by John Bandler

Here is a quick definition of the term and explanation of cybersecurity best practices.

Authentication definition in sum

Authentication is the process an information system uses to identify the user.

The information system could be a computer device, an email provider, a network, application, etc. The information system needs to decide whether to let the user in or not. The system needs to decide if that person seeking access is who they say they are.

Put another way, a person (or electronic application) knocks on the electronic door. At that electronic door, the process of authentication determines whether they will be allowed in or not. If the person (or system) is authenticated, they are allowed in.

Other uses of the term "authentication"

Feel free to skip this since it is an aside:  Once upon a time I was a trial lawyer (litigator) and I needed to prepare and present evidence in court to a jury to prove the case.

In a trial, the judge is the gatekeeper of evidence, making sure that the jury only sees evidence that has already met a minimum threshold. That minimum threshold the judge evaluates includes authenticity, relevance, and lack of undue prejudice. Thus, the legal system includes an "authentication" process too!  I needed to present some proof that the evidence is what it appears to be, before I could get the judge's approval and the jury could see it.

The three factors of authentication

There are three factors of authentication:

  • Something you know (like a password)
  • Something you have (like a smart phone, key fob, token, smart card), and
  • Something you are (like your fingerprint, facial features or retinal scan).

An authentication system that only requires a password is single factor. This has inherent weaknesses for accounts accessible through the internet, because passwords can be guessed or stolen.

An authentication system that requires more than one factor of authentication might be called two-factor authentication (2FA) or any of the other similar terms, as I cover in another article.

Authentication best practices in sum

This totally depends on the circumstances, the information system, is it a laptop computer, an email account, etc.

But first let's evaluate

  • The weaknesses of passwords, their ability to be guessed or stolen
  • Whether the system being authenticated is
    • A computer device that requires someone to physically possess it
    • An online account that anyone, anywhere in the galaxy could access, so long as they have Internet
  • Risks
  • Email security
  • Two factor authentication

Related terms

This is a key term definition article

I have decided to experiment by creating short webpages to provide definitions and best practices for certain key terms. This is one of those webpages.

These are terms that I have explained or defined dozens or even hundreds of times in my life, either through conversation or in writing. After explaining the term I try to explain best practices relating to those terms. These are terms or guidance that may appear in my cybersecurity policies.


This article is (of course) not tailored to your circumstances, nor is it legal or consulting advice.

This is to inform. You need to assess your own risks and decide. You assume all risk for cybersecurity decisions you make. This is a work in progress. This is a limited amount of words so cannot exhaustively cover all areas.

I may explain nuances further in other articles, or one of my books. Other experts may have differing opinions.

Ask ten different IT or IS experts, you will get ten or more different definitions for a term, and as many different recommendations for cybersecurity posture. Cybersecurity is about decisions and risk management.


If you are a cybercrime victim, see the resources here, and contact me if you need professional assistance.

If your organization needs help with improving its cybersecurity and identity theft protection, feel free to contact me.

Additional reading

This article is hosted at, copyright John Bandler, all rights reserved.

This article is also available on at NOT YET (though not kept as up to date).

Originally posted 4/21/2023, updated 4/21/2023.