Authentication

Rédigé par David Brulin, co-fondateur de Quai des Balises

Authentication is the process of verifying that a user, device, or service is who or what it claims to be before granting access to a system. It relies on one or more factors—something you know, have, or are—and answers a single question: is this identity genuine?

The three authentication factors

Authentication methods are grouped into three categories, called factors. A method's strength depends on which factor it uses and how hard that proof is to steal or copy.

Knowledge (something you know): passwords, PINs, security questions, passphrases. The most common factor, but also the most exposed to phishing, reuse, and credential leaks.
Possession (something you have): a physical security key (FIDO2/WebAuthn), a smartphone receiving a one-time code, a hardware token, or an authenticator app generating time-based codes (TOTP).
Inherence (something you are): biometrics such as fingerprint, facial recognition, or voice. Tied to the individual, but cannot be changed if compromised.

A method that combines two or more distinct factors is called multi-factor authentication (MFA). Two-factor authentication (2FA) is the most widespread form. Combining a password with a code from an authenticator app is far harder to bypass than either factor alone, because an attacker would need to compromise two independent channels.

Authentication vs. authorization

Authentication and authorization are distinct steps that are often confused. Authentication confirms identity; authorization decides what that verified identity is allowed to do. Authentication always comes first—a system must know who you are before it can determine your permissions.

Aspect	Authentication	Authorization
Question answered	Who are you?	What are you allowed to do?
Purpose	Verify identity	Grant or deny access to resources
Order	Happens first	Happens after authentication
Typical mechanisms	Passwords, MFA, biometrics, certificates	Roles, permissions, access control lists, scopes
Visible to user	Yes (login screen)	Usually invisible (enforced server-side)

In a business application, a user authenticates once at login, then the authorization layer determines whether they can view a report, edit a record, or access an admin panel. Keeping the two layers separate is a core principle of secure software design.

Authentication in custom software

In a custom application—ERP, CRM, or a business platform—authentication is rarely built from scratch. Teams typically rely on proven standards and protocols rather than reinventing identity handling, which is error-prone and a frequent source of security flaws.

Session-based authentication: the server creates a session after login and tracks it with a cookie. Common in traditional server-rendered applications.
Token-based authentication: the server issues a signed token (such as a JWT) the client sends with each request. Widely used for APIs and decoupled front-ends.
OAuth 2.0 and OpenID Connect: delegated standards that let users sign in through an existing provider and let applications access resources on their behalf.
Single sign-on (SSO): one authentication grants access to multiple connected applications, common in enterprise environments.
Passwordless and WebAuthn: authentication based on security keys or device biometrics, removing passwords from the flow entirely.

Good practice includes hashing stored passwords with a strong, salted algorithm, never storing them in plain text, enforcing MFA on sensitive accounts, and rate-limiting login attempts to slow brute-force attacks.

Questions fréquentes

Authentication verifies who you are, while authorization determines what you are allowed to do. Authentication always happens first: the system confirms your identity at login, then the authorization layer decides which resources and actions are available to you. They are separate concerns and should be handled by separate parts of an application.

Multi-factor authentication requires two or more independent proofs of identity from different factor categories, such as a password combined with a code from an authenticator app. Because an attacker would need to compromise multiple separate channels, MFA is significantly harder to bypass than a password alone and is now standard practice for protecting sensitive accounts.

The three factors are knowledge (something you know, like a password or PIN), possession (something you have, like a security key or phone), and inherence (something you are, like a fingerprint or face). Strong authentication combines factors from at least two of these distinct categories.

Biometrics are convenient and tied to the individual, making them hard to share or guess. However, unlike a password, biometric data cannot be changed if it is ever compromised. For this reason, biometrics are best used as one factor within multi-factor authentication rather than as a sole means of verifying identity.

Building a custom software project? We design bespoke software aligned with your roadmap.

See our custom software expertise

Définitions liées

← Retour au glossaire