Authentifizierung (Authentication)
The identity verification process: Anyone who claims to be someone must prove it—through something they know (password), have (token), or are (biometrics).
Authentication is the process by which a system verifies and confirms the claimed identity of a user, device, or service. It is the gatekeeper of every IT security architecture.
Authentisierung vs. Authentifizierung vs. Authorization
These three terms are often confused:
| Term | Meaning | Example |
|---|---|---|
| Authentisierung (authentication, user side) | The user claims an identity and presents proof of it | "I am Max Müller, here is my password" |
| Authentifizierung (authentication, system side) | The system verifies the claimed identity | System checks: Does the password match "Max Müller"? |
| Authorization | Granting of permissions after successful identity verification | Max Müller has access to folder X, but not to Y |
In practice, "Authentisierung" and "Authentifizierung" are often used interchangeably (English renders both as "authentication"); both refer to the login process. Technically speaking: the user authenticates themselves (authentisiert sich); the system verifies the user (authentifiziert).
The Three Authentication Factors
All authentication methods are based on one or more of these factors:
1. Knowledge (Something you know):
- Password, PIN, security question
- Weakest factor—passwords can be stolen, guessed, or leaked
2. Possession (Something you have):
- Hardware token (YubiKey, RSA SecurID)
- Smartphone (TOTP app such as Google Authenticator)
- Smart card, bank card reader
- Stronger than knowledge—the token must be physically present
3. Inherence (Something you are):
- Fingerprint, facial recognition, iris scan, voice recognition
- Biometric characteristics are immutable and cannot be shared—but also cannot be reset if compromised
Authentication Methods
Password Authentication:
- Standard, widely used, well understood
- Weaknesses: Password reuse, weak passwords, credential stuffing
- Best practice: Minimum length of 12+ characters, password manager, no password reuse
Multi-factor authentication (MFA): Combination of at least two different factors. Significantly more secure than single-factor authentication.
TOTP (Time-based One-Time Password):
- App generates a new 6-digit code every 30 seconds (RFC 6238)
- Protects against password replay attacks
- Does NOT protect against AiTM phishing (the attacker relays the freshly entered code in real time, so it is valid when the server sees it)
FIDO2 / Passkeys (phishing-resistant):
- Uses asymmetric cryptography
- Private key never leaves the device
- Server stores only the public key
- No password transmitted – phishing does not work
- BSI and NIST recommend FIDO2 as the most secure authentication method
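The FIDO2 bullets above describe a challenge-response over asymmetric keys; the following added example (not code from the original page, and not the WebAuthn library API) models it in Go with Ed25519 from the standard library. The server stores only the public key and the registered origin; the authenticator signs a hash of the client data, which the browser fills with the server's challenge and the origin the page is actually on. The origin check is what makes the scheme phishing-resistant: an assertion produced while the browser sits on a different origin is rejected even though the challenge is genuine. The origins, the `Credential`/`Authenticator` types and the plain SHA-256-over-JSON signing input are simplifications assumed for this example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Credential is what the relying party (server) stores after registration:
// the public key and the origin it was registered for. Nothing secret.
type Credential struct {
	PublicKey ed25519.PublicKey
	Origin    string
}

// Authenticator stands in for the user's device. The private key is created
// here and never leaves this struct.
type Authenticator struct {
	priv ed25519.PrivateKey
}

// clientData mirrors the WebAuthn clientDataJSON: the server's challenge plus
// the origin the browser is actually on. The browser fills in the origin; a
// web page cannot choose it.
type clientData struct {
	Challenge []byte `json:"challenge"`
	Origin    string `json:"origin"`
}

// Register generates a key pair; the server keeps only the public half.
func Register(origin string) (Credential, *Authenticator, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Credential{}, nil, err
	}
	return Credential{PublicKey: pub, Origin: origin}, &Authenticator{priv: priv}, nil
}

// NewChallenge returns 32 random bytes; the server keeps them for one attempt.
func NewChallenge() []byte {
	ch := make([]byte, 32)
	if _, err := rand.Read(ch); err != nil {
		panic(err)
	}
	return ch
}

// Sign produces the assertion: the signature covers the hash of clientData,
// so it is bound to both the challenge and the origin the browser reports.
func (a *Authenticator) Sign(challenge []byte, browserOrigin string) (clientDataJSON, sig []byte, err error) {
	clientDataJSON, err = json.Marshal(clientData{Challenge: challenge, Origin: browserOrigin})
	if err != nil {
		return nil, nil, err
	}
	digest := sha256.Sum256(clientDataJSON)
	return clientDataJSON, ed25519.Sign(a.priv, digest[:]), nil
}

// Verify is the server side: the origin must be the registered one, the
// challenge must be the one issued for this attempt, and the signature must
// verify under the stored public key. No shared secret is ever compared.
func Verify(cred Credential, issued, clientDataJSON, sig []byte) bool {
	var cd clientData
	if err := json.Unmarshal(clientDataJSON, &cd); err != nil {
		return false
	}
	if cd.Origin != cred.Origin || !bytes.Equal(cd.Challenge, issued) {
		return false
	}
	digest := sha256.Sum256(clientDataJSON)
	return ed25519.Verify(cred.PublicKey, digest[:], sig)
}

func main() {
	const rp = "https://login.example.com" // assumed relying-party origin
	cred, auth, err := Register(rp)
	if err != nil {
		panic(err)
	}
	ch := NewChallenge()
	cd, sig, _ := auth.Sign(ch, rp)
	fmt.Println("genuine login verifies:", Verify(cred, ch, cd, sig))
	// The same challenge forwarded by a proxy on another origin: the browser
	// signs over that origin, so the relying party rejects the assertion.
	cd2, sig2, _ := auth.Sign(ch, "https://proxy.example.net")
	fmt.Println("relayed assertion verifies:", Verify(cred, ch, cd2, sig2))
}
```

The contrast with TOTP is the point of the example: a one-time code is the same six digits whoever forwards it, whereas this assertion carries the origin inside the signed data, so forwarding it from elsewhere changes nothing the attacker can fix without the private key.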
Biometrics:
- Increasingly widespread (Face ID, Touch ID, Windows Hello)
- Advantage: User-friendly, no password required
- Risk: Biometric data cannot be reset; deepfake attacks are on the rise
Certificate-based Authentication:
- PKI certificate as proof of identity
- Commonly used for machine identities (mTLS), VPN clients, SSH connections
Authentication Attacks
Brute Force: Automated trial-and-error testing of all password combinations.
- Countermeasure: Account lockout, rate limiting, CAPTCHA
Credential Stuffing: Testing stolen password lists from data breaches at other services.
- Countermeasure: MFA, HIBP (Have I Been Pwned) monitoring, password spray detection in SIEM
Pass-the-Hash: Windows attack that uses NTLM hashes directly for authentication—without a plaintext password.
- Countermeasure: Kerberos instead of NTLM, Protected Users group, EDR
AiTM Phishing (Adversary-in-the-Middle): Phishing kit acts as a proxy and intercepts session cookies—bypasses TOTP MFA.
- Countermeasure: FIDO2/Passkeys (phishing-resistant)
Social Engineering: User is tricked into revealing credentials or MFA codes.
- Countermeasure: Security awareness training, FIDO2
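The brute-force and credential-stuffing entries above both point at the same detection logic: rate limiting and lockout need a per-account failure counter, and password spray detection in a SIEM needs a per-source counter of distinct accounts. The added Go example below (not code from the original page) implements both rules as a sliding window over parsed authentication log lines. The log format, the sample lines, the addresses (documentation ranges) and the thresholds (five failures per account, five distinct accounts per source, within five minutes) are constructed for this example.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// AuthEvent is one parsed login attempt.
type AuthEvent struct {
	Time    time.Time
	User    string
	Source  string
	Success bool
}

// sampleLog is constructed for this example (not real data): one source
// trying many accounts once each (spray), one account hit repeatedly from one
// source (brute force), a normal success and a single mistyped password.
const sampleLog = `2024-05-01T10:00:00Z user=alice src=203.0.113.10 result=failure
2024-05-01T10:00:01Z user=bob src=203.0.113.10 result=failure
2024-05-01T10:00:02Z user=carol src=203.0.113.10 result=failure
2024-05-01T10:00:03Z user=dave src=203.0.113.10 result=failure
2024-05-01T10:00:04Z user=erin src=203.0.113.10 result=failure
2024-05-01T10:00:05Z user=frank src=203.0.113.10 result=failure
2024-05-01T10:01:00Z user=admin src=198.51.100.7 result=failure
2024-05-01T10:01:01Z user=admin src=198.51.100.7 result=failure
2024-05-01T10:01:02Z user=admin src=198.51.100.7 result=failure
2024-05-01T10:01:03Z user=admin src=198.51.100.7 result=failure
2024-05-01T10:01:04Z user=admin src=198.51.100.7 result=failure
2024-05-01T10:02:00Z user=alice src=192.0.2.20 result=success
2024-05-01T10:02:30Z user=bob src=192.0.2.21 result=failure`

// parseLog reads "<RFC3339 time> user=<u> src=<ip> result=<success|failure>"
// lines, in time order, and rejects anything malformed.
func parseLog(raw string) ([]AuthEvent, error) {
	var events []AuthEvent
	for _, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		fields := strings.Fields(line)
		if len(fields) != 4 {
			return nil, fmt.Errorf("malformed line: %q", line)
		}
		ts, err := time.Parse(time.RFC3339, fields[0])
		if err != nil {
			return nil, err
		}
		ev := AuthEvent{Time: ts}
		for _, f := range fields[1:] {
			k, v, ok := strings.Cut(f, "=")
			if !ok {
				return nil, fmt.Errorf("malformed field: %q", f)
			}
			switch k {
			case "user":
				ev.User = v
			case "src":
				ev.Source = v
			case "result":
				ev.Success = v == "success"
			}
		}
		events = append(events, ev)
	}
	return events, nil
}

// Finding is one alert: Kind is "brute_force" (Key = account) or
// "password_spray" (Key = source address); Count is the value that tripped it.
type Finding struct {
	Kind  string
	Key   string
	Count int
}

// Detect keeps the failures of the last `window` and, on every new failure,
// raises brute_force once an account reaches maxFailPerUser failures (the
// point at which lockout or rate limiting would kick in) and password_spray
// once a source has failed against minUsersPerSource distinct accounts.
func Detect(events []AuthEvent, window time.Duration, maxFailPerUser, minUsersPerSource int) []Finding {
	var recent []AuthEvent
	reported := map[string]bool{}
	var findings []Finding
	for _, ev := range events {
		if ev.Success {
			continue // only failures feed the counters
		}
		cut := ev.Time.Add(-window)
		for len(recent) > 0 && recent[0].Time.Before(cut) {
			recent = recent[1:] // expire failures older than the window
		}
		recent = append(recent, ev)
		perUser := 0
		usersFromSource := map[string]bool{}
		for _, r := range recent {
			if r.User == ev.User {
				perUser++
			}
			if r.Source == ev.Source {
				usersFromSource[r.User] = true
			}
		}
		if perUser >= maxFailPerUser && !reported["u:"+ev.User] {
			reported["u:"+ev.User] = true
			findings = append(findings, Finding{"brute_force", ev.User, perUser})
		}
		if len(usersFromSource) >= minUsersPerSource && !reported["s:"+ev.Source] {
			reported["s:"+ev.Source] = true
			findings = append(findings, Finding{"password_spray", ev.Source, len(usersFromSource)})
		}
	}
	return findings
}

func main() {
	events, err := parseLog(sampleLog)
	if err != nil {
		panic(err)
	}
	for _, f := range Detect(events, 5*time.Minute, 5, 5) {
		fmt.Printf("%s key=%s count=%d\n", f.Kind, f.Key, f.Count)
	}
}
```

On the sample data this yields exactly two findings, a spray from 203.0.113.10 and a brute force against admin, while bob's lone mistyped password produces none. The two rules are complementary on purpose: a spray keeps every account under the lockout threshold, so a per-account rule alone misses it, and a brute force hits one account from one source, so a distinct-accounts rule alone misses that.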
Authentication Standards and Protocols
- OAuth 2.0: Authorization framework for delegated access ("Sign in with Google")
- OpenID Connect (OIDC): Identity layer over OAuth 2.0 for authentication
- SAML 2.0: Enterprise standard for single sign-on (SSO)
- Kerberos: Ticket-based protocol in Active Directory environments
- RADIUS: Network authentication protocol (VPN, Wi-Fi)
- LDAP: Directory protocol with authentication functionality (often with Active Directory)
Compliance Requirements
NIS2 (Art. 21): Multi-factor authentication mandatory for all privileged access.
ISO 27001 A.9: Access control and authentication requirements defined in Annex A.
BSI IT-Grundschutz ORP.4: Identity and authorization management with MFA requirements.
PCI DSS 4.0: MFA mandatory for all access to the Cardholder Data Environment (CDE).
Cyber insurance: Almost all cyber insurance policies require MFA for privileged accounts as a minimum requirement for coverage.