Authentication
Authentication is the process of verifying that a user, device, or system is who or what it claims to be, typically before granting access to a resource. It is distinct from authorization, which determines what an authenticated identity is…
Definition
Authentication is the process of verifying that a user, device, or system is who or what it claims to be, typically before granting access to a resource. It is distinct from authorization, which determines what an authenticated identity is allowed to do, and is commonly implemented via passwords, tokens, biometrics, certificates, or multi-factor combinations of these.
Overview
Authentication answers the question 'who are you?' while authorization (a related but separate concept, often confused with it) answers 'what are you allowed to do?'. A system typically authenticates first, then authorizes based on the verified identity's assigned roles or permissions. Authentication factors are traditionally grouped into three categories: something you know (a password or PIN), something you have (a hardware token, phone, or smart card), and something you are (biometrics like a fingerprint or face scan). Single-factor authentication (typically a password alone) is increasingly considered insufficient given widespread credential leaks and phishing; multi-factor authentication (MFA) combines two or more factor categories to substantially raise the bar for attackers, even if one factor (like a password) is compromised. Modern authentication increasingly favors phishing-resistant methods like passkeys (based on public-key cryptography via WebAuthn/FIDO2), which eliminate shared secrets that can be stolen or reused. At a protocol level, authentication in web and API systems is commonly implemented via session cookies, bearer tokens (like JWTs), OAuth 2.0/OpenID Connect for delegated and federated identity (e.g. 'Sign in with Google'), and SAML for enterprise single sign-on (SSO). These protocols separate the act of proving identity from the ongoing mechanism (a token or session) used to represent that proven identity on subsequent requests. Authentication is foundational to nearly every security model, including Zero Trust, where every request must be authenticated (and continuously re-verified) regardless of network location, rather than trusting a session indefinitely once established.
Key Concepts
- Verifies identity ('who are you'), distinct from authorization ('what can you do')
- Factors: knowledge (password), possession (device/token), inherence (biometrics)
- Multi-factor authentication (MFA) combines factors for stronger security
- Passkeys/WebAuthn provide phishing-resistant, passwordless authentication
- OAuth 2.0 and OpenID Connect enable delegated/federated authentication
- SAML supports enterprise single sign-on (SSO) across applications
- Session tokens and JWTs represent a proven identity on subsequent requests
Use Cases
Frequently Asked Questions
From the Blog
Project: Build a Full-Stack To-Do App with React, Node.js and MongoDB
A full-stack to-do app is the perfect first MERN project — it covers every concept you'll use in production: REST APIs, database CRUD operations, JWT authentication, and deploying a frontend and backend separately. Build it once, understand the full stack.
Read More ProgrammingPython Decorators: A Practical Guide for Beginners
Decorators are one of Python's most powerful features — they let you wrap functions with reusable logic without modifying the original. This guide explains how they work from first principles, builds several practical decorators (timing, caching, authentication), and covers class-based decorators and decorator factories.
Read More