Modern authentication: an overview
Learn about modern authentication and what technologies define it. Discover how it helps organizations defend against sophisticated threats while allowing users to stay productive.
au·then·ti·ca·tion
/əˌTHen(t)əˈkāSHən,ôˈTHen(t)əˈkāSHən,äˈTHen(t)əˈkāSHən/
noun
The process or action of proving or showing something to be true, genuine, or valid.
"the prints will be stamped with his seal and accompanied by a letter of authentication"
- In computing: the process or action of verifying the identity of a user or process.
"user authentication for each device ensures that the individual using the device is recognized by the company”
Authentication is everywhere.
Anyone who’s ever tried to withdraw money from a bank, requested copies of medical records or used a computer in the last three decades is familiar with the process of providing proof that confirms the person is who they say they are, and by extension, has permission to access whatever they are requesting.
In computing, authentication is the gate in front of information whose owner wants to limit who may read, write, modify, execute and/or delete it as part of their job. Authentication establishes who is asking; authorization, which follows it, decides what that identity may do.
Cylinder seals, created around 3500 B.C., are recognized as the earliest form of authentication. And while the stonework used to make them was difficult to reproduce, by today's standards something far harder to forge and to repudiate is needed to safeguard our systems of data, storage and communication from modern-day threats.
In this blog, that is precisely what we cover: modern authentication used in computing, including:
- An explanation of what constitutes modern authentication
- Its key components
- The features of modern authentication methods
- Examples and use cases in real-world applications
What is modern authentication?
Hopping into our DeLorean to travel back to the future, from 3500 B.C. to the 21st century: modern authentication, defined simply, is a method of verifying users' identities through the use of multiple factors rather than a single secret.
Data security is a paramount concern for enterprises and users alike, and with users now averaging 3.6 devices each globally, keeping data safe as it is stored on and shared across multiple devices became a challenge that traditional methods of authentication could not address (more on these differences later). To meet today's needs, new components were developed to keep data, devices and users safe from unauthorized access. We go into further detail on each component in the following sections, but for now, the list of components is as follows:
- Authentication methods
  - Multi-Factor Authentication (MFA)
  - Passwordless authentication
  - Biometrics
  - Adaptive authentication
  - Single Sign-On (SSO)
- Authorization and federation methods
  - OAuth
  - OpenID Connect (OIDC)
  - Security Assertion Markup Language (SAML)
  - Conditional access policies
Authentication methods: traditional vs modern
While history tells us that the need to authenticate something has always existed, be it a decree from the king or a document bound to a specific individual, every advance in technology has also raised the bar for how confidential data must be safeguarded.
For example, traditional authentication methods that are still in use today center on passwords or PIN codes to keep access tucked away. Notice I didn't say "safely" tucked away: while that worked well enough for decades, today's threat actors combine multiple techniques, such as dictionary attacks, social engineering campaigns, vulnerability exploitation and, new to the stage, artificial intelligence (AI) and machine learning (ML) tooling. A secret that is the only factor protecting information can be guessed, bypassed or simply handed over by its owner.
Modern authentication methods rely on multiple authentication factors, robust authorization protocols and conditional (or context-aware) security policies to assess, granularly, a user's claim to be who they say they are. By combining multiple factors in the authentication workflow, the organization shifts from the traditional model, in which a single factor is implicitly trusted, to a modern one in which two or more factors are explicitly verified before an access request is approved. Should a request pass one level of verification (e.g., the password) but fail the next (e.g., the MFA challenge), access to the protected resource remains denied, keeping data safe.
Key features of modern authentication
Moving on from traditional authentication methods and their weaknesses, in this section we flesh out in greater detail the various controls that make up modern authentication and explain what makes them different and better suited to address today’s security concerns.
Multi-Factor Authentication (MFA)
MFA refers to the use of more than one differing factor to verify the identity of a user more accurately. The premise is that an attacker must defeat each factor independently to obtain access to a protected resource, which is why the factors must be of different kinds: a password plus a security question is two secrets, not two factors.
As mentioned above, "differing factors" means that a proper implementation of MFA requires at least two distinct categories from the list below:
- Something you know (e.g., a password, PIN or recovery code)
- Something you are (e.g., biometrics such as a fingerprint, voice, retina or face scan)
- Something you have (e.g., a Common Access Card (CAC), an RSA fob or security key, or an authenticator app or token that generates one-time passwords (OTPs)). A code delivered by SMS proves possession of a phone number rather than of a device and is the weakest form of this factor.
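As an added example (not code from the original post or from Jamf), here is the arithmetic behind the "something you have" factor: the RFC 6238 time-based one-time password that an authenticator app or hardware token computes, together with the server-side check. The verifier tolerates one time step of clock drift, compares in constant time, and refuses to accept the same code twice, which is the replay check a naive implementation forgets. The seed, step size and type names are assumptions for the demo; the seed is the one published with the RFC 4226 and RFC 6238 test vectors, so the codes it produces can be checked against those tables.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

// hotp derives an RFC 4226 one-time code from a shared secret and a counter.
func hotp(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f // dynamic truncation, RFC 4226 section 5.3
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// totp is RFC 6238: HOTP over a counter derived from the Unix time and a time step.
func totp(secret []byte, unixTime, step int64, digits int) string {
	return hotp(secret, uint64(unixTime/step), digits)
}

// totpVerifier is the server side of the "something you have" check.
type totpVerifier struct {
	secret      []byte
	step        int64
	digits      int
	skew        int64  // time steps of clock drift tolerated on either side of now
	used        bool
	lastCounter uint64 // highest counter already redeemed: each code is valid once
}

// Verify accepts a code that matches any step inside the skew window and has not been
// redeemed before. The comparison is constant-time and the loop does not stop at the
// first hit, so response timing does not reveal which step (if any) matched.
func (v *totpVerifier) Verify(code string, now int64) bool {
	if len(code) != v.digits {
		return false
	}
	current := now / v.step
	matched := false
	var matchedCounter uint64
	for d := -v.skew; d <= v.skew; d++ {
		c := uint64(current + d)
		if subtle.ConstantTimeCompare([]byte(hotp(v.secret, c, v.digits)), []byte(code)) == 1 {
			matched = true
			matchedCounter = c
		}
	}
	if !matched {
		return false
	}
	if v.used && matchedCounter <= v.lastCounter {
		return false // replay of a code that was already accepted
	}
	v.used, v.lastCounter = true, matchedCounter
	return true
}

func main() {
	// Constructed demo seed (the RFC test-vector secret); real seeds are random and
	// provisioned out of band, typically via a QR code.
	secret := []byte("12345678901234567890")
	now := time.Now().Unix()
	v := &totpVerifier{secret: secret, step: 30, digits: 6, skew: 1}
	code := totp(secret, now, 30, 6)
	fmt.Println("code:", code, "first use:", v.Verify(code, now), "replay:", v.Verify(code, now))
}
```

The replay guard is what turns a TOTP check into a one-time check: without it, a code captured by a phishing proxy remains valid for the whole skew window.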
Passwordless authentication
MFA combines multiple factors to validate a user's identity before granting access, and it handles that task with aplomb most of the time. But most of the time, one of those factors, "something you know," is still implemented as the tried-and-true password.
The problem is that passwords have been proven easy to defeat, by threat actors and security practitioners alike. That renders the practice "tired-and-truly insecure," all the more so as users suffer password fatigue: our minds struggle to create, let alone remember, a unique password for every device, website and service we use.
Add threats like phishing and attacks that mimic password prompts to trick users into handing over their secrets, and the case for passwordless authentication becomes clear. Passwordless authentication leverages trusted devices that hold a key or certificate in hardware and can attest to it. It then combines that device binding with other factors: SMS or time-sensitive push notifications tied to a secure app on your mobile device, biometrics, or all three. Of these, SMS is the weakest link, since a phone number can be ported or the code phished; device-bound credentials are preferable.
A passwordless workflow that’s integrated with your identity provider (IdP) seamlessly verifies that the user is who they claim to be and never requires the use of an unsafe password.
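An added example, not from the original post or from Jamf, of the core of a passwordless login: the device holds a private key, the server holds only the public key, and a login is a signature over a fresh challenge that is bound to the site's identifier. This is the pattern FIDO2/WebAuthn passkeys use; the message layout, relying-party IDs, user name and the in-memory server are simplifications assumed for the demo, not the WebAuthn wire format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// authenticator is the user's device. The private key is generated on the device and
// never leaves it; only the public key is sent to the server at enrollment.
type authenticator struct {
	priv ed25519.PrivateKey
}

// Sign answers a challenge for the site the device is actually talking to. Binding that
// relying-party ID into the signed message is what makes the scheme phishing-resistant.
func (a *authenticator) Sign(rpID string, challenge []byte) []byte {
	return ed25519.Sign(a.priv, signedMessage(rpID, challenge))
}

func signedMessage(rpID string, challenge []byte) []byte {
	return append([]byte(rpID+"\x00"), challenge...)
}

// server stores public keys only: there is no password hash to steal and nothing to phish.
type server struct {
	rpID       string
	keys       map[string]ed25519.PublicKey
	challenges map[string][]byte // one outstanding challenge per user
}

func newServer(rpID string) *server {
	return &server{rpID: rpID, keys: map[string]ed25519.PublicKey{}, challenges: map[string][]byte{}}
}

func (s *server) Enroll(user string, pub ed25519.PublicKey) { s.keys[user] = pub }

// BeginLogin issues a fresh random challenge; it replaces any challenge still pending.
func (s *server) BeginLogin(user string) ([]byte, error) {
	if _, ok := s.keys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	ch := make([]byte, 32)
	if _, err := rand.Read(ch); err != nil {
		return nil, err
	}
	s.challenges[user] = ch
	return ch, nil
}

// FinishLogin consumes the challenge, so a captured signature cannot be replayed, and
// checks that the enrolled key signed exactly this challenge for this relying party.
func (s *server) FinishLogin(user string, sig []byte) bool {
	ch, ok := s.challenges[user]
	if !ok {
		return false
	}
	delete(s.challenges, user)
	return ed25519.Verify(s.keys[user], signedMessage(s.rpID, ch), sig)
}

// runFlow exercises the three cases worth checking: a genuine login, a replayed
// signature, and a signature obtained by a look-alike phishing site.
func runFlow() (genuine, replay, phished bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // happens on the device at enrollment
	if err != nil {
		return
	}
	dev := &authenticator{priv: priv}
	srv := newServer("login.example.com") // constructed relying-party ID
	srv.Enroll("alice", pub)

	ch, err := srv.BeginLogin("alice")
	if err != nil {
		return
	}
	sig := dev.Sign(srv.rpID, ch)
	genuine = srv.FinishLogin("alice", sig)
	replay = srv.FinishLogin("alice", sig) // the challenge was consumed above

	if ch, err = srv.BeginLogin("alice"); err != nil {
		return
	}
	// The user was lured to a look-alike site that relays the real challenge. The device
	// signs for the origin it actually sees, so the real server rejects the result.
	phished = srv.FinishLogin("alice", dev.Sign("login-example.com.evil.test", ch))
	return
}

func main() {
	genuine, replay, phished, err := runFlow()
	fmt.Println("genuine:", genuine, "replay:", replay, "phished:", phished, "err:", err)
}
```

Two properties do the work here: the challenge is random and single-use, and the relying-party ID is part of what gets signed. Neither depends on the user noticing anything, which is the difference between this and a password typed into a convincing fake.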
Adaptive authentication
A relative newcomer to the authentication space, adaptive (or risk-based) authentication adds a fourth, contextual factor to the three listed previously.
This fourth factor weighs signals about the request rather than a secret the user presents: where the request comes from, the status of the device making it and whether the behavior matches what is normal for that user. AI/ML models are often used to score those signals. Adaptive authentication looks for qualifiers that indicate whether the user's claims are legitimate or whether these variables betray them.
For example, your organization may configure a factor that geolocates the requestor each time a request is made. If a remote user's request for a resource is determined to originate from a location outside the allowed list, an adaptive authentication solution denies the request on those grounds alone, before any password or token is even considered.
Single Sign-On (SSO)
SSO lets a user authenticate once and then access many independent but trusting applications. When those applications span organizations or domains, sharing identity attributes between them is referred to as federation, or federated identity. Generally, the SSO workflow looks something like this:
- A user requests access to a provider (which can be an app, website or service).
- The provider creates an authentication request and redirects the user to the integrated IdP.
- The IdP checks whether the user already holds an authenticated session:
- If yes, the IdP issues a signed assertion or token to the provider, which validates it and grants access to the resource.
- If no, the IdP directs the user to its login portal, where the user enters their credentials (and any additional factors) for the IdP to validate. If verified, the IdP issues the assertion or token to the provider, which validates it and grants access to the resource.
Thanks to its integrated nature, SSO is a boon for both organizations and users alike.
Companies benefit by:
- Extending secure authentication across their infrastructure
- Integrating with their identity and access management (IAM) solution
- Providing a centralized method to authenticate and authorize user requests
- Simplifying management and security of the authentication workflow for IT and Security teams
Users benefit from SSO with:
- One set of credentials to access work-related resources
- Central access to all approved websites, apps and services necessary to perform their work
- Access to all approved resources after authenticating to one resource (i.e., no more entering credentials multiple times a day)
- Consistency in the SSO portal; it functions the same way each time regardless of the device used
Conditional access policies
Conditional access policies, or context-aware policies, refer to a statement (or grouping of statements) used to determine if a user and/or device should be granted access to a protected resource. An administrator can create a policy to check for a particular variable, acting as a requirement that must be met for the resource to be accessible.
The term "variable" is deliberately general, because conditional access policies are highly customizable. You can create one or many policies to meet the unique compliance needs of your organization, and depending on how the solutions in your security stack are integrated, further granularity may be available to customize policies.
Let’s look at an automated workflow that is enabled when Jamf Trusted Access is implemented to protect enterprise resources. Integration between Jamf Connect (identity) and Jamf Protect (security) provides secure authentication, visibility and endpoint security for macOS and mobile devices. Also, by integrating both solutions, Zero Trust Network Access (ZTNA) is enabled, adding context-aware policies for admins to configure through the Jamf Security Cloud.
In our scenario, a user requests access to a protected resource from their personal iPhone that they also use for work. ZTNA is configured to check credential and device health and proceeds to authenticate the user’s account without issue.
Next, ZTNA scans the user’s device in real time and uses rich telemetry data to compare the device’s security posture to the baseline established by your organization. It is determined that the device is compromised and a vulnerable app has been exploited. Because ZTNA operates under the stipulation "never trust — always verify," access is denied to the protected resource.
But that’s not all. Because the device is out of compliance, this triggers a workflow to automatically remediate the endpoint by updating the vulnerable app. Once this has occurred, ZTNA once again scans the device to verify that the device is compliant.
If so, then and only then is access to the requested resource approved. Unlike SSO however, each time a request is made, ZTNA seamlessly verifies credentials and device health before access can be granted to prevent introducing risk from compromised credentials and/or devices.
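The adaptive-authentication checks above (location, device state) and the ZTNA scenario just described are both policy evaluation over the context of a request. As an added example that is not Jamf's code or configuration, the following models that evaluation: a rule set, the per-request decision, and the remediate-then-re-evaluate loop. The decision names, posture strings, country list, resource names and the remediation step are assumptions made for the demo.

```go
package main

import "fmt"

// Decision is the outcome of evaluating one access request.
type Decision int

const (
	Allow      Decision = iota
	Deny                // refuse outright
	RequireMFA          // step up: come back with a second factor
	Remediate           // refuse now, fix the device, then evaluate again
)

func (d Decision) String() string {
	return [...]string{"allow", "deny", "require-mfa", "remediate"}[d]
}

// Request is the context evaluated on every access, not only at first login.
type Request struct {
	User      string
	Resource  string
	Country   string // from geolocation of the client address
	MFADone   bool   // a second factor was verified in this session
	Managed   bool   // device is enrolled in management
	Posture   string // constructed states: "compliant", "vulnerable-app", "jailbroken"
	NewDevice bool   // first time this device is seen for this user
}

// Policy is the administrator-defined rule set.
type Policy struct {
	AllowedCountries   map[string]bool
	SensitiveResources map[string]bool
}

// Evaluate applies the rules in order of severity, so a blocked location or an untrusted
// device can never be rescued by satisfying a later, weaker rule.
func (p Policy) Evaluate(r Request) (Decision, string) {
	switch {
	case !p.AllowedCountries[r.Country]:
		return Deny, "request from " + r.Country + " is outside the allowed locations"
	case r.Posture == "jailbroken":
		return Deny, "device integrity cannot be trusted; no automatic remediation"
	case r.Posture == "vulnerable-app":
		return Remediate, "device is out of compliance: vulnerable app must be updated"
	case p.SensitiveResources[r.Resource] && !r.Managed:
		return Deny, r.Resource + " requires a managed device"
	case !r.MFADone && (r.NewDevice || p.SensitiveResources[r.Resource]):
		return RequireMFA, "second factor required for a new device or a sensitive resource"
	}
	return Allow, "all conditions satisfied"
}

// remediate models the automated workflow from the scenario: management updates the
// vulnerable app, after which the device is scanned again.
func remediate(r Request) Request {
	if r.Posture == "vulnerable-app" {
		r.Posture = "compliant"
	}
	return r
}

// requestAccess is the per-request loop: evaluate, remediate if possible, evaluate again.
func requestAccess(p Policy, r Request) (Decision, []string) {
	d, why := p.Evaluate(r)
	trail := []string{d.String() + ": " + why}
	if d == Remediate {
		d, why = p.Evaluate(remediate(r))
		trail = append(trail, d.String()+": "+why)
	}
	return d, trail
}

// demoPolicy is a constructed rule set for the example.
func demoPolicy() Policy {
	return Policy{
		AllowedCountries:   map[string]bool{"US": true, "NL": true},
		SensitiveResources: map[string]bool{"hr-portal": true},
	}
}

func main() {
	// Constructed request: a personal iPhone also used for work, carrying a vulnerable app.
	r := Request{User: "alice", Resource: "wiki", Country: "US", MFADone: true, Managed: true, Posture: "vulnerable-app"}
	d, trail := requestAccess(demoPolicy(), r)
	fmt.Println(d, trail)
}
```

The ordering of the cases is the security-relevant design choice: hard denials first, remediation next, step-up last, so that satisfying MFA never overrides a device the policy has already refused to trust.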
OAuth and OpenID Connect
OAuth and OpenID Connect are protocols used to access web-based applications and services, but they answer different questions: OAuth decides what a client may do, and OIDC establishes who the user is.
OAuth is an authorization framework. It's an open standard for delegating access, such as letting a third-party app use specific information on a user's behalf without the user handing over their credentials and without the third party receiving access to everything.
An example of OAuth in action is granting a scheduling app read-only access to your calendar: the app receives a token scoped to that permission, never your password. The familiar "log in with your social media account" button is built on top of OAuth, but the login itself is OpenID Connect's contribution.
Despite the different name, OpenID Connect is based on the OAuth 2.0 standard and adds an authentication layer atop the authorization framework: a signed ID token that tells the application who authenticated, when and for which client. Because of this, OIDC works similarly to OAuth in practice while adding features such as session management, signed (and optionally encrypted) identity information and provider discovery, and it is one of the protocols used to sign in to cloud-based services such as Office 365, Google Workspace and other SaaS applications.
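As an added example (not from the original post, nor from any provider's SDK), here is the authentication layer OIDC adds, in code: the provider mints an RS256-signed ID token and the relying party validates it. The issuer, client ID, nonce, subject and key are constructed for the demo, the aud claim is handled in its single-string form, and the JWT is built by hand rather than with a library so that every check is visible. The scenarios function exercises the four rejections a relying party must get right: a tampered payload, an "alg": "none" token, an expired token and a nonce mismatch.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding

// idTokenClaims are the claims a relying party must check (aud in its single-string form; the spec also permits an array).
type idTokenClaims struct {
	Iss   string `json:"iss"`
	Sub   string `json:"sub"`
	Aud   string `json:"aud"`
	Exp   int64  `json:"exp"`
	Nonce string `json:"nonce"`
}

func decodeJSON(part string, v interface{}) error {
	raw, err := b64.DecodeString(part)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// mintIDToken plays the OpenID provider: a compact JWS signed with RS256.
func mintIDToken(priv *rsa.PrivateKey, c idTokenClaims) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(c)
	input := b64.EncodeToString(header) + "." + b64.EncodeToString(body)
	h := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	return input + "." + b64.EncodeToString(sig), err
}

// verifyIDToken plays the relying party: pin the algorithm, verify the signature, then check claims.
func verifyIDToken(token string, pub *rsa.PublicKey, issuer, clientID, nonce string, now int64) (*idTokenClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	// Never let the token pick the algorithm: "alg":"none" and HMAC key-confusion attacks both
	// depend on the verifier honouring whatever the attacker wrote into the header.
	var header struct {
		Alg string `json:"alg"`
	}
	if err := decodeJSON(parts[0], &header); err != nil || header.Alg != "RS256" {
		return nil, errors.New("alg must be RS256")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) != nil {
		return nil, errors.New("signature does not verify")
	}
	var c idTokenClaims
	if err := decodeJSON(parts[1], &c); err != nil {
		return nil, err
	}
	switch {
	case c.Iss != issuer:
		return nil, errors.New("issuer mismatch")
	case c.Aud != clientID:
		return nil, errors.New("token was issued to a different client")
	case now >= c.Exp:
		return nil, errors.New("token expired")
	case c.Nonce != nonce:
		return nil, errors.New("nonce mismatch: replayed or injected token")
	}
	return &c, nil
}

// scenarios reports, per case, whether verification succeeded; only "valid" should.
func scenarios() map[string]bool {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	const issuer, client, nonce = "https://idp.example.com", "my-app", "n-0S6_WzA2Mj" // constructed
	now := int64(1700000000)
	tok, _ := mintIDToken(priv, idTokenClaims{Iss: issuer, Sub: "alice", Aud: client, Exp: now + 300, Nonce: nonce})
	ok := func(t string, at int64, n string) bool {
		_, err := verifyIDToken(t, &priv.PublicKey, issuer, client, n, at)
		return err == nil
	}
	p := strings.Split(tok, ".")
	forged, _ := json.Marshal(idTokenClaims{Iss: issuer, Sub: "admin", Aud: client, Exp: now + 300, Nonce: nonce})
	return map[string]bool{
		"valid":       ok(tok, now, nonce),
		"tampered":    ok(p[0]+"."+b64.EncodeToString(forged)+"."+p[2], now, nonce), // new body, old signature
		"alg_none":    ok(b64.EncodeToString([]byte(`{"alg":"none"}`))+"."+p[1]+".", now, nonce),
		"expired":     ok(tok, now+600, nonce),
		"wrong_nonce": ok(tok, now, "other"),
	}
}

func main() {
	fmt.Println(scenarios())
}
```

In production the public key comes from the provider's JWKS endpoint, found via the discovery document the text mentions, and the key is selected by the token's kid header; the order of checks (algorithm, signature, then claims) stays the same.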
Security Assertion Markup Language (SAML)
Like OAuth, SAML is an open standard; unlike OAuth, it is XML-based. Its primary function is to exchange authentication and authorization data across domains, specifically between an organization's IdP and a service provider (SP) such as a website, app or service.
It is one of the main protocols behind SSO, enabling enterprises to federate identities across providers: users authenticate once to the IdP and obtain access to every protected resource they have the appropriate permissions to use. SAML was developed not only to standardize this exchange but also to make seemingly proprietary technologies interoperate.
From a security perspective, SAML ensures that a safe, secure handoff of authenticated sessions occurs. Because password data remains safely with your IdP, service providers don’t ever store account passwords as this information is never shared with them in the first place — only the SAML attributes are shared from the IdP to service providers.
Lastly, customizing the authentication experience via SAML allows administrators to implement additional layers of security controls — such as MFA — to beef up user identity verification.
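To show what "only the SAML attributes are shared" looks like at the service-provider end, and the validation behind the assertion hand-off in the SSO workflow above, here is an added example (not from the original post or from Jamf) that parses a SAML Response and applies the conditions an SP must enforce before trusting the NameID and attributes: issuer, destination and recipient, InResponseTo, validity window, audience and single use. The XML, entity IDs, URLs and user are constructed. The sample is unsigned, and the code assumes XML signature verification has already been done by a proper XML-DSig library; that step is where most SAML vulnerabilities live and should never be hand-rolled.

```go
package main

import (
	"encoding/xml"
	"errors"
	"fmt"
	"time"
)

// Constructed sample of what an IdP posts to the SP's assertion consumer service (signature omitted).
const sampleResponse = `<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" InResponseTo="_req42" Destination="https://sp.example.com/saml/acs">
  <saml:Assertion ID="_a1" IssueInstant="2024-05-01T10:00:00Z"><saml:Issuer>https://idp.example.com</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://sp.example.com/saml/acs" InResponseTo="_req42" NotOnOrAfter="2024-05-01T10:05:00Z"/>
      </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T09:59:00Z" NotOnOrAfter="2024-05-01T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement><saml:Attribute Name="groups">
      <saml:AttributeValue>engineering</saml:AttributeValue><saml:AttributeValue>macadmins</saml:AttributeValue>
    </saml:Attribute></saml:AttributeStatement>
  </saml:Assertion></samlp:Response>`

// Only the fields the SP must check are mapped; local names match whatever prefix the IdP used.
type samlResponse struct {
	XMLName      xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:protocol Response"`
	InResponseTo string   `xml:"InResponseTo,attr"`
	Destination  string   `xml:"Destination,attr"`
	Assertion    struct {
		ID      string `xml:"ID,attr"`
		Issuer  string `xml:"Issuer"`
		NameID  string `xml:"Subject>NameID"`
		Confirm struct {
			Recipient    string `xml:"Recipient,attr"`
			InResponseTo string `xml:"InResponseTo,attr"`
			NotOnOrAfter string `xml:"NotOnOrAfter,attr"`
		} `xml:"Subject>SubjectConfirmation>SubjectConfirmationData"`
		Conditions struct {
			NotBefore    string `xml:"NotBefore,attr"`
			NotOnOrAfter string `xml:"NotOnOrAfter,attr"`
			Audience     string `xml:"AudienceRestriction>Audience"` // single-audience form only
		} `xml:"Conditions"`
		Attributes []struct {
			Name   string   `xml:"Name,attr"`
			Values []string `xml:"AttributeValue"`
		} `xml:"AttributeStatement>Attribute"`
	} `xml:"Assertion"`
}

type serviceProvider struct {
	entityID, acsURL, idpIssuer string
	seen                        map[string]bool // assertion IDs already consumed
}

func newSP() *serviceProvider {
	return &serviceProvider{entityID: "https://sp.example.com", acsURL: "https://sp.example.com/saml/acs", idpIssuer: "https://idp.example.com", seen: map[string]bool{}}
}

// consume applies the checks an SP must make on a bearer assertion and returns the NameID and attributes.
// It assumes the XML signature has ALREADY been verified; on an unsigned document these checks prove nothing.
func (sp *serviceProvider) consume(raw []byte, requestID string, now time.Time) (string, map[string][]string, error) {
	var r samlResponse
	if err := xml.Unmarshal(raw, &r); err != nil {
		return "", nil, err
	}
	a := r.Assertion
	notBefore, e1 := time.Parse(time.RFC3339, a.Conditions.NotBefore)
	notAfter, e2 := time.Parse(time.RFC3339, a.Conditions.NotOnOrAfter)
	confirmAfter, e3 := time.Parse(time.RFC3339, a.Confirm.NotOnOrAfter)
	switch {
	case e1 != nil || e2 != nil || e3 != nil:
		return "", nil, errors.New("unparseable validity window")
	case a.Issuer != sp.idpIssuer:
		return "", nil, errors.New("assertion not from the configured IdP")
	case r.Destination != sp.acsURL || a.Confirm.Recipient != sp.acsURL || r.InResponseTo != requestID || a.Confirm.InResponseTo != requestID:
		return "", nil, errors.New("assertion not addressed to this endpoint and request")
	case now.Before(notBefore) || !now.Before(notAfter) || !now.Before(confirmAfter):
		return "", nil, errors.New("assertion outside its validity window")
	case a.Conditions.Audience != sp.entityID:
		return "", nil, errors.New("assertion intended for another service provider")
	case sp.seen[a.ID]:
		return "", nil, errors.New("assertion replayed")
	}
	sp.seen[a.ID] = true // a bearer assertion is accepted once
	attrs := map[string][]string{}
	for _, at := range a.Attributes {
		attrs[at.Name] = at.Values
	}
	return a.NameID, attrs, nil
}

func main() {
	sp := newSP()
	now, _ := time.Parse(time.RFC3339, "2024-05-01T10:01:00Z")
	fmt.Println(sp.consume([]byte(sampleResponse), "_req42", now))
}
```

Note what the SP ends up holding: a NameID, a set of attributes and a consumed assertion ID. No password ever crosses from the IdP, which is the property the text describes.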
Jamf can help
Jamf makes it easy to holistically manage and secure your infrastructure.
Integrate identity and access management workflows to comprehensively safeguard macOS and mobile devices with Jamf.
Discover authentication with Jamf.