What is user authentication?

User authentication is the process by which a human proves their identity to an application, and how the app responds to that claim. It differs from machine authentication, an automated process by which apps (services, devices) identify themselves to other apps. Machine authentication does not require human input.

Apps often have two classes of content: public content available to everyone, and protected content available only to authenticated users. How users authenticate themselves to an app has a direct effect on the app’s security. It’s important to understand why.

Why user authentication is important

User authentication, what is it?

The term user authentication covers the interactions a human has with a computer in order to gain access to the protected data and functions of an app. By registering an ID and a secret such as a password with an app, a user can later prove to that app that they are the same person who registered.

User authentication has typically consisted of an email address and password combination. More recently, additional authentication options have been added to improve the security of apps.

How users are authenticated

Access to an app is often restricted to users who can prove their identity to the system. The app uses the ID and password to confirm the user’s identity, and then authorizes that user to see protected data and perform protected functions.

In other words, the app’s user authentication functionality needs to do three things:

  • identify the user to the app (the user claims an identity, for example by supplying an ID)
  • verify that claimed identity (authentication proper, for example by checking a password)
  • allow or block the user’s access to the protected parts of the app (authorization, which depends on the first two steps)

Types of user authentication

User authentication plays two crucial roles in securing an app. Firstly, it prevents unauthorized access to protected data and functions. Secondly, because every request is tied to a verified identity, the app can make sure that each authorized user sees only his or her own data, not that of other authorized users.

To confirm their identity, the user must provide at least one authentication factor, which is:

  • something they know, such as a password, a PIN, or answers to security questions (the ID itself is not a secret; it only says who is claiming to sign in)
  • something they have, like an ID card, a hardware security token, or a smartphone
  • something they are, for example a signature, fingerprint, retinal or iris pattern, or other biometric feature

These methods can be divided into password and passwordless authentication.

Password authentication

User authentication requiring a password is the most common form of authentication. Access to an app is granted when the user-supplied ID and password match what the app has on file. The app should not keep the password itself on file: it stores a salted, deliberately slow hash of the password and recomputes that hash from what the user types, so that a stolen database does not directly yield usable passwords.
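The check described above, written out as an added example that is not code from the original page. It uses the Python standard library only; the in-memory USERS table, the scrypt cost parameters and the usernames are assumptions for illustration. Note that the same password registered for two users produces two different stored hashes because each user gets a random salt, that an unknown username still pays for one hash so response timing does not reveal which accounts exist, and that the comparison is constant-time.

```python
import hashlib
import hmac
import os

# Constructed in-memory "user table": username -> (salt, scrypt hash).
# In a real app this lives in a database. The plaintext password is never stored.
USERS = {}

# scrypt cost parameters (assumed here; tune to your hardware budget).
# N=2**14, r=8 uses about 16 MiB of memory per hash, which is what makes it
# expensive for an attacker cracking a stolen table.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
DUMMY_SALT = b"\x00" * 16


def _hash_password(password, salt):
    """Derive a 32-byte key from the password and a per-user salt."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def register(username, password):
    """Store a fresh random salt and the hash for this user, never the password."""
    salt = os.urandom(16)
    USERS[username] = (salt, _hash_password(password, salt))


def verify(username, password):
    """Return True only if the supplied password reproduces the stored hash."""
    record = USERS.get(username)
    if record is None:
        # Hash something anyway so an unknown username takes as long as a
        # wrong password; otherwise timing reveals which accounts exist.
        _hash_password(password, DUMMY_SALT)
        return False
    salt, stored = record
    # Constant-time comparison: does not leak how many leading bytes matched.
    return hmac.compare_digest(_hash_password(password, salt), stored)


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    print(verify("alice", "correct horse battery staple"))  # True
    print(verify("alice", "Tr0ub4dor&3"))                   # False
    print(verify("mallory", "anything"))                    # False
```

The authorization step that follows a successful verify() is deliberately not shown here; the point is that the app compares derived hashes, never stored plaintext.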

However, the number of online accounts an average user maintains has grown over time, and with it the number of passwords they have to remember. Users often trade security for convenience by choosing memorable passwords. This reduces the effectiveness of password security in the following ways:

  • Weak or stolen passwords. Passwords are a common target of identity attacks, and up to 81% of hacking-related breaches have been attributed to weak or stolen passwords. How do attackers obtain a user’s password? Through phishing pages that mimic a login screen, and through man-in-the-middle and man-in-the-browser attacks that intercept what the user types into the real one. Once a user enters their ID and password, the attacker has their credentials. By requiring a password, apps inadvertently expose users to these types of threat.
  • Reused passwords. A surprising number of users reuse passwords, because it is easier to remember one password than many strong ones. The problem this creates is that, once one site is breached, attackers replay the leaked ID and password pairs against other apps and platforms. These credential stuffing attacks can allow an attacker to take over a user’s account and steal sensitive information.
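Credential stuffing has a recognisable shape in an app’s own login logs: one client address failing against many different usernames in a short window, with the occasional success where a reused password happened to work. The detector below is an added example, not code from the original page; the log format, the sample events, the IP addresses (from the documentation ranges) and the thresholds are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events (not real logs): timestamp, client IP, username, outcome.
# 198.51.100.20 is one person mistyping their own password, then getting it right.
# 203.0.113.7 walks through a leaked credential list and gets in as "erin".
SAMPLE_LOG = """\
2024-03-01T10:00:01Z 198.51.100.20 alice FAIL
2024-03-01T10:00:09Z 198.51.100.20 alice FAIL
2024-03-01T10:00:20Z 198.51.100.20 alice OK
2024-03-01T10:01:00Z 203.0.113.7 alice FAIL
2024-03-01T10:01:01Z 203.0.113.7 bob FAIL
2024-03-01T10:01:02Z 203.0.113.7 carol FAIL
2024-03-01T10:01:03Z 203.0.113.7 dave FAIL
2024-03-01T10:01:04Z 203.0.113.7 erin OK
2024-03-01T10:01:05Z 203.0.113.7 frank FAIL
2024-03-01T10:30:00Z 192.0.2.5 grace OK
"""


def parse_event(line):
    """Split one log line into (timestamp, ip, username, outcome)."""
    ts, ip, user, outcome = line.split()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), ip, user, outcome


def find_stuffing(log_text, window=timedelta(minutes=5), distinct_users=5):
    """Flag IPs that fail logins for >= distinct_users different usernames
    inside a sliding window, and list the accounts that logged in successfully
    from those IPs (the reused passwords the attacker was looking for).

    Returns (flagged_ips, compromised_accounts)."""
    events = [parse_event(l) for l in log_text.splitlines() if l.strip()]
    recent_failures = defaultdict(list)   # ip -> [(timestamp, username), ...]
    flagged = set()
    for ts, ip, user, outcome in events:
        if outcome != "FAIL":
            continue
        # Keep only failures still inside the window, then add this one.
        kept = [(t, u) for t, u in recent_failures[ip] if ts - t <= window]
        kept.append((ts, user))
        recent_failures[ip] = kept
        if len({u for _, u in kept}) >= distinct_users:
            flagged.add(ip)
    # A success from a flagged IP is the actual account takeover, not a false alarm.
    compromised = sorted({user for _, ip, user, outcome in events
                          if outcome == "OK" and ip in flagged})
    return flagged, compromised


if __name__ == "__main__":
    ips, accounts = find_stuffing(SAMPLE_LOG)
    print("stuffing sources:", ips)           # {'203.0.113.7'}
    print("accounts to reset:", accounts)     # ['erin']
```

The distinct-username count is what separates stuffing from one user forgetting their password: 198.51.100.20 fails three times but only ever for alice, so it is never flagged. A successful login from a flagged address is the higher-priority signal, since it means a reused password worked and that account needs a forced reset.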

Passwordless authentication

Passwordless authentication is any method of authentication that does not require a password, and it has become popular recently. Although there are several types of passwordless authentication, two common forms are email authentication and biometrics.

Email authentication

This is a very convenient authentication method, as it relies only on the user being able to retrieve an email sent to the email address they supplied. Access to the app is granted when the user clicks the magic link contained in the email. The security of this method rests entirely on the user’s mailbox, so the token in the link must be unguessable, short-lived and single-use, and the app should store only a hash of it.
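The magic-link lifecycle described above, as an added example that is not code from the original page or from any particular provider. It uses only the Python standard library; the in-memory PENDING store, the 15-minute lifetime and the base URL https://app.example/login/verify are assumptions for illustration. Only a hash of the token is stored, so a leaked database does not hand out working links, and each token can be used once.

```python
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlsplit

# Assumed lifetime: short, because the link is a bearer credential sitting in a mailbox.
TOKEN_TTL_SECONDS = 15 * 60

# Constructed in-memory store: sha256(token) -> {"email", "expires_at", "used"}.
# In a real app this is a database table; the raw token itself is never stored.
PENDING = {}


def _token_hash(token):
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_magic_link(email, base_url="https://app.example/login/verify", now=None):
    """Create a single-use, expiring token for `email` and return the link to email."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)          # 256 bits of entropy: not guessable
    PENDING[_token_hash(token)] = {
        "email": email,
        "expires_at": now + TOKEN_TTL_SECONDS,
        "used": False,
    }
    return f"{base_url}?token={token}"


def token_from_link(link):
    """Extract the token query parameter from a link (what the verify endpoint receives)."""
    return parse_qs(urlsplit(link).query).get("token", [None])[0]


def verify_magic_link(token, now=None):
    """Return the authenticated email address, or None if the token is unknown,
    expired, or has already been used."""
    now = time.time() if now is None else now
    if not token:
        return None
    record = PENDING.get(_token_hash(token))
    if record is None or record["used"] or now > record["expires_at"]:
        return None
    # Single use: a link that leaks later (forwarded mail, proxy logs) is worthless.
    record["used"] = True
    return record["email"]


if __name__ == "__main__":
    link = issue_magic_link("alice@example.com")
    print(link)
    print(verify_magic_link(token_from_link(link)))   # alice@example.com
    print(verify_magic_link(token_from_link(link)))   # None (already used)
```

Two details are worth keeping when adapting this: the verify endpoint should be reached from the link with a GET that then requires a click or POST before the token is consumed, so that mail scanners which pre-fetch links do not burn it; and the email address is trusted only because the app itself sent the mail, so the issuing step must not let a caller choose which address receives a link for someone else’s account.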

Biometrics

Biometric verification includes fingerprint and iris scanning, face recognition, and other types of biometric check. This type of authentication is considered among the most secure because a user’s biometric profile is unique and hard to copy, though not impossible to copy (see the caveat at the end of this page). In practice the biometric is usually matched on the user’s own device, and the app receives a signal that the local check passed rather than the biometric data itself. In terms of user experience, biometric authentication is convenient and easy to understand.

Benefits of passwordless authentication

Because it is easy to use and understand, passwordless authentication is becoming a popular authentication method. Some of the benefits include:

  • Resilient sign in. With no password to enter, there is no reusable secret for an attacker to phish or replay. The risk of a user’s credentials being captured through man-in-the-middle and man-in-the-browser attacks is also greatly reduced.
  • Greater control. With no password database to steal, app owners reduce the risk of a credential breach and all the negative consequences that go with one.
  • Improved scalability. A passwordless sign-up flow has less friction, and has been shown to increase the chance that a potential user completes sign-up.
  • Lower cost of ownership. Password authentication needs constant monitoring and maintenance, and password resets can be very time-consuming, especially when the reset process is not automated. Removing passwords reduces the cost of running an app.
  • Better user experience. With passwordless authentication users no longer need to remember and update strong passwords simply to use an app.

Biometrics do, however, have weaknesses of their own. Studies have shown that fingerprint scanners can be fooled surprisingly often. And, unlike a password, a biometric cannot be changed: once a user’s biometric data has been compromised, that authentication method can no longer be used safely for that user.