Introduction to authentication
Authentication is the act of confirming a user’s identity, for example, by providing a set of credentials.
As part of an access management strategy, authentication is tightly coupled with authorization; usually, not only is it important to confirm that a user is who they say they are, but also to ensure that they can only access a subset of information.
Consider a user who wants to access an online shop. As the owner of the shop, you want to ensure the user identity is confirmed (as it’s tied to their shipping and email addresses and payment information). You also want to ensure that they can only access their own information.
You can deploy a web agent on the web server hosting the online shop. The agent redirects the user’s request to a PingOne Advanced Identity Cloud login page, where the user enters their credentials, such as username and password. PingOne Advanced Identity Cloud determines who the user is and whether the user has the right to access the protected page. PingOne Advanced Identity Cloud then redirects the user back to the protected page with authorization credentials that the agent can verify. The agent allows the user authorized by PingOne Advanced Identity Cloud to access the page.
In the same way, you can also use PingOne Advanced Identity Cloud to protect physical devices connected to the Internet of Things (IoT). For example, a delivery van tracking system could have its proxying gateway authenticate to a brokering system using an X.509 certificate, establish an HTTPS connection, and then connect to the sensors in its delivery trucks. If the X.509 certificate is valid, the brokering system can monitor a van’s fuel consumption, speed, mileage, and overall engine condition to maximize each van’s operating efficiency.
PingOne Advanced Identity Cloud uses authentication nodes and journeys to implement authentication.
PingOne Advanced Identity Cloud creates an authentication session to track the user’s progress through an authentication journey. After the user has authenticated, PingOne Advanced Identity Cloud creates a session to manage the user’s access to resources. To learn more about sessions, refer to Sessions.
Multi-factor authentication
Multi-factor authentication (MFA) is an authentication technique that requires users to provide multiple forms of identification when logging in to PingOne Advanced Identity Cloud.
Multi-factor authentication provides a more secure method for users to access their accounts with the help of a device. Note that the word device is used in this section to mean a piece of equipment that can display a one-time password or that supports push notifications using protocols supported by PingOne Advanced Identity Cloud multi-factor authentication (MFA). Devices are most commonly mobile phones with authenticator applications that support the OATH protocol or push notifications, but could also include other equipment.
The following is an example scenario of multi-factor authentication in PingOne Advanced Identity Cloud:
- In the Advanced Identity Cloud admin UI, configure an authentication journey to capture the user’s username and password and to create one-time passwords.
- An end user authenticates to PingOne Advanced Identity Cloud using that authentication journey.
- PingOne Advanced Identity Cloud prompts the user to enter the username and password (the first factor in multi-factor authentication).
- If the user ID and password are correct, PingOne Advanced Identity Cloud sends the user an email with a one-time password.
- The user provides the one-time password to PingOne Advanced Identity Cloud to successfully complete authentication (the second factor in multi-factor authentication).
PingOne Advanced Identity Cloud supports the following multi-factor authentication protocols:
- MFA: Use codes from ForgeRock app using OATH, to enable one-time password authentication.
- MFA: Authenticate using push notification, to receive push notifications on a device as part of the authentication process.
- MFA: Authenticate using a device with WebAuthn, to enable authentication using an authenticator device, such as a fingerprint scanner.