Authentication refers to the efforts a party makes to verify another’s claim, such as a person’s claim to their identity. In technology, authentication means taking steps to answer the question, “Am I who I say I am?”
The verifying party, meaning the person or entity that is granting access, can authenticate using different methods: firsthand knowledge of the outside party; comparing attributes against what is known when direct knowledge is unavailable; or using documentation to support the claims. When authenticating users to an online service, direct knowledge is unrealistic, so the service makes a best effort to verify that the credentials a person presents are the ones given by the system administrators. Hence, authentication to online services is not foolproof.
To authenticate a person, the service requires the user to present one or more of three authentication factors: knowledge, or something the user knows; possession, or something the user has; or inherence, or something the user is or that is unique to the user (biometrics). Strong authentication is authentication with more than one layer, or factor, of authentication. By definition, strong authentication includes two-factor authentication (2FA) or multi-factor authentication (MFA).
Another form of authentication is continuous authentication, which uses contextual information about the user and their circumstances, all measured against the risk at hand. Contextual inputs include device data, geolocation, time of day, and others. With continuous authentication, if the user’s baseline attributes can be verified from context at the start of a session, they are granted access. But if the user wants to perform riskier tasks during the session, they are prompted to present additional factors. This is called step-up authentication.
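The step-up flow described above, sketched as an added example that is not part of the original page. The credential names, action names and policy numbers are constructed assumptions; the sketch shows that factors are counted by category (two knowledge credentials are still one factor) and that deviations from the baseline context raise the requirement mid-session.

```python
from dataclasses import dataclass, field

# Constructed mapping of credential types to the three factor categories.
FACTOR_OF = {"password": "knowledge", "security_question": "knowledge",
             "totp_app": "possession", "hardware_key": "possession",
             "fingerprint": "inherence"}

# Hypothetical policy: distinct factor categories each action needs
# when the context matches the user's baseline.
BASE_FACTORS = {"read_feed": 1, "change_email": 2, "transfer_funds": 2}

@dataclass(frozen=True)
class Context:
    device_id: str
    country: str
    hour: int  # local hour of day, 0-23

@dataclass
class Session:
    baseline: Context                            # context the user normally logs in from
    verified: set = field(default_factory=set)   # credential types verified so far

    def factor_count(self) -> int:
        # Two credentials of the same category still count as one factor.
        return len({FACTOR_OF[c] for c in self.verified})

def anomalies(baseline: Context, now: Context, hour_window: int = 3) -> int:
    """Count contextual signals that deviate from the user's baseline."""
    # Circular distance on a 24-hour clock, so 23:00 and 01:00 are 2 hours apart.
    hour_gap = min((now.hour - baseline.hour) % 24, (baseline.hour - now.hour) % 24)
    return sum([now.device_id != baseline.device_id,
                now.country != baseline.country,
                hour_gap > hour_window])

def decide(session: Session, now: Context, action: str) -> tuple:
    """Return ("allow", 0), or ("step_up", n) with n extra factor categories to request."""
    # Unknown actions fail closed: they require all three factor categories.
    base = BASE_FACTORS.get(action, 3)
    needed = min(3, base + anomalies(session.baseline, now))
    missing = needed - session.factor_count()
    return ("allow", 0) if missing <= 0 else ("step_up", missing)
```
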
“Logging into a social account is fast and easy, since the platform only requires a username and password. I hear they’re changing their authentication mode to 2FA. How’s that going to affect my login experience?”