What Is an Authentication Service?
An authentication service is typically a cloud service that verifies a user’s identity and authenticates that user to multiple applications and resources across the organization. Authorization services, on the other hand, make sure that only authorized users with the appropriate access rights can access a particular resource. This article explains some authentication fundamentals and how authentication services can help get authentication done right.
In Zero Trust architectures, you may have a single policy enforcement point doing authentication and enforcing authorization policy.
What Is Authentication, and Why Is It Used?
Authentication is essential to verify the user's identity and keep illegitimate users out of your system. Suppose an end user wants to access protected resources. In that case, they must first be authenticated, commonly by providing a login credential, such as a username and password, or a more reliable passwordless proof of identity.
When users attempt to access a resource, authentication services step in to verify the user’s identity so that only the right users are granted access. If the requester or web service client successfully passes the user authentication process, they can access the requested resource.
Some of the legacy technologies used for user authentication include:
HTTP basic authentication
LDAP – a protocol for authenticating users against a single directory service
One-time password hardware tokens
Currently, there are more advanced passwordless authentication methods, including:
Passwordless authentication services like Peig
Fundamentally, there are three ways users can be authenticated:
Knowledge: Something only you know.
Possession: Something you have in your possession.
Inherence: Something that is integral to your physical self.
Sometimes the inherence principle is split into two more sub-categories: Biometrics and Behavioral. Sometimes it’s arguable what is biometric and what’s behavioral. Take breathing as a biometric method for user authentication. It seems natural that breathing would be considered a biometric trait when considering a short timeframe. On the other hand, your breathing pattern may change significantly with athletic or breathing exercises. For the sake of simplicity, we’ll try to use clear-cut examples to explain the different methods in more detail.
What Do You Know?
The knowledge-based authentication method is best known in the form of the password – something you hold in your head and ideally keep secret. But what if you get caught in a phishing campaign, or a hacker gets hold of a whole database with many passwords? People often think they wouldn’t be fooled by phishing emails – unfortunately, statistics show that phishing attacks are increasingly common and also getting harder to recognize.
Other examples of knowledge-based authentication are a PIN, a picture code, or a motion pattern. These are more secure if coupled with a particular device, which is also authenticated.
What Do You Have?
Possession authentication verifies a user by reliable proof that they hold a particular thing. Sometimes this could be an ID card or another type of document. Unfortunately, it’s not very secure to send these over the internet – once a hacker gets hold of a copy, they could very well impersonate you in many situations.
More secure ways to authenticate possession include:
Security tokens (e.g. USB authenticators)**
The reason these are fundamentally more secure is that each of them is built on a cryptographic secret stored on the authentication device – a secret that only the device “knows” and can use to prove that it really is that one device. To understand this better, you can read up on public key cryptography, which is often used to make possession-based authentication reliable.
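As an added illustration (not Peig’s code or this page’s own), the challenge-response at the heart of possession-based authentication: the device holds an Ed25519 private key, the server keeps only the public key, and every login signs a fresh nonce bound to the service’s origin, so a signature cannot be replayed or reused at a look-alike site. The origin strings and the in-process “device” are assumptions for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Challenge is a fresh random nonce the server issues per login attempt.
// It is used once, so a captured signature cannot be replayed later.
type Challenge [32]byte

func NewChallenge() (Challenge, error) {
	var c Challenge
	_, err := rand.Read(c[:])
	return c, err
}

// message binds the nonce to the relying party's origin: a signature made
// for a look-alike site's origin does not verify at the real service.
func message(c Challenge, origin string) []byte {
	return append([]byte(origin+"\x00"), c[:]...)
}

// DeviceSign is the authenticator's side: the private key never leaves it.
func DeviceSign(priv ed25519.PrivateKey, c Challenge, origin string) []byte {
	return ed25519.Sign(priv, message(c, origin))
}

// VerifyPossession is the server's side: it stores only the public key.
func VerifyPossession(pub ed25519.PublicKey, c Challenge, origin string, sig []byte) bool {
	return ed25519.Verify(pub, message(c, origin), sig)
}

func main() {
	// Constructed demo: the key pair is generated on the device once, at enrollment.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	c, _ := NewChallenge()
	sig := DeviceSign(priv, c, "https://app.example")
	fmt.Println("genuine device, real origin:", VerifyPossession(pub, c, "https://app.example", sig))
	fmt.Println("same signature, look-alike origin:", VerifyPossession(pub, c, "https://app-example.test", sig))
}
```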
* Authentication apps do better than sole passwords; however, they are proving to provide poor protection against the most common types of cyber threats: phishing attacks, MitM, MFA prompt bombing, etc.
**Same applies to some security tokens.
Who Are You?
A practical way to authenticate users is to check their biometric attributes in real time. Biometric authentication requires something unique about the user, such as their:
Behavioral attributes (e.g., keystroke dynamics, which suit mobile apps best; gait recognition; voice recognition),
Physiological attributes (e.g., face recognition, handwriting dynamics, signature, iris scan, palm scan, and fingerprint).
The downside of biometric authentication is that it’s based on “publicly” available “static” data. This makes biometric authentication on its own very unreliable. In the case of authentication based on facial recognition, facial features may be harvested from publicly available media sources (e.g., social media).
Notice the contrast between the principles of biometric and knowledge-based authentication. Biometric authentication works on the basis of unique but “public” data about your physical traits. Password-based authentication, on the other hand, is based on secret information. In fact, password secrecy is so important that companies typically use complicated password policies (periodic password changes, password expiration, reset scenarios, etc.) to ensure passwords stay secret. Similar approaches apply to the cryptographic keys used in possession-based authentication. Unlike passwords or cryptographic keys, some physical traits cannot be changed.
Biometric authentication should really be applied with care in well-understood and isolated environments.
Similarly, user authentication can be enhanced with geographical or behavioral data like GPS, IP address, etc. Unfortunately, these all have limitations similar to biometric data – hackers can easily fake a location or an IP address.
Is Authentication a Security Service?
Yes, authentication services are fundamentally cybersecurity services aiming to ensure resource security. Authentication services typically provide this using a combination of:
Multi-Factor Authentication (MFA)
Why are Authentication Services Used?
Authentication services are typically used as part of an identity and access strategy for users accessing corporate resources. Authentication services are crucial security enablers to grant or deny access to an organization's data, applications, or networks. Below are some other benefits.
Simplifies login process
Enables enterprise mobility
What Are the Types of Authentication Security Mechanisms?
Below is a description of various types of authentication methods.
Pseudo-Passwords, Bloom Filter, and Non-Textual Approaches
This section lists complementary yet presently insufficient security approaches to improve password authentication, such as Honeywords, Non-Textual, Bloom Filter, and Graphical Passwords. These approaches aim to assist authentication companies in providing a “secure” authentication service and access control. However, given the current state of the art, these approaches are unable to provide appropriate protection against the most common hacking techniques.
Honeywords create pseudo-passwords near the actual password to entice imposters to use these bogus passwords. Security engineers also use alternative names for Honeywords, including Failwords, Honeyfile, Camouflage System, etc. Likewise, the Bloom Filter technique fools bad guys by applying distinct hash operations on existing passwords. Furthermore, a Non-Textual authentication service uses sketches or drawing patterns, images, and graphics for user validation and verification.
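A minimal honeyword scheme as an added example (not from this page or any vendor): the login server stores the real password among decoys (“sweetwords”), while a separate honeychecker knows only which index is real, so a decoy being submitted signals that the stored hashes have been obtained. The user names, decoys and the unsalted SHA-256 hashing are constructed for the demo.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"math/rand"
)

// Outcome of a login attempt against a honeyword-protected account.
type Outcome int
const (
	Reject    Outcome = iota // matched no sweetword: an ordinary wrong password
	Accept                   // matched the real password
	Honeyword                // matched a decoy: the password store has likely leaked
)
// Account holds the hashed sweetwords (real password plus decoys) on the login
// server. Unsalted SHA-256 stands in for a proper password hash in this demo.
type Account struct{ Hashes [][32]byte }
// Honeychecker is a separate, minimal service that knows only the real index per user.
type Honeychecker map[string]int

// Enroll inserts the real password at a random position among its decoys (which
// must differ from it), stores the hashes, and tells the honeychecker the position.
func Enroll(hc Honeychecker, user, real string, decoys []string) Account {
	k := rand.Intn(len(decoys) + 1)
	hc[user] = k
	words := append(append(append([]string{}, decoys[:k]...), real), decoys[k:]...)
	acct := Account{}
	for _, w := range words {
		acct.Hashes = append(acct.Hashes, sha256.Sum256([]byte(w)))
	}
	return acct
}

// Login compares the submitted password against every sweetword in constant time,
// then asks the honeychecker whether the matching index is the real one.
func Login(hc Honeychecker, user string, acct Account, submitted string) Outcome {
	h, hit := sha256.Sum256([]byte(submitted)), -1
	for i, stored := range acct.Hashes {
		if subtle.ConstantTimeCompare(h[:], stored[:]) == 1 {
			hit = i
		}
	}
	if hit < 0 {
		return Reject
	}
	if hit == hc[user] {
		return Accept
	}
	return Honeyword // alarm: only someone holding the stored hashes would try a decoy
}
```

In a deployment the Honeyword outcome feeds an alert and the breach response, not just a failed-login counter.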
Multi-Factor Authentication (MFA)
MFA is a widely used web service authentication approach that requires at least two authentication methods, drawn from different credential types, to verify a user's identity. Two-factor authentication, by contrast, is based on exactly two factors used simultaneously: e.g., a password and a hardware-token authenticator. Two-factor authentication is primarily used in finance, healthcare, education, and social media but is increasingly needed for any enterprise or public web service.
To gain access through MFA, the user must provide proof for multiple factors, such as what they know, what they have, and what they are. Go back to the authentication approaches in the previous section for more details. The characteristics of a good MFA include the following:
Ease of use
MFA is often combined with SSO, also known as authentication federation, where an authentication service provides MFA capabilities to various applications in an enterprise.
Device-based authentication plays an unavoidable role in MFA. It typically relies on a single authentication mode that must always be present: the device proving itself using securely stored cryptographic keys. This lets security engineers pair known devices with user accounts for smooth and fast logins. In addition, device-based authentication checks risk indicators in real time.
Authentication methods usually validate users once and persist access over a long period of time using cookies. This may serve security poorly. Cookies, for example, may be stolen or counterfeited. Devices once in possession of a particular user may now be controlled by someone else. Bottom line – you need continuous verification of a user's identity over time.
Continuous Authentication, also known as Active Authentication, uses novel ways to verify and validate a user's identity rather than relying on passwords. Continuous Authentication works by using software-based behavioral biometrics to capture session data and determine whether the legitimate user is the one using the system at a given time.
Adaptive MFA uses different ways to verify users of computer systems or cloud services – typically based on the level of risk of a particular access request. Adaptive authentication usually uses indicators like IP addresses, geolocation, or other metadata to assess the level of risk of a request. Unfortunately, such metadata isn’t very reliable for network security – especially in a cloud-dominated online world. Trusting client-proclaimed attributes like IP addresses is no longer viable.
Secure Your Access with Peig
Peig’s Passwordless Access Platform helps with unifying access management and streamlining passwordless authentication in SaaS, private cloud apps as well as controlled network environments.
Secure AWS, Google Workspace, Microsoft 365, Salesforce, and other SaaS or self-hosted services, and improve your company's remote work business processes.
Peig access is unified with an authentication engine that addresses advanced phishing, MitM, session hijacking, and device manipulation attacks. The passwordless access platform is the best fit for mid-size enterprises that consider remote work on cloud-native applications critical.