For data stored in systems to be secure, the user needs to be authenticated before accessing the data. Find out how authentication works in this article.
What Is Authentication?
Every person has information that they do not want to expose to others. If that private information is online, it should be protected by a mechanism that acts like a lock. That lock is authentication: the process of establishing who the person trying to access the information is, so that each user can access only the information meant for them and not anyone else’s.
There are many ways to confirm a user’s identity, but they fall into three main factors:
- Something you know
- Something you have
- Something you are
We’ll explain each factor in the following sections, then look at how authentication works behind the scenes and at the flaws of these methods, both on the backend and on the user’s side, later in the article.
1. Something You Know
The first method of authenticating a user is the simplest and perhaps the oldest. The user types a secret string of characters, called a password, into an input field that sends the string to the server. If it’s correct, the user logs in. If it’s wrong, that attempt does not gain access to the account.
2. Something You Have
Two-factor authentication (2FA) is gaining popularity, and most 2FA systems use something you have as the second factor, alongside your password. These systems rely on a secret code available on your phone or another device through an authenticator app. The code is tied to your account and changes regularly. If the user enters the correct, currently valid verification code in the input field, the user logs in. Otherwise, the user does not.
3. Something You Are
Some authentication systems, such as Face ID or Touch ID, use your inherent properties, like your fingerprint, face, or voice. When the user tries to sign in, the trait is captured by placing a finger on a sensor, saying something, or making a gesture, and if it matches the data enrolled on your device, the user is logged in.
How to Verify the Identity of a User?
Passwords can’t simply be stored as-is on the server, because anyone who gained access to the server’s storage would then know every user’s password. Instead, the password goes through a one-way mathematical function called a hash. The original password cannot be recovered from its hash by computation; the only practical route is a precomputed database that maps candidate strings to their hashes.
When a user submits a username and a password, the system hashes the password and checks whether that hash matches the one stored for the username. If it does, the user logs in. If it doesn’t, the user doesn’t log in.
Biometric credentials such as fingerprints cannot be hashed in this way, because a scan never reproduces exactly the same data twice. Instead, the device stores the distinguishing features of the biometric in a secure location. When it’s time to authenticate, the input is captured, its features are extracted and compared with those stored on the device, and if they match closely enough, the user is authenticated.
Flaws of Authentication
Authentication systems are not perfect. Because the only condition for logging in is presenting the correct credentials, an outsider who obtains those credentials can get in without the legitimate user’s permission. Beyond that, some authentication systems have clear flaws that substantially increase the chances of login information being stolen. Let’s look at those in this section.
Firstly, attackers can build a database of candidate strings alongside their hashes ahead of time. Once a leaked hash is found, they can look it up in that database and recover the original password; such a database is called a rainbow table. To defeat these attacks, websites should add a random string called a salt to each user’s password before hashing, and the salt should be different for every user. That way, the hash of the password as typed is not the same as the stored hash that identifies the user, and the matching rainbow-table entry is useless.
Secondly, encryption must be used in an authentication system. Otherwise, users’ login credentials can easily be obtained by eavesdroppers, who can then use them to log in to the account and steal data. Without encryption in transit, an authentication system essentially stops providing any protection. Therefore, users must not set up accounts that store sensitive information on websites that don’t use HTTPS.
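To make the hashing and salting discussed above concrete, the following added example (written for this article, not code from any system it describes) stores a password as a per-user random salt plus a PBKDF2-HMAC-SHA256 digest, verifies a login attempt against it, and shows why a precomputed table keyed on unsalted hashes recovers an unsalted password but not a salted one. The iteration count and the sample password list are assumptions for the demo.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Assumption: PBKDF2-HMAC-SHA256 with this many iterations; tune to your hardware.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt per user means two users with the same
    password get different digests, so no single precomputed table fits every account."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Re-derive the digest with the user's stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_digest)


# --- The weak scheme the text warns about: a plain, unsalted hash ---
def unsalted_hash(password: str) -> bytes:
    return hashlib.sha256(password.encode("utf-8")).digest()


def build_lookup_table(common_passwords: List[str]) -> Dict[bytes, str]:
    """Precomputed hash -> password map: built once, reusable against any leak of unsalted hashes."""
    return {unsalted_hash(p): p for p in common_passwords}


def lookup(table: Dict[bytes, str], leaked_digest: bytes) -> Optional[str]:
    """Return the password behind a leaked digest if the table contains it, else None."""
    return table.get(leaked_digest)


if __name__ == "__main__":
    table = build_lookup_table(["123456", "password", "qwerty"])  # constructed sample list
    print("unsalted leak recovered:", lookup(table, unsalted_hash("123456")))
    salt, digest = hash_password("123456")
    print("salted leak recovered:  ", lookup(table, digest))
    print("login with right password:", verify_password("123456", salt, digest))
```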
Additionally, weaknesses in authentication may be the user’s fault. For example, some users choose extremely weak passwords because they’re easy to remember, but this gives attackers numerous opportunities to break into their accounts. For the most common passwords, like “123456”, an attacker might even guess them by hand. Therefore, users ought to set long, strong passwords to protect the information in their accounts.
Conclusion
In this article, we have covered how authentication works and the three factors of authentication. We also discussed the inherent weaknesses of authentication and how systems and users address them to reduce the chances of unauthorized access to one’s private data. For more, please visit the websites in the references below.
References and Credits
- (n.d.). Understanding Authentication, Authorization, and Encryption. Retrieved January 8, 2022, from https://www.bu.edu/tech/about/security-resources/bestpractice/auth/
- (n.d.). Multi-Factor Authentication (MFA). Retrieved January 8, 2022, from https://csrc.nist.gov/glossary/term/multi_factor_authentication
- (2021, December 14). What Are the Three Authentication Factors? Retrieved January 8, 2022, from https://rublon.com/blog/what-are-the-three-authentication-factors/
- Michael Hill. (2021, July 6). Rainbow tables explained: How they work and why they’re (mostly) obsolete. Retrieved January 8, 2022, from https://www.csoonline.com/article/3623195/rainbow-tables-explained-how-they-work-and-why-theyre-mostly-obsolete.html