Web Authentication

Web authentication is the process of verifying, through a web application, that users are who they say they are. It is needed in situations where virtual private networking is not available, for example when a user has to work from a secondary system such as a customer’s computer or a computer kiosk provided at a hotel. How the web authentication mechanism is implemented is determined by the risk associated with what is being accessed.

A user ID and password combination is the basic form of authentication, and you have seen it multiple times in this chapter. High-risk applications should not rely on a user ID and password alone because it is not a strong form of authentication. For example, an online banking tool should require stronger authentication for access to a user’s account because a password can easily be compromised. This stronger authentication can include multifactor authentication as well as knowledge-based authentication.

One-time password authentication is a form of two-factor authentication. It is based on something you know, such as a PIN, and something you have, such as an authenticator. Combining the PIN with the value displayed on the authenticator produces a one-time password. This one-time password is unique to the user, and it is difficult for an attacker to compromise.
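As an added example that is not from the chapter, the PIN-plus-authenticator combination described above can be checked server-side with an event-based one-time password computed per RFC 4226 (the standard HOTP algorithm). The passcode format (PIN followed by the 6-digit token display), the `OtpVerifier` class and the look-ahead window are assumptions made for this example.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: dynamic truncation of HMAC-SHA1(secret, counter) to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class OtpVerifier:
    """Server-side record for one user: PIN hash, shared token secret, next expected counter.

    Hypothetical helper written for this example. The PIN is stored as a plain SHA-256
    hash here only to keep the example short; a real deployment would use a slow,
    salted password hash.
    """

    def __init__(self, pin: str, secret: bytes, look_ahead: int = 3):
        self.pin_hash = hashlib.sha256(pin.encode()).digest()
        self.secret = secret
        self.counter = 0          # next counter value the server expects
        self.look_ahead = look_ahead

    def verify(self, submitted: str) -> bool:
        # Assumed passcode layout: the PIN (something you know) followed by the
        # 6-digit value shown on the authenticator (something you have).
        if len(submitted) < 7:
            return False
        pin, code = submitted[:-6], submitted[-6:]
        pin_ok = hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), self.pin_hash)
        # Accept a code within a small look-ahead window so a token press that was
        # never submitted does not lock the user out, but never re-accept a counter
        # that has already been consumed: that is what makes the password one-time.
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, c), code) and pin_ok:
                self.counter = c + 1
                return True
        return False
```

The constructed secret in the test is the RFC 4226 reference key, so the codes can be checked against the published test vectors.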

Digital certificates are electronic documents assigned to a user or system, and each contains information about that user or system. A third party, known as a certificate authority, creates the digital certificate, and the certificate is unique to the user or system. When a user makes a request to the web application and verification of his or her identity is required, the user’s application sends a digital certificate to the web application, which verifies the digital certificate with the certificate authority. The user accessing the website can also verify the identity of the site via the web server’s digital certificate.

Knowledge-Based Authentication (KBA)

KBA is an identification or web authentication mechanism that is used in real time as a question-and-answer process. The questions and answers are obtained from public records or from private data warehousing firms such as credit bureaus. The questions ask for information such as “What is the license plate number of your 1998 green Toyota Camry?” or “What is the house number where you lived in 1979?” and are used to prove that you are who you say you are. They can also be used as an authentication tool before a user establishes his or her challenge-response questions.

Challenge-response questions, by contrast, are set up by the user. Examples are “What is your favorite book?” and “What is the name of your second grade teacher?” KBA is beneficial for web authentication because it does not require an additional item such as an authenticator or certificate. It is commonly used in situations where the user does not have access to other credentials, such as establishing an account for the first time or gaining access to an account after having forgotten the password.
