Authentication Methods for IAM


74% of security professionals say their enterprise suffered a data breach due to a compromised privileged account. Identity and Access Management (IAM) focuses on ensuring that resources are only accessed by those who have the proper permissions, and it does this through three core principles: Authentication, Authorization and Accountability (AAA). Authentication is the process of a user proving that they are who they claim to be.

Common examples include providing a password, PIN or piece of ID that only the user should know or have. Having a secure process for identifying people is critically important to avoid impersonation and prevent unauthorized access to company assets. There are multiple methods for authenticating users, and each has distinct trade-offs in security, cost, consistency and ease of use.

Here is a breakdown of the most popular authentication methods:

Passwords and PINs: Everyone who uses a computing device has encountered these two methods. They are very simple, cheap and easy to implement because they don’t require any specialized hardware or software. All you need is for a user to pick a password or PIN and enter it every time they need to log in to a device. However, this is often one of the most insecure types of authentication: 81% of data breaches are due to poor passwords.

Temporary PINs or Hard Tokens: If you have ever used Google Authenticator or an RSA token, you are familiar with this concept. You use an application or a hardware token device that generates a new code every minute that can be used to log in. Usually this is combined with a password to create two-factor authentication.

Facial Recognition: This has become much more popular, especially after its adoption in Apple’s iPhone. It uses the unique features of a user’s face to identify that user. It is much more difficult to impersonate than a password, but it is harder to implement because it needs special software and hardware.

Iris Scan: The iris is a thin circular structure located towards the front of the eye that controls how much light is allowed to reach the retina. An iris scan uses a camera and pattern-matching techniques to find the unique patterns in an individual’s eye. Any time the user wants to be authenticated, the camera captures the iris and its patterns are compared to those stored in the database; if they match, the user is authenticated. An iris scan has an almost 0% false negative rate.

Retinal Scan: The retina is a thin tissue found at the back of the human eye. A retinal scan is performed by casting a beam of light on the eye and mapping the unique patterns of blood vessels within the retina. Retina scans have a very low false negative rate, but their accuracy can be affected by disease. Additionally, retina scans must be performed at a very close range and are considered invasive. They also tend to be more expensive than iris scans to implement.

Voice Matching: You can also use voice recognition as a means to identify a person. Voice recognition software measures the unique biological factors that combine to create each person’s voice. This is not commonly used but is still an option in certain situations, particularly web apps or mobile phones. A common example of voice recognition is Siri on Apple’s iPhone.


Authentication is one of the first steps in good identity and access management. It’s important to pick a method that fits your budget, is secure, is easy to install and won’t be too invasive of people’s privacy. The best practice is to combine two or more of these methods, creating multi-factor authentication. This way, if one authentication method fails, it doesn’t by itself result in a data breach.