Category:Web Application Authentication Schemes

Overview
In authentication, one entity proves that it is who it claims to be, typically by demonstrating knowledge of an agreed secret. This differs from identification, in which an entity merely states who it is without that claim being verified. The entity in this context can be a person, a system or a service call.

The secret (or authentication factor) can be one or more of the following.
 * something that only you know (e.g. a password)
 * something that only you have (e.g. a smart card)
 * something you are (e.g. a fingerprint)
 * somewhere you are (e.g. a particular IP address or location)

Each of these factors has its own strengths and weaknesses, so the first question is which one(s) to choose. Beyond that, a number of further questions arise.
 * How do we verify whether an entity is already authenticated?
 * How do we inform an entity that it needs to authenticate first?
 * How are credentials transferred from one party to the other?
 * How are credentials verified?
 * How do we indicate successful authentication?
 * How do we avoid replay attacks?
 * How do we ensure that plain credentials are never exposed?
 * How do we achieve mutual authentication?
 * Do we ask the user to hold different credentials for each system in the enterprise?
 * What happens when we need to scale up?

An authentication scheme addresses such questions. From time to time, existing authentication schemes have been exploited, and new schemes have evolved to address the resulting security concerns. Other schemes appeared to meet business requirements such as scalability and single sign-on. As a result, there are now many of them, and details about each can be found below. Some schemes are built on a common framework; in those cases the framework is described first, followed by the schemes based on it.