Authentication is the gatekeeper of cybersecurity—it's how systems answer the fundamental question: "Are you really who you claim to be?" When you're tested on this topic, you're not just being asked to list methods. You're being evaluated on your understanding of security trade-offs, attack vectors, and the layered defense strategies that protect everything from your email to critical infrastructure. The methods you'll study here demonstrate core principles like defense in depth, the authentication factor model, and the tension between security and usability.
Don't just memorize what each method does—know why it exists and what threats it addresses. Understanding that passwords fail against credential stuffing while biometrics fail against replay attacks tells examiners you grasp the bigger picture. Each authentication method represents a different answer to the same problem, and knowing when to deploy each one is what separates textbook knowledge from real-world security thinking.
These methods rely on something the user knows—secrets stored in memory rather than physical devices or biological traits. They're the oldest form of digital authentication and remain ubiquitous despite well-documented vulnerabilities.
Compare: Password-based authentication vs. Security questions—both rely on something you know, but passwords are chosen secrets while security questions often use discoverable facts. If an FRQ asks about knowledge-based vulnerabilities, credential stuffing targets passwords while social engineering targets security questions.
Multi-factor authentication combines elements from different factor categories: something you know, something you have, and something you are. The security principle here is defense in depth—compromising one factor shouldn't grant access.
Compare: 2FA vs. MFA—2FA is technically a subset of MFA limited to exactly two factors. The distinction matters: MFA policies may require three or more factors for privileged access, while 2FA sets a minimum baseline. Know that "MFA" in enterprise contexts often implies stricter requirements than basic 2FA.
These methods verify identity through something the user has—a physical device or digital credential that must be present during authentication. The security assumption is that attackers cannot easily obtain or duplicate the possession factor.
Compare: Hardware tokens vs. Digital certificates—both are possession factors, but tokens generate ephemeral codes while certificates use persistent cryptographic keys. Certificates scale better for machine-to-machine authentication; tokens are preferred for human users who might lose devices.
Biometric methods authenticate based on something you are—unique physiological or behavioral characteristics. The key trade-off is convenience versus irrevocability: you can't reset your fingerprint like you can reset a password.
Compare: Biometrics vs. Passwords—biometrics can't be forgotten or shared, but they also can't be changed after a breach. Passwords are revocable but forgettable. This trade-off between irrevocability and convenience is a common exam topic when discussing authentication factor selection.
Federated authentication separates the identity provider (IdP) from the service provider (SP), allowing users to authenticate once and access multiple services. The underlying principle is trust delegation—services trust the identity provider's assertions rather than managing credentials themselves.
Compare: OAuth/OIDC vs. SAML—both enable federated identity, but SAML uses XML and is enterprise-focused while OAuth/OIDC uses JSON and dominates consumer and API authentication. SAML handles authentication natively; OAuth requires OIDC for identity (OAuth alone is authorization-only).
These protocols handle authentication in distributed network environments, solving the challenge of verifying identity across untrusted networks without transmitting passwords in cleartext.
Compare: Kerberos vs. Certificate-based authentication—Kerberos uses symmetric keys and a centralized KDC, while certificates use asymmetric cryptography and distributed trust via CAs. Kerberos excels in controlled enterprise networks; certificates scale better across organizational boundaries.
| Concept | Best Examples |
|---|---|
| Knowledge factors (something you know) | Password-based authentication, Security questions |
| Possession factors (something you have) | Token-based authentication, Certificate-based authentication, Hardware tokens |
| Inherence factors (something you are) | Biometric authentication (fingerprint, facial, iris) |
| Multi-factor strategies | 2FA, MFA |
| Federated identity | SSO, OAuth/OIDC, SAML |
| Network protocols | Kerberos |
| Enterprise-focused solutions | SAML, Kerberos, Certificate-based authentication |
| Consumer-focused solutions | OAuth/OIDC, Biometrics, SMS-based 2FA |
Factor comparison: Which two authentication methods both qualify as "possession factors," and what distinguishes how they prove possession?
Vulnerability analysis: A user's password is compromised in a data breach. Explain why 2FA with an authenticator app protects them while 2FA with security questions might not.
Protocol selection: An enterprise needs to implement SSO across both internal Windows applications and external cloud services. Compare SAML and Kerberos—which would you recommend for each use case and why?
Trade-off analysis: Compare the security and usability trade-offs between biometric authentication and token-based authentication. Under what circumstances might biometrics actually be less secure?
FRQ-style prompt: A company wants to implement authentication for a new mobile banking app. Describe how you would layer multiple authentication methods, identifying which factor category each represents and what specific threats each layer mitigates.