Authentication is a core component of Identity and Access Management (IAM). It has been a leading area of research and product development for decades because basic legacy username/password-based authentication systems are inherently insecure and suffer from usability issues. Password resets are expensive, too.
Various annual surveys show that password compromises are associated with between 70-80% of data breaches while user surveys consistently show that >75% of users want non-password alternatives. For years, security practitioners have advocated for the use of “stronger” passwords in an attempt to thwart the growing problem of compromised passwords. Increasing the length of passwords, adding special characters, and recommending the use of phrases instead of words have been common tactics. However, these do not overcome the user centric problems of having to remember passwords and navigate numerous logins. And all the while password cracking tools used by hackers are evolving.
Strong authentication is usually defined as a combination of at least two of the following factors: something you have, something you know, or something you are. For situations demanding better security, 2-factor cryptographic-based devices such as smartcards and hardware tokens have been used, particularly for enterprise solutions. However, these can suffer from usability and account recovery issues. Occasionally 2-factor authentication systems are broken when the underlying cryptography is broken. Two-factor authentication systems are also generally more expensive, and thus not economically practical for many consumer-facing scenarios, but better for enterprises.
Two-factor and MFA methods have strengths and weaknesses and can adhere to relevant standards. Vendors of IAM and Privileged Access Management (PAM) solutions and Identity providers will use some or all of these with varying levels of success. To understand how identity management works within an organization it is useful to understand how widely used authentication protocols work within an access management architecture to ensure that users and entities access the resources they need to get work done. Finally, selecting appropriate authentication solutions requires understanding business and regulatory requirements as well as current and to-be security portfolios and architectures.