, you know that passwords alone often don’t provide enough protection - especially when highly sensitive information is involved.

MFA uses a combination of multiple authentication factors, from authenticator apps (TOTP), biometric factors (such as fingerprints or face ID scans) and even one-time email codes.

The key to getting MFA right is this: use a combination of something the user knows, something they have and something they are. This dramatically reduces the chance of cyber attacks, even if users are reusing the same password across multiple sites (which, let’s face it, they probably are).

One-time password (OTP)

Link to this section

Ever wondered why companies text or email random strings of letters and numbers to log in to a site? This is an example of a one-time password (OTP) and is a common way to authenticate a user.

In fact, this is a form of MFA that levels up the security of apps and platforms. You might encounter these codes when logging into an existing account from a new device, when setting up a new account or when resetting your password. By making these codes valid for one use only, OTPs make it tough for intruders to slip in and access your accounts.

Here’s how things work on the back end:

  • An algorithm (such as SHA-1) is used to generate OTPs
  • Two inputs are used to produce this code: a seed and a moving factor
  • A seed is a static value (a.k.a. It doesn’t change) that’s generated when you sign up for a new account on an authentication server
  • On the flip side, the moving factor changes each time a new OTP is requested

Passwordless authentication

Link to this section

What it says on the tin. In a world of endless apps, platforms and cloud-based tools, password fatigue is becoming a very real thing.

Best practice tells us we need a unique password for every account we create. But the reality is that using the same credentials across multiple sites is more common than we’d like to admit. We’re not here to judge, we’ve been there, too.

That’s where passwordless authentication comes in. By blending MFA with the security of email, users are able to access their accounts (without having to remember which password they set months ago). It’s secure (offering great protection against phishing and brute force attacks), simple (minimal signup friction) and a lot less hassle than remembering passwords.

Single sign-on (SSO)

Link to this section

This type of authentication wears a lot of labels, from social sign-in to single sign-on. But the idea behind SSO is the same: using existing credentials to log in to third-party apps.

As you’d expect, the aim of SSO is to streamline the signup and sign-in process. Rather than registering for another new account, SSO allows users to use their existing Facebook, Apple or Google login credentials to access new apps and platforms.

Plus, it removes the reliance on passwords (which come with inherent vulnerabilities) and can remove friction in the signup process (who wouldn’t want to swap registration forms for one-click signup?).

For companies, SSO fast-tracks the user authentication process while also providing reliable data to support powerful personalization. It’s a win-win for users and companies alike.

Security Assertion Markup Language (SAML)

Link to this section

So, what makes SSO possible? It’s thanks to an XML-based open standard known as SAML. Rather than relying on cookies, SAML streamlines the authentication process across multiple platforms or tools.

Broadly speaking, there are two parties involved:

  • Identity provider: who performs the authentication process and exchanges a user’s credentials with a service provider.
  • Service provider: with a trusted relationship with the identity provider, they’re able to authorize a user and provide access.

A good example of SAML in action is using a single workspace (such as Google) to manage your employee’s access to all the tools and software you use across your company. With a single set of credentials, your team can access all the platforms they need. And when their employment wraps up, offboarding is easy and efficient to manage.

By centralizing user authentication, SAML removes the need to remember multiple usernames, passwords and login credentials. It also helps service providers keep their platforms secure (with a single point of authentication meaning credentials are only sent to the identity provider directly).

Plus, it lowers costs for service providers who are able to offload authentication (and the costs associated with it) to identity providers.

Why MFA matters

Link to this section

If you’re using the same password across multiple sites, you’re not alone. And if that password happens to be easy to guess, you’re not alone either.

Research tells us that some of the most common passwords (based on millions of passwords exposed in data breaches) include these: “123456” and “password”.

Usernames and passwords have so many points of weakness that leave them vulnerable to brute force attacks: they’re easy to guess, easy to leak and easy to reuse time and time again. While using a secure password generator can make it harder for hackers to guess, they don’t go far enough to prevent phishing and keylogger software from gaining access.

That’s what makes MFA a non-negotiable for companies. By using a combination of authentication factors, you can dramatically lower the chances of cybercrime (and the financial and reputation risks that come with it).

Authentication vs Authorization

Link to this section

Don’t let their similarities fool you. Authentication and authorization might seem related, but they have different and distinct roles. In fact, they work hand-in-hand.

Here’s how to spot the difference between authentication and authorization:

  • Authentication: this is the process of validating your identity. It involves checking your credentials match the records in a database before giving you access to a secure system.
    • It involves sharing login credentials (such as passwords, fingerprint scans or OTPs).
    • It transmits information through an ID token.
  • Authorization: is all about granting permission to a specific resource and defining levels of access.
    • It involves verifying access in line with specific policies and rules.
    • It transmits information through an Access token.

In most cases, authentication happens before authorization. For example, once an employee authenticates their identity, authorization is what decides which documents and platforms they are allowed to access.

What is identity access management (IAM)?

Link to this section

No matter the size of your company, you want to make sure your team has access to the tools they need to work at their best.

In the days before remote working (and wearing sweatpants to every meeting), companies would likely keep their files, data and resources secure behind an on-site firewall. But with hybrid working the new normal, companies are having to evolve the way they keep their critical information safe and secure.

That’s where IAM comes in. It’s a set of processes and policies that control employee access within a company. From email accounts to databases, IAM allows each employee to receive a single digital identity that can be used across every platform they need to access.

Aside from the obvious benefits of making team-wide access seamless, IAM is an important way of keeping companies’ systems secure from outside intruders. Particularly as a company scales, tracking who has access to what can become increasingly challenging.

But with IAM tools, companies can revoke access instantly and IT teams can prevent and spot unexpected activity to respond swiftly and decisively.

Authentication at Kinde

Link to this section

At Kinde, we’re making authentication simple and powerful to help companies boost security, drive conversion save money - in just a few minutes.

We’ve made getting set up with Kinde as stress-free and easy as possible. With best-in-class security protocols, an intuitive user-friendly UI that’s built for everyone, and powerful and easy-to-use APIs, we’re here to get you up and running in minutes.

See how Kinde compares to other authentication providers.

Get started now

Boost security, drive conversion and save money — in just a few minutes.