The Plain English Version

Authentication is proving you are who you claim to be. When you log in with a username and password, you are authenticating - proving your identity to gain access to a system.

It is the first step in security: before deciding what you can access (authorisation), the system needs to know who you are (authentication).

Authentication vs Authorisation

Authentication: Who are you? Verifying identity.

Authorisation: What can you do? Determining permissions.

You must authenticate before you can be authorised. They work together but are different concepts.

Authentication Factors

  • Something you know - Passwords, PINs, security questions
  • Something you have - Phone, hardware token, smart card
  • Something you are - Fingerprint, face, voice
  • Somewhere you are - Location-based verification

Using multiple factors (MFA) dramatically improves security. If one factor is compromised, attackers still need the others.
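To make the two-factor idea concrete, here is an added example (not from the original page) in which a login succeeds only when a salted password hash (something you know) and a time-based one-time code from an authenticator app (something you have) both verify; the user's password and the base32 TOTP secret are constructed for the demo.

```python
import base64
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

# Constructed demo credentials for one user. A real store keeps the salt and
# password hash per user and the TOTP secret encrypted, never the password.
_SALT = os.urandom(16)
_STORED_HASH = hashlib.pbkdf2_hmac("sha256", b"correct horse battery", _SALT, 200_000)
# 20-byte shared secret provisioned to the user's authenticator app (constructed).
_TOTP_SECRET = base64.b32decode("JBSWY3DPEHPK3PXPJBSWY3DPEHPK3PXP")


def check_password(password: str) -> bool:
    """Something you know: compare a PBKDF2 hash in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 200_000)
    return hmac.compare_digest(candidate, _STORED_HASH)


def totp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the 30-second time step, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def check_totp(code: str, now: Optional[float] = None, window: int = 1) -> bool:
    """Something you have: accept the current step plus/minus one step of clock drift."""
    step = int((time.time() if now is None else now) // 30)
    return any(hmac.compare_digest(totp(_TOTP_SECRET, step + d), code)
               for d in range(-window, window + 1))


def login(password: str, code: str, now: Optional[float] = None) -> bool:
    """Both factors must pass: a phished or breached password alone is not enough."""
    return check_password(password) and check_totp(code, now)
```

A stolen password fails `login` without the matching code, which is the property MFA adds over password-only authentication.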

Why Passwords Are Not Enough

Passwords are the weakest form of authentication. People reuse them, choose weak ones, fall for phishing, and they get stolen in breaches. Password-only authentication is increasingly inadequate for business systems.

This is why MFA is now essential - and required by frameworks like Cyber Essentials for cloud services.

Modern Authentication

The trend is toward passwordless authentication - using biometrics, hardware keys, or authenticator apps instead of passwords. This is more secure and often more convenient. Technologies like passkeys are making this mainstream.