Authentication keeps invalid users out of databases, networks, and other resources.
Authentication Protocols are well defined, industry standard ways to validate the identity of remote clients/users (Authentication) before granting them access to server data (Authorization) and in monitoring network resources and information needed for billing of services (Accounting).
Different Authentication Protocols used to validate users are PAP, CHAP, Oauth 2, TACACS+, RADIUS, Kerberos, SAML, LDAP/Active Directory etc. These can be used simultaneously for different purpose.
Password authentication protocol (PAP):
It is one of the oldest authentication protocols deprecated now, yet used sometimes.
In PAP, system compares user credentials (username and password) to a database to validate. Since there is no encryption, it is least secure.
Challenge-Handshake Authentication Protocol (CHAP):
CHAP periodically reauthenticates users identity using a 3-way handshake. Each challenge is different from last version and verification is done even within the same session.
Extensible authentication protocol (EAP):
Wireless networks and point-to-point connections uses EAP.
Kerberos uses symmetric keys between client-server (secret-key cryptography), pulled from a centralized key distribution center known as Key Distribution Center (KDC).
There are few drawbacks viz, the process is time-sensitive, so devices using the Kerberos must have relatively well-synced clocks. Also, it not advised to use this protocol for networks heavy on virtual hosting because every host requires its own set of Kerberos keys.
Further, in 2020, Kerberos stopped working after a system update.
Lightweight Directory Access Protocol (LDAP):
The Lightweight Directory Access Protocol is an open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network.
Organizations using LDAP stores information like user credentials (usernames, passwords), email addresses, printer connections and other static data within directories.
LDAP works by binding an LDAP user to an LDAP server.
The client sends an operation request that asks for a particular set of information, such as user login credentials or other organizational data.
The LDAP server then processes the query based on its internal language, communicates with directory services if needed, and responds.
When the client receives the response, it unbinds from the server and processes the data accordingly.
LDAP is the underlying protocol for directory services and is leveraged in Directory-as-a-Service (DaaS), a cloud-based software-as-a-service (SaaS) user directory.
OAuth 2 is a way for users to allow websites and mobile apps to access their credentials without giving them the passwords, implemented by various sites viz Google, Facebook, Twitter etc. OAuth 2 works with HTTP. It provides access tokens to be applied to a third-party with the permission of the resource owner.
One of the possible security risk with OAuth 2 is that it uses one account for multiple applications, so, if the main account is ever compromised, users risk compromising many more instances. Such an issue was faced by GitHub in 2020.
Remote authentication dial-in user service (RADIUS): RADIUS system verifies credentials (username-password) provided by client by comparing it to data in a database. RADIUS provides centralized authentication, authorization, and accounting (AAA or Triple A) management.
Authentication data flows from NAS (Network Access Server) to RADIUS server in Access-Request packets.
Authorization data flows from the RADIUS server to NAS in Access-Accept, Access-Reject, CoA-Request, and Disconnect-Request packets.
Accounting data flows from the NAS to the RADIUS server in Accounting-Requests.
Diameter is derived from RADIUS and provides a framework for authentication and accounting messages.
It is a Peer-to-Peer (P2P) protocol. Peers can be statically configured or dynamically discovered.
Extensibility is an important trait of the Diameter protocol. It supports a modular architecture with the base protocol and application-specific extensions.
There are many other efficient and widely used authentication protocols like SAML (XML based protocol), TACACS (IP-based authentication), it's enhanced versions and various others.