What is Authentication?

Who are you?

Within an IT infrastructure, resources are secured through a combination of authentication (who is trying to access the resource) and authorization (are they allowed to use the resource, and how are they allowed to use it). Many people confuse authentication with authorization.

Authentication is just establishing who wants access (with credentials).

Authorization is deciding – once the “who” is known – what (if any) access is appropriate. Correct authentication is a serious security concern and can be addressed by several different methods.

Traditionally we would say there are three fundamental ways by which a user can be identified:

  1. Something the user knows (like an ID/password, PIN, security questions, etc.)
  2. Something the user has (ID card, security token, cell phone, etc.)
  3. Something the user is (signature, fingerprint, retinal pattern, DNA, face, voice, or other biometric features).


The simplest form of authentication is a username/password combination, but this is now widely seen as inadequate. Usernames are typically well-known in an environment, and simple passwords may be guessed (and because people tend to use them in many places, they are only as secure as the least secure of these). One may enforce complex passwords, or place different passwords on different types of resources, but this tends to lead to poor password hygiene (like writing down passwords to remember them).

Stronger methods are required, such as

  1. Multi-factor authentication (MFA): This uses two or more of the above, perhaps ID/Password or PIN, and something the user has (token generator, ID Card, cell phone, etc.).  With this method, if a malicious attacker does obtain the user’s ID and password, they also need the second factor of authentication. This limits the attack surface and makes it significantly more difficult for someone to misrepresent themselves as the authenticated user.
  2. Certificate authentication: A user will first authenticate to a secure environment capable of generating and delivering certificates. Subsequently, when a user attempts to access a resource using their stored certificate, the resource can verify the certificate, and trust this user. This can also be used in a multi-factor scenario, where the ID/Password can be encrypted using the certificate and thus be delivered to the resource more securely.
  3. Fingerprint / Windows “Hello”: Once a user has initially authenticated (for example with a username, password, and/or other factors), your device can generate a biometric indicator to represent the user. This could be a fingerprint, although Windows Hello extends beyond a simple fingerprint, utilizing facial expressions (and using 3D imaging to verify that it is not just looking at a 2D picture of the user).

Need some help with authentication in your organization? Our technical experts have years of experience in this, so call us today to find out how we can help +44 (0)1865 521200, or email us.

Updated January 2024