Authentication Protocols 101: Definition, Types, and When to Use
Authentication is the process of confirming that a user is who that person claims to be. An authentication protocol is the method you use to accomplish that task.
Several authentication protocols exist. None are 100 percent foolproof. Choose your method carefully, however, and you will reduce the risk of hacking and data theft.
What are authentication protocols?
An authentication protocol allows the receiving party (such as a server) to verify the identity of another party (such as a person using a mobile device to log in). Almost every single computer system uses some kind of network authentication to verify users.
As more critical information is stored electronically, and as hackers become more and more adept at theft, authentication becomes more important. Without it, losses can be significant. For example, Deloitte experienced a data breach in 2017 that exposed client email (including some tied to government agencies). Authentication may never keep your information perfectly secure. But it can make theft harder to accomplish. Hackers may move to a different target if your servers are too difficult to penetrate.
Types of authentication protocol
IT administrators have plenty of options available to them. We'll list a few here, but know there are many more.
The five most common authentication methods companies use include the following:
- Kerberos: If you work within the Windows environment, you've used this protocol. The system leans on symmetric keys pulled from a centralised key distribution centre. While the protections are significant, Kerberos isn't perfect. In 2020, Kerberos stopped working after a system update.
- LDAP: As we explained in a recent blog post, companies store usernames, passwords, email addresses, printer connections, and other static data within directories. LDAP is an open, vendor-neutral application protocol for accessing and maintaining that data.
- OAuth 2.0: If you've ever used a login from another site (like Facebook) to get into a new site (like The New York Times), you've used OAuth 2.0. An application pulls resources on your behalf, and you don't have to share credentials. This system can also be hacked, as GitHub discovered in 2020.
- Remote authentication dial-in user service (RADIUS): You provide a username and password, and the RADIUS system verifies the information by comparing it to data in a database.
- SAML: This XML-based protocol exchanges authentication data between IdPs and service providers.
These are five other types of authentication protocols to know:
- Challenge-Handshake Authentication Protocol (CHAP): This system reauthenticates users periodically, even within the same session. Each challenge is different from the last version.
- DIAMETER: This protocol provides a framework for authentication and accounting messages. It's derived from RADIUS, and it's considered an improvement upon that protocol.
- Extensible authentication protocol (EAP): Wireless networks and point-to-point connections often lean on EAP.
- Password authentication protocol (PAP): A user submits a username and password, which the system compares to a database.
- TACACS: Accomplish IP-based authentication via this system. Later versions of this protocol include encryption.
How to choose among authentication protocols
With so many options, how can you choose the version that's right for you?
Consider your:
- Application needs. What systems and resources require access? How significant or private are they?
- Infrastructure. What protocols can you launch without overhauling your existing system?
- Effort. How much training or programming will you need before you can get started?
- Future. Can the system grow and change with your company?
References
When Two-Factor Authentication Fails: Rethinking the Approach to Identity Security. (February 2018). Forbes.
Windows Kerberos Authentication Breaks Due to Security Updates. (November 2020). Bleeping Computer.
Hackers Stole GitHub and GitLab OAuth Tokens From Git Analytics Firm Waydev. (July 2020). ZDNet.