Authentication and Identity Verification

Verifies that a user, device, or service is the identity it claims to be before access is granted.

Authentication is the process of verifying identity. In plain language, it is how a system checks that a user, device, or service really is who or what it claims to be before any access decision continues.

Why It Matters

Authentication matters because most other identity controls depend on it. If a system cannot reliably establish who is signing in, then later controls such as access policies, audit trails, and session monitoring lose much of their value.

It also matters because weak authentication is a common starting point for real breaches. Stolen passwords, weak recovery flows, poorly protected service identities, and reusable tokens can all undermine otherwise strong infrastructure.

Where It Appears in Real Systems or Security Workflow

Authentication appears in workforce login flows, customer portals, cloud consoles, VPN access, API gateways, service-to-service trust, and endpoint enrollment. A user might authenticate with a passkey, a workload might authenticate with a certificate, and an administrator might need a phishing-resistant hardware-backed factor.

Security teams also review authentication during architecture reviews and incident response. They ask how identity is verified, which methods are allowed, and how suspicious or compromised sessions are handled.

Authentication Compared With Nearby Concepts

Concept | Core question | Typical moment
--- | --- | ---
Identity Proofing | Should this claimed identity be trusted in the first place? | Enrollment, recovery, escalation
Authentication | Is this user, device, or service really the claimed identity right now? | Sign-in or session establishment
Authorization | What is this authenticated identity allowed to do? | After identity is established

Practical Example

An employee signs in to a company portal with a username, password, and device-bound second factor. The portal first authenticates the employee through the identity provider. Only after that succeeds does the system evaluate which applications and data the employee may use.

Common Misunderstandings and Close Contrasts

Authentication is not the same as Authorization. Authentication answers “Who are you?” Authorization answers “What are you allowed to do?”

It is also broader than passwords. Authentication can use passwords, hardware-backed factors, certificates, passkeys, or other methods depending on the system and the required assurance level.

Successful authentication does not prove the account is safe forever. Sessions, tokens, recovery paths, and revocation controls still matter after login.
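The practical example above (authenticate through the identity provider first, then make a separate authorization decision) and the point that sessions and revocation still matter after login, as one added worked example in Python. It is not code from the original page. The user record, password, second-factor seed (the published RFC 6238 test-vector seed), roles, and session lifetime are all constructed for illustration, and a TOTP check stands in for the device-bound second factor.

```python
"""Added example: authenticate (two factors) -> issue session -> authorize -> revoke.
Every user, secret, role and lifetime below is constructed for illustration."""
import hashlib
import hmac
import secrets
import struct

# --- constructed credential store --------------------------------------------
_SALT = b"constructed-salt-not-for-production"


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; production systems usually prefer a memory-hard KDF
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


USERS = {
    "alice": {
        "pw_hash": hash_password("correct horse battery staple", _SALT),
        "totp_secret": b"12345678901234567890",  # RFC 6238 test-vector seed (constructed)
        "role": "analyst",
    },
}
PERMISSIONS = {
    "analyst": {"read_reports"},
    "admin": {"read_reports", "manage_users"},
}


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time code (HMAC-SHA1, the common authenticator default)."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def authenticate(username: str, password: str, code: str, now: int) -> bool:
    """Step 1, authentication: 'Is this really the claimed identity right now?'"""
    user = USERS.get(username)
    if user is None:
        hash_password(password, _SALT)  # spend the same time for unknown users
        return False
    if not (code.isascii() and code.isdigit()):
        return False
    pw_ok = hmac.compare_digest(hash_password(password, _SALT), user["pw_hash"])
    # accept the current and the previous time step to tolerate small clock drift
    totp_ok = any(
        hmac.compare_digest(totp(user["totp_secret"], now - drift), code)
        for drift in (0, 30)
    )
    return pw_ok and totp_ok


# --- sessions: login is not the end of the story ------------------------------
SESSIONS: dict = {}  # token -> {"user", "expires", "revoked"}
SESSION_TTL = 3600   # seconds (constructed value)


def issue_session(username: str, now: int) -> str:
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = {"user": username, "expires": now + SESSION_TTL, "revoked": False}
    return token


def session_user(token: str, now: int):
    """Return the authenticated user for a token, or None if unknown, expired or revoked."""
    s = SESSIONS.get(token)
    if s is None or s["revoked"] or now >= s["expires"]:
        return None
    return s["user"]


def revoke_session(token: str) -> None:
    if token in SESSIONS:
        SESSIONS[token]["revoked"] = True


def authorize(token: str, action: str, now: int) -> bool:
    """Step 2, authorization: 'What is this authenticated identity allowed to do?'"""
    user = session_user(token, now)
    if user is None:
        return False
    return action in PERMISSIONS[USERS[user]["role"]]


def login(username: str, password: str, code: str, now: int):
    """Authenticate first; only a successful authentication yields a session token."""
    if not authenticate(username, password, code, now):
        return None
    return issue_session(username, now)


if __name__ == "__main__":
    t = 59  # RFC 6238 test time; the expected code for this seed is 287082
    tok = login("alice", "correct horse battery staple", totp(USERS["alice"]["totp_secret"], t), t)
    print("authenticated:", tok is not None)
    print("read_reports allowed:", authorize(tok, "read_reports", t + 1))
    print("manage_users allowed:", authorize(tok, "manage_users", t + 1))
    revoke_session(tok)
    print("after revocation:", authorize(tok, "read_reports", t + 1))
```

The two questions are kept in two functions on purpose: `authenticate` never consults roles, and `authorize` never re-checks credentials; it only asks what the already-established identity may do. The session layer is where the "not safe forever" point lands: the same token stops working on expiry or revocation even though the original login was valid.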

Knowledge Check

  1. What question does authentication answer? It answers whether the claimed identity is really the user, device, or service making the request.
  2. Can authentication succeed while authorization still fails? Yes. A user can prove identity and still lack permission for a specific action.
  3. Is authentication limited to passwords? No. It can use multiple methods, including hardware-backed and passwordless approaches.
Revised on Friday, April 24, 2026