Types of Authentication

Before you start

Objectives: Learn what is authentication, and about different common types of authentication.

Prerequisites: no prerequisites.

Key terms: authentication, password, token, biometrics, two-factor.

 What is Authentication

Authentication is the testing of claimed user identity. It is used to establish a users identity and ensure that the users are who they say they are. Authentication is the second step, after identification. There are many methods to perform authentication. For example, we can use passwords, tokens or even biometrics. Authentication can take place locally on the system where we log in, or transmitted over a network to a centralized authentication server. When we perform authentication, there are three different types that can be used.

Authentication Types

The first type is something we know, like a PIN or a password. The second type is something we have, like a smart card, token, etc. The third type is something we are physically, like a fingerprint (biometrics).


The most common form of type one authentication is a password. Password is simply a code or random string that we memorize. Pass phrases are longer strings, and are typically converted to a virtual password before sending to the authentication server for validation. There is also something called cognitive passwords, which are actually multiple questions given to the user that only that users should know the answers to. Next, we have composition passwords, which are created automatically by a system. Also, there are one-time passwords, which are intended to be used only one time. Passwords should be strong enough to prevent easy guessing and easy cracking, but on the other hand, easy to remember so users won’t write them down.

The most common forms of type two authentication is something that we are in physical possession of. In most cases these are storage devices for digital signatures, certificates or other cryptographic keys. For example, those storage devices can be smart cards, flash memory cards, or tokens. Token is simply a device that we use to provide authentication security. Tokens can be implemented at software or hardware level. A software token is easier to maintain, but it is easier to compromise. Hardware based token is harder to maintain, but is more secure. Keep in mind that certificates are cryptographic files which are used to prove identity.  The possession of a certificate, digital signature, or cryptographic key is proof of identity.

Token Types

There are many types of tokens. We have a static password token, which owner possesses and he authenticates to the token. This is done by typing in a short PIN, password or a by a biometric scan on a token itself. The token then authenticates information given to it by an owner, and then gives him a long password. This long and hard to remember password is what is used to log in to the security system. A static password token is the least secure token, and is the only form of token that is not considered to be a digital form of a one time password. The two other types of tokens are much more secure. We have a synchronous dynamic token, which generates unique password at fixed time intervals. We have a limited time in which we can use generated password. We type in the generated password and our own PIN (or password) into the system in order to authenticate. The system knows our secret PIN (or password), and knows what code should be valid in certain time. The synchronous dynamic token is considered a digital form of one time password. The third token type is asynchronous dynamic token, also sometimes called challenge-response token. The asynchronous dynamic token generates passwords asynchronously, which means that it is generated whenever we press a key on the token. There is no time limitation. When we try to log on to the system, we will be given a challenge. We enter that challenge into our token, along with the PIN number, and the token generates a response. We then type the response back to the system, and in that way authenticate. This is also considered a digital form of a one time password.


The type three authentication is something we are, which are physical characteristics that we or our body has specifically. These are called biometrics and there are many types of it. For example, these can be fingerprints, retina scans, iris scans, facial scans, palm scans, hand geometry, voice recognition, handwriting or keyboard dynamics. Accuracy is the most important characteristic of biometric system. We want to have the most accurate solution implemented. In general, the palm scans are the most accurate biometric method, while the keyboard dynamics is the least accurate method. When someone who roles in to the biometrics system, they have to define an initial reference profile that will be used as template. This is the first time that a digital representation of their biometric factors are recorded. When considering biometric systems, we have to take into account the acceptability issues. We have to consider how much does a biometric system affect privacy, and how much physical discomfort does it cause. In most cases an iris scan is the most acceptable form of biometric, since it only scans the outside of the eye, and there is no physical contact involved. The retina scan is the least acceptable because it requires physical contact, can be uncomfortable, and can violate privacy (can reveal medical conditions).

Authentication Strength

When configuring our system to be more secure, we might consider multi-factor authentication. This means that we will require two or more authentication types in order to authenticate the user. If we decide that we will use two different authentication types, we call this Two-factor authentication.

When we talk about the Strong authentication, it means that we use two or more authentication steps, but they can be the same authentication type (or different).

When we talk about mutual authentication, it means that both parties (client and server) authenticate each other. This helps reduce the possibility of the man-in-the-middle attacks.