Authentication.
The process of verifying that a person, service, or device is who or what it claims to be, typically by presenting a credential the verifier can check.
Authentication is the most overloaded word in identity. In casual use it means "logging in"; in spec language it means specifically the credential-verification step, separate from the session creation that follows it. When someone says "authentication", check whether they mean (a) the credential check, (b) the full login flow, or (c) the broader identity system. The three are routinely conflated, and the gap produces real bugs at integration boundaries.
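The split between (a) the credential check and (b) the full login flow, as an added example that is not code from this page or from any product it mentions. The names `verify_credential`, `create_session` and `AuthnResult`, the in-memory stores, the sample user and the 300-second freshness window are assumptions made for illustration.

```python
from __future__ import annotations
import hashlib, hmac, secrets, time
from dataclasses import dataclass

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)

# Constructed sample user store: username -> (salt, scrypt hash). Not real data.
_SALT = secrets.token_bytes(16)
USERS = {"alice": (_SALT, _hash("correct horse battery staple", _SALT))}
# Dummy record so unknown usernames cost the same hashing work as known ones.
_DUMMY = (secrets.token_bytes(16), b"\x00" * 64)

@dataclass(frozen=True)
class AuthnResult:
    """Output of the credential check only: who was verified, how, and when."""
    subject: str
    method: str
    verified_at: float

def verify_credential(username: str, password: str) -> AuthnResult | None:
    """(a) The credential check. Creates no session and issues no token."""
    salt, expected = USERS.get(username, _DUMMY)
    ok = hmac.compare_digest(_hash(password, salt), expected)
    if not ok or username not in USERS:
        return None
    return AuthnResult(username, "password", time.time())

SESSIONS: dict[str, AuthnResult] = {}  # assumed in-memory session store

def create_session(result: AuthnResult, max_age: float = 300.0) -> str:
    """Session creation. Accepts only a fresh AuthnResult, never a bare username."""
    if not isinstance(result, AuthnResult):
        raise TypeError("session requires a verified AuthnResult")
    if time.time() - result.verified_at > max_age:
        raise ValueError("authentication result is stale; re-verify")
    session_id = secrets.token_urlsafe(32)  # fresh identifier for every login
    SESSIONS[session_id] = result
    return session_id

def login(username: str, password: str) -> str | None:
    """(b) The full login flow: credential check, then session creation."""
    result = verify_credential(username, password)
    return create_session(result) if result else None
```

Because `create_session` refuses anything but a recent `AuthnResult`, a caller at an integration boundary cannot open a session from a username alone.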
The three classical factors are something you know (password, PIN), something you have (phone, security key), and something you are (biometric). NIST SP 800-63-4 (2024) reframes the question around assurance levels (AAL1, AAL2, AAL3) rather than counting factors, because the security of a factor matters more than the count of factors — SMS OTP plus password is technically two factors and no longer meets AAL2.
Common questions
What is the difference between authentication and authorization?
Is MFA the same as authentication?
What are the three factors of authentication?
In the guides
Authentication vs Authorization: The Difference, Explained Properly
Authentication answers 'who are you'; authorization answers 'what may you do'. The split is structural, the confusion is endless, and the integration bugs hide in the gap.
Multi-Factor Authentication (MFA): A 2026 Practitioner's Guide
How to roll out MFA in CIAM in 2026: factor selection, adoption, recovery design, anti-patterns, and where SMS OTP no longer meets the standard.
Passwordless Authentication: A 2026 Practitioner's Guide
How passkeys, magic links, and biometrics replace passwords in CIAM, with implementation patterns, adoption data, and vendor support.