User Authentication

Most modern websites have password-protected areas. In fact, some websites require a login before granting any access to the site at all. In order to grant access to these privileged areas, it is necessary to authenticate the user. Authentication is the process of confirming a user's identity.

Who can we trust? How do we reliably identify someone, especially online where we cannot see the person? If we could see the person, we could observe them. What data can we trust when seeking an answer? These are the central questions and problems with authentication.

There are three categories of authentication factors which can be used to identify a person.

  • Knowledge
    • Something only the user knows
    • password, PIN code, mother's maiden name
  • Ownership
    • Something only the user has
    • ATM card, mobile phone, credit card CVV code
  • Inherence
    • Something only the user is
    • fingerprints, DNA, voice, signature

These factors are not new or unique to the Internet. Police use fingerprints and DNA. Banks use ATM cards and PIN codes. Our legal systems use signatures on contracts. Even private social clubs use passwords for entry.

The most common online authentication method is Password Authentication. Financial sites, like banks, may require additional information such as a PIN, security questions, or choosing a previously-selected image. These are all factors from the first category, Knowledge: something only the user knows.

It is becoming increasingly common to use other factors for online authentication. Many sites offer (and some even require) Multi-Factor Authentication, where factors from more than one category are required (e.g., knowing the user's password and possessing the user's mobile phone).
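As an added example (not code from the original article), the following Python sketch shows how a site can combine the two factor categories discussed in the preceding paragraphs: a knowledge factor (a password verified against a salted PBKDF2-HMAC-SHA256 hash, so the password itself is never stored) and an ownership factor (an RFC 6238 TOTP code produced by an authenticator app on the user's phone). The username, password, iteration count and user store are constructed for the demo; the TOTP secret is the RFC 6238 reference test key, so the generated codes can be checked against the published test vectors.

```python
import hashlib
import hmac
import os
import struct
import time
from typing import Dict, Optional

# Hypothetical parameters for this demo (not from the original article).
PBKDF2_ITERATIONS = 600_000      # work factor for the password hash
TOTP_STEP = 30                   # seconds per TOTP time step (RFC 6238 default)
TOTP_DIGITS = 6

# Constructed shared secret (the RFC 6238 reference test key). In a real system
# each user gets a random secret, provisioned to their authenticator app once.
DEMO_TOTP_SECRET = b"12345678901234567890"


def hash_password(password: str, salt: Optional[bytes] = None):
    """Knowledge factor at enrollment: store salt + PBKDF2 digest, never the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


def totp(secret: bytes, unix_time: int, step: int = TOTP_STEP, digits: int = TOTP_DIGITS) -> str:
    """Ownership factor: RFC 6238 TOTP (HOTP over the time counter, HMAC-SHA1)."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current code or one step either side to tolerate phone clock drift."""
    matched = False
    for drift in range(-window, window + 1):
        expected = totp(secret, unix_time + drift * TOTP_STEP)
        matched |= hmac.compare_digest(expected, submitted)
    return matched


# Constructed user store: the salt and hash are computed here so the block runs offline.
_salt, _pw_hash = hash_password("correct horse battery staple")
USERS: Dict[str, dict] = {
    "alice": {"salt": _salt, "pw_hash": _pw_hash, "totp_secret": DEMO_TOTP_SECRET},
}
# Dummy record used for unknown usernames so the code path (and its timing) stays uniform.
_DUMMY = {"salt": b"\x00" * 16, "pw_hash": b"\x00" * 32, "totp_secret": b"\x00" * 20}


def authenticate(username: str, password: str, code: str, unix_time: Optional[int] = None) -> bool:
    """Two-factor login: the knowledge factor and the ownership factor must both verify.
    Both checks always run, so the response does not reveal which factor failed."""
    now = int(time.time()) if unix_time is None else unix_time
    record = USERS.get(username, _DUMMY)
    pw_ok = verify_password(password, record["salt"], record["pw_hash"])
    otp_ok = verify_totp(record["totp_secret"], code, now)
    return username in USERS and pw_ok and otp_ok


if __name__ == "__main__":
    t = 59  # RFC 6238 reference time; the 6-digit code for this secret is 287082
    good_pw = "correct horse battery staple"
    print("right password, right code:", authenticate("alice", good_pw, totp(DEMO_TOTP_SECRET, t), t))
    print("right password, wrong code:", authenticate("alice", good_pw, "000000", t))
    print("wrong password, right code:", authenticate("alice", "wrong", totp(DEMO_TOTP_SECRET, t), t))
```

Two design points worth noting: the password check compares digests with `hmac.compare_digest` rather than `==`, and `authenticate` evaluates both factors before combining them, so neither the timing nor the error path tells a caller whether it was the password or the one-time code that was wrong. The drift window in `verify_totp` is the usual trade-off between usability (a phone clock a few seconds off) and the number of codes accepted at any moment.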

Another quickly expanding area is the use of biometrics for authentication. This became much more mainstream when Apple's iPhone added the Touch ID feature, which can read a user's fingerprint.