Introduction

Before an operating system grants access to files, memory, devices, or applications, it must first determine who is requesting access. The system needs a reliable mechanism to verify identities so that unauthorized users cannot gain control over system resources.

This verification process is called authentication.

Authentication is one of the most critical security mechanisms in modern operating systems because it acts as the first line of defense against unauthorized access. Every secure system depends on authentication before enforcing permissions or access control policies.

Without authentication:

  • Any user could impersonate another user

  • Access control becomes meaningless

  • Sensitive data becomes vulnerable

  • System integrity collapses

Authentication is therefore foundational to operating system security.

What is Authentication?

Authentication is the process of verifying the identity of a user, process, or system entity before granting access to resources.

The operating system checks:

  • Whether the claimed identity is genuine

  • Whether credentials are valid

Core Idea

Authentication answers: “Who are you?”

This is different from authorization, which answers:

“What are you allowed to do?”

Important Insight

Authentication verifies identity before access control policies are enforced

Authentication vs Authorization

Students commonly confuse these concepts.

Authentication

Identity verification.

Example:

  • Username + password validation

Authorization

Permission enforcement.

Example:

  • Determining whether user can access a file

Sequence

Authentication → Authorization → Resource Access

First identity is verified.
Then permissions are checked.

Why Authentication is Necessary

Without authentication:

  • Any user could access administrator functions

  • Attackers could impersonate legitimate users

  • Data confidentiality would disappear

Authentication ensures:

  • Accountability

  • Controlled access

  • Secure user identification

Factors of Authentication

Authentication methods are categorized into factors.

1. Something You Know

Knowledge-based authentication.

Examples:

  • Passwords

  • PINs

  • Security questions

2. Something You Have

Possession-based authentication.

Examples:

  • Smart cards

  • OTP devices

  • Security tokens

  • Mobile phones

3. Something You Are

Biometric authentication.

Examples:

  • Fingerprints

  • Face recognition

  • Iris scans

  • Voice recognition

4. Something You Do

Behavioral authentication.

Examples:

  • Typing patterns

  • Gesture recognition

Password-Based Authentication

Passwords are the most widely used authentication mechanism.

Authentication Process

Step 1: User Enters Credentials

Example:

Username + Password

Step 2: OS Retrieves Stored Credentials

Stored securely in authentication database.

Step 3: Password Verification

OS compares entered password with stored version.

Step 4: Access Granted or Denied

Important Insight

Modern systems do not store plaintext passwords

Password Hashing

Operating systems store:

  • Hashes of passwords
    not actual passwords.

Hash Function

A one-way mathematical transformation.

Example:

password → hash value

Even if database stolen:

  • Original password difficult to recover

Salting

Attackers may use:

  • Rainbow tables

  • Precomputed hashes

To prevent this:

Salt added before hashing

Example:

salt + password → hash

This ensures:

  • Same password generates different hashes

Important Insight

Salting protects against precomputed password attacks

Password Attacks

1. Brute Force Attack

Attacker tries all combinations.

2. Dictionary Attack

Attacker tries common passwords.

3. Phishing

User tricked into revealing credentials.

4. Credential Stuffing

Reuse of leaked passwords.

Strong Password Policies

Operating systems enforce:

  • Minimum length

  • Complexity rules

  • Expiration policies

  • Password history

Multi-Factor Authentication (MFA)

MFA combines multiple authentication factors.

Example:

  • Password + OTP

  • Password + fingerprint

Why MFA Matters

Even if password stolen:

  • Attacker still lacks second factor

Important Insight

MFA significantly increases authentication security

One-Time Passwords (OTP)

Temporary passwords valid for short duration.

Types:

  • Time-based OTP

  • SMS OTP

  • App-generated OTP

Advantages:

  • Prevent replay attacks

Biometric Authentication

Biometrics verify physical characteristics.

Examples:

  • Fingerprint scanners

  • Face recognition

  • Iris scanning

Advantages

  • Convenient

  • Difficult to forget

Problems

  • Privacy concerns

  • False positives

  • Irreplaceability

If password leaked:

  • Change password

If fingerprint leaked:

  • Cannot replace fingerprint

False Acceptance and False Rejection

Biometric systems may produce errors.

False Acceptance Rate (FAR)

Unauthorized user accepted.

False Rejection Rate (FRR)

Legitimate user rejected.

Balancing these is critical.

Authentication Protocols

Modern systems use authentication protocols for secure verification.

Examples:

  • Kerberos

  • OAuth

  • LDAP

  • Active Directory

These protocols support:

  • Network authentication

  • Single sign-on

  • Distributed systems

Kerberos Authentication

Very important protocol in operating systems and networks.

Uses:

  • Tickets

  • Symmetric cryptography

  • Trusted third party

Advantages:

  • Prevents password transmission over network

Session Authentication

After successful login:

  • OS creates authenticated session

User does not repeatedly authenticate for every action.

Session maintained using:

  • Session IDs

  • Security tokens

Authentication in UNIX/Linux

Linux authentication commonly uses:

  • /etc/passwd

  • /etc/shadow

Passwords stored as hashes.

Important Insight

Modern UNIX systems separate password hashes from public account information

Authentication in Windows

Windows uses:

  • NTLM

  • Kerberos

  • Active Directory

Enterprise environments heavily depend on centralized authentication.

Secure Login Process

Typical login sequence:

Step 1

User enters credentials.

Step 2

OS validates credentials.

Step 3

Authentication token created.

Step 4

User session established.

Step 5

Access control policies enforced.

Authentication Threats

1. Password Theft

Credentials stolen.

2. Replay Attacks

Captured credentials reused.

3. Keylogging

Malware records keystrokes.

4. Social Engineering

Users manipulated into revealing credentials.

5. Session Hijacking

Attacker steals active session token.

Modern Authentication Trends

Modern systems increasingly use:

  • Passwordless authentication

  • Biometrics

  • Hardware security keys

  • Adaptive authentication

Zero Trust Authentication

Modern security philosophy:

Never trust automatically; always verify continuously