📌
Software Security
  • README
  • Prerequisites
    • Prerequisites
  • Introduction
    • Cyber security principles
    • Basic web concepts
      • HTTP
      • JavaScript
      • Cookies
      • SQL
      • DOM
      • APIs and the multitier architecture
    • Basic browser security concepts
      • Same-Origin Policy (SOP)
      • Cross-Origin Resource Sharing (CORS)
      • Cookies
      • Tracking
    • Basic security concepts
      • Hashing
  • Access Control: Basics
    • Authentication
      • Passwords
      • Password managers
      • Attacking passwords - online
      • Attacking passwords - offline
    • Authorization
      • Insecure direct object references
    • Session Management
    • CSRF
      • CSRF: why & how it works
      • Protecting against CSRF attacks
    • SSRF
      • SSRF: how it works and how we can protect against it
  • Access Control: Advanced
    • Authentication
      • Federation
      • Alternative authentication mechanisms
      • FIDO2 and WebAuthn
  • Injection attacks
    • Injection attacks
    • SQL Injection
    • Command Injection
    • Cross-site scripting
      • Input validation
      • Context sensitive output encoding
      • About the HttpOnly flag
      • Content Security Policy
    • Subresource integrity
    • Sandboxing
  • HTTPS
    • HTTPS
    • Introduction to cryptography
    • PKI
    • Setting up HTTPS
    • References
  • HTTP Headers for security
    • HTTP Headers
  • Threat Modeling
    • Threat modeling introduction
    • Threat modeling basics
    • Inspiration for threats
  • Bringing it all together
    • A comprehensive overview of controls
Powered by GitBook
On this page

Was this helpful?

  1. Access Control: Advanced
  2. Authentication

Alternative authentication mechanisms

PreviousFederationNextFIDO2 and WebAuthn

Last updated 3 years ago

Was this helpful?

Even when federation and Single Sign On is used, a user still has to authenticate. Perhaps authentication is required only once a day, or once a week, but the user stil has to authenticate at some point in time.

SAML, OAuth2, or OIDC do not prescribe how users have to authenticate. The way a user must authenticate is configured in the authentication component. Many solutions exist that can be used for this authentication component: Auth0, IdentityServer, ADFS, AWS Cognito, Keycloak, Shibboleth, PING, IBM ISAM, etc. What many of these solutions have in common is their ability to support multiple authentication mechanisms.

The NIST 800-63B publication has created an exhaustive list of authentication types:

I'm sure you'll recognize some examples in this list.