Most of us ignore authentication because it is seamless with us using our Active Directory username to log onto a domain-joined Windows 10 PC. But when we expand beyond Windows, there are so many other things to consider.
I avoided learning about authentication for a long time. So many technologies. So many acronyms. So many options. I felt like I needed to start learning more about authentication.
Most of us see authentication as a big, scary, ugly thing that we want to avoid the details, but those details can help in understanding how all of these different authentication options fit into the bigger picture.
For instance, I keep hearing people talk about MFA and how we all need MFA. I keep thinking “Awesome, I’m all for supporting the Minnesota Frisbee Association”. They are the oldest flying disc club in the United States, by the way.
Really, people are often referring to Multi-Factor Authentication. What is MFA? How does it work?
I can’t tell you how MFA works because MFA is not a product. MFA is a term for authentication when we use more than 1 factor. But this is a huge topic and one for future blogs. Before we can talk about the really interesting things with MFA options, we need to understand the basics.
The basis for authentication is the user’s identity… In the computer-world, this typically refers to your username.
How many do you have?
More than you think. I’ve counted 177 unique identities for myself, and I know I am missing many. A unique identity is not simply a different username, like ChuckN or MaxP, because many of us will use the same username across many systems. A unique identity equates to each username contained within a different identity data store (database).
- I have my international travel identity in the form of a passport. That identity is stored by the US State Department.
- I have a local identity in the form of a driver’s license. That identity is stored by the Department of Motor Vehicles for my state.
- I have the identity tied to my debit card, where the identity is stored by the bank.
- I have a Twitter identity (@djfeller) which is stored in Twitter’s identity data store.
- I have an Active Directory identity which is stored in Active Directory’s data store (NTDS.DIT).
- I even had a Blockbuster video rental membership card, which was stored in Blockbuster’s internal database (I’m thinking that identity is no longer useful).
Your identity (credit card, driver’s license, passport or username) is stored in some identity data store.
Somehow, we need to have our identity verified against the identity data store. We aren’t going to give people direct access to the data store (talk about serious security ramifications), so we have a system sitting between the identity and the data store: the Identity Provider (IdP).
An IdP takes our identity and validates it against the identity data store.
- I present my driver’s license (identity) to the bouncer (IdP) at the local bar, who validates it with his eyes (data store). (This is probably not a very secure or trustworthy IdP.)
- I present my passport (identity) to the TSA agent (IdP) at the airport, who verifies the identity against the US State Department (data store).
- I present my bank card (identity) to the ATM machine (IdP), which validates it against my bank (data store).
- I present my domain username (identity) to Active Directory (IdP) which validates against the data store (NTDS.DIT)
So this is pretty basic stuff, and you are probably wondering why you just wasted your time on this. Because we need to understand the basics before we focus on how we provide proof that our identity belongs to us in the form of passwords, 2-step verification, one-time passwords, time-based one-time passwords, biometrics, password managers, SAML, FIDO and so many others.
This is why authentication gets confusing. There are so many ways to do it, and each has little nuances that impact the user experience and security. Stay tuned for more as I continue learning about different ways to authenticate.
Authentication Blog Series: