Authentication Server: Definition, Architecture & Operations

An authentication server manages processes that allow access to a network, application, or system.

Before connecting with a server, users must prove that they are who they say they are. An authentication server handles this delicate work. 

You can embed authentication servers within switches, dedicated computers, or network servers. They can use out-of-the-box software, or they can run on custom code written for your organisation. 

No matter how you set up and deploy them, these servers have a vital role to play in keeping your critical assets safe and protected. 

What is an authentication server?

Is a person visiting your server an imposter? Or is this person someone you both know and trust? Authentication answers those questions. 

Authentication typically begins with a password. Most of us have between 70 and 80 of them, and we're very familiar with what they are and how they work. When we visit sites, we pair passwords with usernames to gain entry. 

Authentication servers can tackle this username/password combination via one of two methods:

  • Single-factor: When the user enters the correct data in both fields, authentication is complete. In this case, the password is the one factor the server verifies. 
  • Multi-factor: The correct username/password combination isn't enough. The site requires one more step to complete authentication. That may involve sending a temporary passcode to a linked device, using a Yubikey, or other methods

Single-factor systems seem simple for users. But it can be hard to remember all of our username/password combinations. Experts recommend using an electronic password manager to lighten the workload. But some users simply reuse the same data from website to website. A hacker with access to the right combination could log in on multiple sites. 

Multi-factor authentication is more secure, as people must jump through two hoops to enter. More than half of all enterprise companies use this method to secure their sites, and more embrace the technology each year.

How does an authentication server work? 

The process of verifying a person's right to access a file happens very quickly. Most users don't notice the delay. But plenty of steps are happening behind the scenes. 

In a single-factor authentication site, the process looks like this:

  1. The user enters a username and password. The site encrypts (or scrambles) that data and sends it to the server. 
  2. The server decrypts (or unscrambles) the data and compares it to information listed in the database. 
  3. If the items entered match a saved combination, authentication is complete. 

More steps are involved in a multi-factor authentication process:

  1. The user enters a username and password. The site encrypts the data and sends it to the server. 
  2. The server decrypts the data and compares it to information saved in the database. 
  3. If the server finds a match, it creates a one-time password that it sends back to the user. A text message sent to a cellphone on file or a note to a key in the user's possession would work. The server creates an open window, ready to accept the one-time password. 
  4. The user receives and enters that one-time password. Authentication is complete. 

Plenty of authentication protocols exist, including Kerberos, RADIUS, and Microsoft NTLM. They all use slightly different technology and coding types. But each one moves users through the steps we've described above. 

Authentication vs. authorisation: What's the difference?

It's easy to confuse two terms that look very similar and that people often use in concert. But it's critical to understand what sets authentication and authorisation apart. 

Put simply, authentication involves verifying a person's identity. Authorisation involves verifying what that user should and should not access. 

An authentication server handles the first step. When the server's work is complete, the person's identity is confirmed. But the authentication server must then work with an authorisation server. This tool releases an access token, opening up the appropriate permissions. 

An example from the physical world might make this relationship clear. Imagine that you're attending a conference of security professionals. When you arrive, you provide your name and email address, and the organisers check that data against a list of registered users. You've moved through authentication.

Then the team looks over the sessions you've registered for and the payments you've made. With that complete, they give you a badge and tickets for various events. You've moved through authorisation and can do what you need to do at the conference. 

Most websites pair authorisation and authentication. For example, colleges use these systems to give students website logins while blocking them from seeing data from their peers.

Learn more about security with Okta

Should you use single-factor authentication? Or do you need the safety only multi-factor authentication can provide? Where should your server sit within your company's architecture?

Security teams have plenty of questions, and it's not always easy to find the answers. Find out how we can help you with multi-factor authentication, user authentication, and more.


New Research: Most People Have 70-80 Passwords. (February 2020). Newswire. 

Study Reveals Average Person Has 100 Passwords. (October 2020). Tech.Co. 

More Enterprises Use Multi-Factor Authentication to Secure Passwords. (October 2019). Security. 

Understanding and Selecting Authentication Methods. (August 2001). TechRepublic. 

Understanding Authentication, Authorisation, and Encryption. Boston University.