Authentication is proof of a claimed property of an entity. To do this, the user authenticates himself to the system, which in turn authenticates him. Authentication is possible using various methods. There are three common ways:
- Proof of knowledge of information (knowledge), such as a password.
- Possession of an object (property), such as a key.
- Biometrics, e.g. fingerprint.
Knowledge can of course be forgotten, shared, passed on and disclosed. It can also be guessed, for example from information that the user himself gives away on social networks. Carrying knowledge around does not require any tools, although password managers are quite useful. Typical examples of knowledge are passwords, PINs and security questions.
Creating a possession (property) costs money, and you also need a fallback if it is lost, broken or stolen. Depending on which object you choose, it can also protect itself. Examples of this are chip cards, RFID cards, physical keys, SIM cards, certificates and much more.
The third one is biometrics, i.e. personal characteristics that everyone carries around with them and that identify them. Biometrics cannot be passed on to other people, but authenticating with it usually requires additional hardware. In addition, some features can become difficult or impossible to recognize, temporarily or permanently, for example due to accidents or FFP2 masks. Biometric methods for authentication include fingerprints, face recognition, typing behavior and voice recognition.
The combination of methods is also known as multi-factor authentication. Often two methods are combined, which is known as two-factor authentication. A suitable combination of methods can reduce the deficits of each, which usually amount to lower security. At the same time, this results in higher costs and effort.
Not all methods are considered equally good. Daniel Miessler gives a brief overview of methods and their attack vectors.