An authentication protocol is a type of computer communications protocol or cryptographic protocol specifically designed for the transfer of authentication data between two entities. It allows the receiving entity to authenticate the connecting entity (e.g. a client connecting to a server) as well as authenticate itself to the connecting entity (server to client) by declaring the type of information needed for authentication as well as its syntax.[1] It is the most important layer of protection needed for secure communication within computer networks.
With the increasing amount of trustworthy information being accessible over the network, the need for keeping unauthorized persons from accessing this data emerged. Stealing someone's identity is easy in the computing world, so special verification methods had to be invented to find out whether the person or computer requesting data is really who it claims to be.[2] The task of the authentication protocol is to specify the exact series of steps needed to execute the authentication. It has to comply with the main protocol principles:
An illustration of password-based authentication using a simple authentication protocol:
Alice (an entity wishing to be verified) and Bob (an entity verifying Alice's identity) are both aware of the protocol they agreed on using. Bob has Alice's password stored in a database for comparison.
This is an example of a very basic authentication protocol vulnerable to many threats such as eavesdropping, replay attacks, man-in-the-middle attacks, dictionary attacks or brute-force attacks. Most authentication protocols are more complicated in order to be resilient against these attacks.[4]
Authentication protocols are used mainly by Point-to-Point Protocol (PPP) servers to validate the identity of remote clients before granting them access to server data. Most of them use a password as the cornerstone of the authentication. In most cases, the password has to be shared between the communicating entities in advance.[5]

Password Authentication Protocol (PAP) is one of the oldest authentication protocols. Authentication is initialized by the client sending a packet with credentials (username and password) at the beginning of the connection, with the client repeating the authentication request until an acknowledgement is received.[6] It is highly insecure because credentials are sent "in the clear" and repeatedly, making it vulnerable even to the simplest attacks such as eavesdropping and man-in-the-middle attacks. Although widely supported, it is specified that if an implementation offers a stronger authentication method, that method must be offered before PAP. Mixed authentication (e.g. the same client alternately using both PAP and CHAP) is also not expected, as the CHAP authentication would be compromised by PAP sending the password in plain text.
In the Challenge-Handshake Authentication Protocol (CHAP), the authentication process is always initiated by the server/host and can be performed at any time during the session, even repeatedly. The server sends a random string (usually 128B long). The client uses the password and the received string as input to a hash function and then sends the result together with the username in plain text. The server uses the username to look up the password, applies the same function, and compares the calculated and received hashes. Authentication is successful when the calculated and received hashes match.
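The following Python simulation is an added example, not part of the original article, and it serves both the Alice/Bob password illustration above and the CHAP description. It runs both sides of each exchange in one process: the basic protocol, where Alice sends her username and password in the clear and Bob compares them against his stored copy, and a CHAP-style challenge-response, where Bob issues a fresh random challenge and Alice returns a hash of her password and the challenge. The credential store is constructed for the example. The hash construction is an assumption chosen for illustration (SHA-256 over secret and challenge, with a 16-byte challenge); real CHAP as specified uses MD5 over an identifier byte, the secret, and the challenge, and both variants require the verifier to hold the shared secret itself rather than a one-way password hash.

```python
import hashlib
import hmac
import secrets

# Constructed credential store held by Bob (the verifier). Both protocols shown
# here need the shared secret itself, which is one of CHAP's practical caveats.
USER_DB = {"alice": "correct horse battery staple"}


def basic_password_auth(db, username, password):
    """Basic protocol from the text: the client sends username and password
    in the clear; the verifier compares against its stored copy."""
    stored = db.get(username)
    if stored is None:
        return False
    # Constant-time comparison avoids leaking the match length via timing.
    return hmac.compare_digest(stored.encode(), password.encode())


def chap_challenge(nbytes=16):
    """Server side of CHAP-style authentication: emit a fresh random challenge.
    The 16-byte size is an assumption for the example."""
    return secrets.token_bytes(nbytes)


def chap_response(username, password, challenge):
    """Client side: hash the shared secret together with the challenge and
    return it with the username (which travels in plain text)."""
    digest = hashlib.sha256(password.encode() + challenge).hexdigest()
    return username, digest


def chap_verify(db, username, digest, challenge):
    """Server side: look up the secret by username, recompute the hash over the
    challenge it issued, and compare with what the client sent."""
    stored = db.get(username)
    if stored is None:
        return False
    expected = hashlib.sha256(stored.encode() + challenge).hexdigest()
    return hmac.compare_digest(expected, digest)


def session_reuse_check(db, username, password):
    """Contrast the two protocols' behaviour when a message from one session is
    presented again in a later session (the replay weakness the text names).

    Returns (basic_first, basic_again, chap_first, chap_again)."""
    # Basic protocol: the credential message is identical in every session,
    # so it is accepted again without change.
    basic_first = basic_password_auth(db, username, password)
    basic_again = basic_password_auth(db, username, password)

    # CHAP-style: the response is bound to the challenge of its own session.
    c1 = chap_challenge()
    user, resp1 = chap_response(username, password, c1)
    chap_first = chap_verify(db, user, resp1, c1)
    c2 = chap_challenge()  # a later session issues a different challenge
    chap_again = chap_verify(db, user, resp1, c2)
    return basic_first, basic_again, chap_first, chap_again


if __name__ == "__main__":
    print(session_reuse_check(USER_DB, "alice", USER_DB["alice"]))
```

Running the script prints `(True, True, True, False)`: the basic protocol accepts the same credential message in every session, while the CHAP-style exchange accepts a response only against the challenge it was computed for. The username still crosses the wire in plain text in both cases, so this construction protects the password, not the identity of who is authenticating.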
EAP was originally developed for PPP (Point-to-Point Protocol) but today is widely used in IEEE 802.3, IEEE 802.11 (WiFi) or IEEE 802.16 as part of the IEEE 802.1x authentication framework. The latest version is standardized in RFC 5247. The advantage of EAP is that it is only a general authentication framework for client-server authentication; the specific way of authentication is defined in its many versions, called EAP methods. More than 40 EAP methods exist; the most common are:
AAA protocols are complex protocols used in larger networks for verifying the user (Authentication), controlling access to server data (Authorization) and monitoring network resources and information needed for billing of services (Accounting).
TACACS is the oldest AAA protocol, using IP-based authentication without any encryption (usernames and passwords were transported as plain text). A later version, XTACACS (Extended TACACS), added authorization and accounting. Both of these protocols were later replaced by TACACS+. TACACS+ separates the AAA components so that they can be segregated and handled on separate servers (it can even use another protocol for, e.g., authorization). It uses TCP (Transmission Control Protocol) for transport and encrypts the whole packet. TACACS+ is Cisco proprietary.
Remote Authentication Dial-In User Service (RADIUS) is a full AAA protocol commonly used by ISPs. Credentials are mostly username-password combination based, and it uses NAS and the UDP protocol for transport.[7]
Diameter evolved from RADIUS and involves many improvements such as the use of the more reliable TCP or SCTP transport protocols and higher security thanks to TLS.[8]

Kerberos is a centralized network authentication system developed at MIT and available as a free implementation from MIT but also in many commercial products. It is the default authentication method in Windows 2000 and later. The authentication process itself is much more complicated than in the previous protocols: Kerberos uses symmetric key cryptography, requires a trusted third party and can use public-key cryptography during certain phases of authentication if need be.[9][10][11]
Recent research in authentication protocols highlights advancements aimed at securing resource-constrained environments such as the Industrial Internet of Things (IoT). These modern protocols employ advanced cryptographic techniques, including Elliptic Curve Cryptography (ECC), to enable secure mutual authentication and session key agreement while minimizing computational and energy overhead. Privacy-preserving mechanisms have also been integrated with biometric authentication to enhance security without compromising user confidentiality. Further emphasis has been placed on resistance to side-channel and replay attacks, alongside the achievement of forward and backward secrecy to protect session keys in dynamic network scenarios. These emerging technologies mark significant progress in making authentication more efficient and secure across evolving digital landscapes.[12]