---
title: "Authentication Log — AP Cybersecurity Definition & Exam Guide"
description: "An authentication log records every login attempt to a system, and reading it is how you spot the signs of an online password attack in AP Cybersecurity Unit 1."
canonical: "https://fiveable.me/ap-cybersecurity/key-terms/authentication-log"
type: "key-term"
subject: "AP Cybersecurity"
unit: "Unit 1"
---

# Authentication Log — AP Cybersecurity Definition & Exam Guide

## Definition

An authentication log is a record of login attempts to a device or service, including who tried to log in, when, and from where. In AP Cybersecurity, it's the evidence you read to detect signs of an online password attack, like many failed logins in a short time.

## What It Is

An authentication log is basically the security [camera](/ap-cybersecurity/unit-2/detecting-physical-attacks/study-guide/Kb72LoynxAj68H4P71eN "fv-autolink") footage for logins. Every time someone tries to access a device or service, the system writes down a line: the account name, the time, the device or location, and whether the attempt succeeded or failed.

In [AP Cybersecurity](/ap-cybersecurity "fv-autolink"), you care about this log because it's where the **signs of an [online password attack](/ap-cybersecurity/key-terms/online-password-attack "fv-autolink")** show up (EK 1.2.A.2). An adversary trying common passwords, common patterns, or stolen credentials will leave a trail. The log turns invisible attacker behavior into something you can actually see and flag. If you don't keep the log, you have no way to prove a suspicious login ever happened.

## Why It Matters

This term lives in **[Unit 1](/ap-cybersecurity/unit-1 "fv-autolink"): Introduction to Security**, specifically [topic 1.2](/ap-cybersecurity/unit-1/suspicious-website-logins/study-guide/zppDvyHLHIUFzT3MNwAN "fv-autolink") Suspicious Website Logins. It's the practical backbone of **AP Cybersecurity 1.2.A**, which asks you to identify common signs of a password attack. Those signs are literally patterns in an authentication log: many failed login attempts over a short duration, login attempts at unusual times, and login attempts from unknown devices (EK 1.2.A.1, EK 1.2.A.2). Reading a log is how you connect attacker tactics from 1.2.B (dictionary-based guessing) to the defenses in 1.2.C (strong passwords and MFA). It's the detection side of the same coin as prevention.

## Connections

### [Online Password Attack (Unit 1)](/ap-cybersecurity/key-terms/online-password-attack)

An online password attack is the thing an authentication log is built to catch. Because the attacker has to actually submit guesses to the live login system, every attempt gets recorded, which is why a flood of failed logins in the log is your biggest red flag.

### Brute Force and Dictionary Attacks (Unit 1)

These automated attacks fire off huge numbers of password guesses, so they show up in the log as many rapid failed attempts from the same source. The log's timing and frequency data is exactly what distinguishes an automated tool from one tired person fat-fingering their password.

### [Multifactor Authentication (Unit 1)](/ap-cybersecurity/key-terms/multifactor-authentication)

If a log shows a login from an unknown device, MFA is the reason a correct password alone still won't get the attacker in. The log tells you an attack happened, and MFA (EK 1.2.C.3) is the layer that makes that attempt fail anyway.

## On the AP Exam

Expect this in MCQ stems that describe a scenario and ask you to identify what's suspicious. A question might list an account with dozens of failed logins at 3 a.m. from an unfamiliar device and ask what's happening. Your job is to read those log details and match them to the signs of an online password attack from EK 1.2.A.2. No released FRQ uses the phrase "authentication log" verbatim, but the skill of reading login evidence to diagnose an attack is core to topic 1.2, so be ready to explain WHICH log details point to an attack and why.

## authentication log vs online password attack

An online password attack is the action the adversary takes, repeatedly trying to log in to a live service. An authentication log is the record that captures those attempts. One is the crime; the other is the evidence. You detect the attack BY reading the log.

## Key Takeaways

- An authentication log records every login attempt, including the time, the device, and whether it succeeded or failed.
- The three classic log warning signs are many failed attempts in a short time, logins at unusual hours, and logins from unknown devices (EK 1.2.A.2).
- Online password attacks are detectable in logs because the attacker must submit guesses directly to the live login system.
- Reading a log connects attacker tactics in 1.2.A and 1.2.B to the defenses you recommend in 1.2.C.
- MFA can stop an attacker even when the log shows they had the right password, because it demands a second proof of identity.

## FAQs

### What is an authentication log in AP Cybersecurity?

It's a record of login attempts to a device or service, showing who tried, when, from where, and whether it worked. You read it to spot the signs of an online password attack covered in topic 1.2.

### Can an authentication log actually stop a password attack?

No, by itself it only detects, it doesn't block. The log shows you suspicious activity like a burst of failed logins, but you still need defenses like strong passwords and MFA (EK 1.2.C) to actually stop the attacker.

### How is an authentication log different from an online password attack?

The online password attack is the attacker repeatedly trying passwords against a live service. The authentication log is the evidence trail those attempts leave behind. You catch the attack by reading the log.

### What signs in a log mean someone is being attacked?

Look for many failed login attempts over a short duration, login attempts at unusual times, and login attempts from unknown devices. Those three patterns from EK 1.2.A.2 are the giveaways.

### Would an offline password attack show up in an authentication log?

Usually not, and that's the key difference. Offline attacks crack a stolen password file on the attacker's own machine, so there are no live login attempts to record, which is exactly why online attacks are easier to detect.

## Related Study Guides

- [1.2 Suspicious Website Logins](/ap-cybersecurity/unit-1/suspicious-website-logins/study-guide/zppDvyHLHIUFzT3MNwAN)

## Structured Data

```json
{"@context":"https://schema.org","@graph":[{"@type":"LearningResource","@id":"https://fiveable.me/ap-cybersecurity/key-terms/authentication-log#resource","name":"Authentication Log — AP Cybersecurity Definition & Exam Guide","url":"https://fiveable.me/ap-cybersecurity/key-terms/authentication-log","learningResourceType":"Concept explainer","educationalLevel":"AP® / High School","about":{"@id":"https://fiveable.me/ap-cybersecurity/key-terms/authentication-log#term"},"audience":{"@type":"EducationalAudience","educationalRole":"student"},"dateModified":"2026-06-15T18:59:27.783Z","isPartOf":{"@type":"Collection","name":"AP Cybersecurity Key Terms","url":"https://fiveable.me/ap-cybersecurity/key-terms"},"publisher":{"@type":"Organization","name":"Fiveable","url":"https://fiveable.me"}},{"@type":"DefinedTerm","@id":"https://fiveable.me/ap-cybersecurity/key-terms/authentication-log#term","name":"authentication log","description":"An authentication log is a record of login attempts to a device or service, including who tried to log in, when, and from where. In AP Cybersecurity, it's the evidence you read to detect signs of an online password attack, like many failed logins in a short time.","url":"https://fiveable.me/ap-cybersecurity/key-terms/authentication-log","inDefinedTermSet":{"@type":"DefinedTermSet","name":"AP Cybersecurity Key Terms","url":"https://fiveable.me/ap-cybersecurity/key-terms"},"educationalAlignment":[{"@type":"AlignmentObject","alignmentType":"educationalSubject","educationalFramework":"AP® Course and Exam Description","targetName":"AP Cybersecurity Unit 1, Topic 1.2, LO 1.2.A"},{"@type":"AlignmentObject","alignmentType":"educationalSubject","educationalFramework":"AP® Course and Exam Description","targetName":"AP Cybersecurity Unit 1, Topic 1.2, LO 1.2.B"},{"@type":"AlignmentObject","alignmentType":"educationalSubject","educationalFramework":"AP® Course and Exam Description","targetName":"AP Cybersecurity Unit 1, Topic 1.2, LO 1.2.C"}]},{"@type":"FAQPage","mainEntity":[{"@type":"Question","name":"What is an authentication log in AP Cybersecurity?","acceptedAnswer":{"@type":"Answer","text":"It's a record of login attempts to a device or service, showing who tried, when, from where, and whether it worked. You read it to spot the signs of an online password attack covered in topic 1.2."}},{"@type":"Question","name":"Can an authentication log actually stop a password attack?","acceptedAnswer":{"@type":"Answer","text":"No, by itself it only detects, it doesn't block. The log shows you suspicious activity like a burst of failed logins, but you still need defenses like strong passwords and MFA (EK 1.2.C) to actually stop the attacker."}},{"@type":"Question","name":"How is an authentication log different from an online password attack?","acceptedAnswer":{"@type":"Answer","text":"The online password attack is the attacker repeatedly trying passwords against a live service. The authentication log is the evidence trail those attempts leave behind. You catch the attack by reading the log."}},{"@type":"Question","name":"What signs in a log mean someone is being attacked?","acceptedAnswer":{"@type":"Answer","text":"Look for many failed login attempts over a short duration, login attempts at unusual times, and login attempts from unknown devices. Those three patterns from EK 1.2.A.2 are the giveaways."}},{"@type":"Question","name":"Would an offline password attack show up in an authentication log?","acceptedAnswer":{"@type":"Answer","text":"Usually not, and that's the key difference. Offline attacks crack a stolen password file on the attacker's own machine, so there are no live login attempts to record, which is exactly why online attacks are easier to detect."}}]},{"@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"AP Cybersecurity","item":"https://fiveable.me/ap-cybersecurity"},{"@type":"ListItem","position":2,"name":"Key Terms","item":"https://fiveable.me/ap-cybersecurity/key-terms"},{"@type":"ListItem","position":3,"name":"Unit 1","item":"https://fiveable.me/ap-cybersecurity/unit-1"},{"@type":"ListItem","position":4,"name":"authentication log"}]}]}
```
