Authentication is the process of verifying the identity of a user, server, application, or device so that they may proceed to log in to a system and access its resources. Authentication is typically managed with a user database server or identity management and federation system.
To authenticate as a legitimate user on any system, a common authentication protocol must be used between both client and server (or between application and API). Basic authentication involves entering a user ID and password, although more advanced authentication is preferable in web-based environments.
A modern, reasonably secure method for user authentication is Two-Factor Authentication (2FA), which requires satisfying two of the three universally recognized factors, or elements, of authentication. The three factors of authentication are as follows:
Knowledge: "something the user knows" – like a password or an answer to a security question.
Possession: "something the user has" – like a security token sent to a mobile phone in the user's possession.
Inherence: "something the user is" – like a fingerprint scan, which typically only applies in high-security settings and is not often used in 2FA.
Multi-Factor Authentication vs Strong Authentication
Multi-Factor Authentication (MFA) is another related term used to describe whenever two or more factors of authentication are needed to verify a user.
Meanwhile, Strong Authentication is similar in concept to 2FA and MFA, but with the additional requirements that the factors are mutually independent and at least one factor is non-replicable and non-reusable (i.e. not able to be forged or used twice over). With Strong Authentication, it is imperative that user credentials cannot be stolen over the Internet, whether in transit or in storage.
When authenticating an application to an external API, some form of passwordless authentication should be employed to ensure that user credentials are not sent or stored anywhere and, thus, remain secret. Common ways to achieve this are via API Keys, Cookies, and Access Tokens (e.g. JWT – JSON Web Tokens).
Decentralized HTTP authentication frameworks that support passwordless authentication and Single Sign-On (SSO) for multiple application access with a single login include:
OpenID – An open standard authentication and identity management framework.
OpenID Connect – A newer implementation of OpenID built on top of OAuth 2.0 that can be used to handle both authentication and authorization.
OAuth 2.0 (Open Authorization) – An open standard authorization framework that can provide pseudo-authentication when used with OpenID.
SAML 2.0 (Security Assertion Markup Language) – An open standard XML-based protocol for authentication and authorization. Typically used in enterprise scenarios.