What are Authentication Protocols?
Authentication protocols are used to manage users’ access to various resources. They are designed to achieve the goals of Authentication, Authorization, and Accounting (AAA).
What is AAA?
Authentication protocols are designed to implement identity and access management (IAM). The three core tasks of IAM include:
- Authentication: As their names suggest, authentication protocols are designed to perform authentication of a user’s identity. This involves verifying that the user is who they claim to be so that the system can apply the appropriate profile and permissions to the user’s request.
- Authorization: Authorization is the process of verifying that the user has the right to perform the requested action. This is typically accomplished by comparing the access and permissions assigned to the user to those required to perform the desired action.
- Accounting: If a user is authenticated and granted access to an application, a system may perform ongoing monitoring of their session. This could range from recording the initial request through logging every action that the user takes on the system. These records are helpful for incident response or demonstrating regulatory compliance.
Different authentication protocols are designed to provide different aspects of AAA. For example, a protocol may only be designed to perform Authentication and Authorization but have little or no Accounting functionality.
Common Authentication Protocols
Authentication protocols are designed to communicate authentication data between different systems. This enables an organization or service to rely on a single authentication provider rather than building it into individual applications.
Numerous authentication protocols exist with varying purposes and target platforms. Some of the most widely used protocols include:
- Kerberos: Developed by MIT, the Kerberos authentication protocol relies on a trusted Key Distribution Center (KDC) to verify users’ identities and issue them a ticket that can be presented to an application to gain access.
- Lightweight Directory Access Protocol (LDAP): LDAP uses a directory structure to store usernames, passwords, and other account attributes. Directory services such as Active Directory expose this information over LDAP so it can be used to authenticate a user’s access to resources.
- Remote Authentication Dial-In User Service (RADIUS): Like Kerberos, RADIUS is an authentication service used to manage access to resources on a network. The RADIUS server centralizes AAA functionality within a single system.
- OAuth2: OAuth2 is a protocol used by websites that allow users to log in via their social media accounts. The Service Provider (Facebook, etc.) will generate an authentication token that it provides to the Consumer (the application the user is trying to access) that validates the user’s identity without them needing to provide credentials to the application.
- Security Assertion Markup Language (SAML): SAML is an XML-based markup language designed for sharing authentication data between identity providers and service providers. It is commonly used by single sign-on (SSO) systems that allow a user to log in once and access multiple applications, services, and systems.
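To make the Kerberos ticket model from the list above concrete, here is a toy ticket exchange (an added example, not from the original page or from MIT's Kerberos implementation). It assumes constructed keys for `alice` and `fileserver`, protects tickets with an HMAC under the service key instead of encrypting them, and derives the session key from the ticket fields so the service can recompute it; the KDC-to-client leg that would encrypt the session key to the client is not modelled.

```python
import hashlib
import hmac
import json

MAX_SKEW = 300  # seconds; Kerberos tolerates roughly five minutes of clock skew

def keyed_mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def kdc_issue_ticket(kdc_keys: dict, client: str, proof: bytes, service: str, now: float, ttl: int = 300):
    """KDC: check the client's pre-authentication, then mint a ticket for `service`."""
    if not hmac.compare_digest(proof, keyed_mac(kdc_keys[client], str(int(now)).encode())):
        raise PermissionError("client pre-authentication failed")
    fields = json.dumps({"client": client, "service": service,
                         "expires": int(now) + ttl}, sort_keys=True).encode()
    # Only the KDC and the service hold the service key, so only they can mint or verify tickets.
    ticket = fields + b"|" + keyed_mac(kdc_keys[service], fields)
    # The session key is derived from the ticket, so the service can recompute it later.
    session_key = keyed_mac(kdc_keys[service], b"session|" + fields)
    return ticket, session_key  # real Kerberos returns session_key encrypted to the client (not modelled)

def client_authenticator(session_key: bytes, now: float) -> bytes:
    """Client: prove possession of the session key over a fresh timestamp."""
    ts = str(int(now)).encode()
    return ts + b"|" + keyed_mac(session_key, ts)

def service_accept(service: str, service_key: bytes, ticket: bytes, authenticator: bytes, now: float) -> str:
    """Service: validate the ticket with its own key; the client's password is never involved."""
    fields, _, tag = ticket.partition(b"|")  # the JSON fields contain no '|', the raw tag might
    if not hmac.compare_digest(tag, keyed_mac(service_key, fields)):
        raise PermissionError("ticket forged or not issued under this service's key")
    t = json.loads(fields)
    if t["service"] != service or now > t["expires"]:
        raise PermissionError("ticket expired or addressed to another service")
    ts, _, auth_tag = authenticator.partition(b"|")
    if abs(now - int(ts)) > MAX_SKEW:
        raise PermissionError("authenticator too old: possible replay")
    if not hmac.compare_digest(auth_tag, keyed_mac(keyed_mac(service_key, b"session|" + fields), ts)):
        raise PermissionError("authenticator does not match the ticket's session key")
    return t["client"]

def demo(now: float = 1_700_000_000.0) -> str:
    """One complete login with constructed sample keys; returns the authenticated principal."""
    keys = {"alice": b"alice-long-term-key", "fileserver": b"fileserver-key"}  # constructed sample keys
    proof = keyed_mac(keys["alice"], str(int(now)).encode())  # client pre-authenticates to the KDC
    ticket, session_key = kdc_issue_ticket(keys, "alice", proof, "fileserver", now)
    return service_accept("fileserver", keys["fileserver"], ticket,
                          client_authenticator(session_key, now), now)
```

The service accepts the ticket without ever holding `alice`'s key, and an expired ticket, a ticket checked under a different service key, or a stale authenticator is rejected.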
Authentication protocols make it easier to implement IAM by enabling authentication and authorization information to be communicated securely between different software and systems. These protocols are commonly used to implement centralized identity management within an organization or to support SSO on the Web.