Proving Who You Are and Recording What You Do 👤🧾📊
This article is part of the Security Concepts & Threats series, which explores the fundamentals of protecting data, people, and devices in a connected world. For the full overview of how modern risks, defenses, and access controls fit together, refer to the main article in this series. 👉 Security Concepts & Threats
Before a system can decide what you’re allowed to do, it first needs to know who you are—and once you’re inside, it should also keep track of what you do. This is where authentication and accounting come into play.
Think of a real-world example, like entering an office building. Authentication is when you show your ID badge or scan your fingerprint to prove you’re really you. Without that step, no doors should open. Once you’re inside, accounting is similar to security cameras or entry logs that record when you arrived, which rooms you accessed, and when you left. These records aren’t meant to spy on you—they exist to ensure safety, accountability, and proper usage.
In information security, authentication verifies identity, while accounting records actions and activities. Together, they help organizations protect systems, detect misuse, investigate issues, and maintain trust—without making access unnecessarily difficult for legitimate users.
In this article, we’ll break both concepts down in simple terms and see why they are essential building blocks of secure systems.
Authentication 🔐🪪
To implement security, it is imperative to understand who is accessing resources on a computer or a network. User authentication occurs when the system you are logging into verifies that you have the proper credentials to gain access. In simple terms, authentication asks, “Who are you?”
Most of the time, this process is as straightforward as entering a username and password. However, authentication can also be more advanced, involving additional checks such as a fingerprint scan, a one-time code sent to your phone, or even facial recognition.
The goal of authentication is to ensure that only legitimate users can access systems and resources—forming the very first line of defense in any security setup.
Real-world authentication example:
Think about using an ATM. Before you can withdraw money, the machine asks you to insert your bank card and enter your PIN. The ATM checks that the card belongs to a valid account and that the PIN matches. Only after this verification will you be able to access your money. In this scenario, the ATM is simply asking the same question that authentication always asks: “Who are you?”
Types of Authentication 🔑🧩
The simplest form of authentication is called Single-Factor Authentication (SFA). In a single-factor system, only one piece of information beyond a username is required to grant access. Most often, this is a password.
Single-factor authentication is very common because it is easy to use, but it is not the most secure method available. If a password is guessed, stolen, or reused across websites, an attacker may gain access without much difficulty.
To improve security, systems often require Multi-Factor Authentication (MFA). As the name implies, MFA requires more than one factor to verify your identity before granting access.
Generally, in addition to a username, MFA requires two or more factors from the following four categories:
- Something you know
- Something you have
- Something you are
- Somewhere you are
A typical real-world example of MFA is using a bank ATM. To access your account, you need something you have (your bank card) and something you know (your PIN). In most systems, the something-you-know factor is a password. If you forget your password, a website may ask you to answer security questions you selected during registration, such as:
- What is your mother’s maiden name?
- What was the name of your first school?
- What city were you born in?
Another example is a one-time password (OTP). These passwords are generated temporarily and give you a limited window—usually 30 minutes or less—to log in. OTPs are more secure than standard passwords because they expire quickly. They may be delivered via text message, email, or phone call.
Something you have can include items like a smart card or a security token. A smart card is a plastic card, similar to a credit card, that contains a microchip. A card reader scans the chip to verify access. Smart cards are often used as employee badges, allowing access to restricted building areas, secured elevators, or internal systems—and sometimes even function as payment cards.
Smart cards can also be used to allow or prevent computer access. For example, a PC may have a card reader where an employee must swipe their smart card, or the system may automatically read the card’s chip when it comes within close proximity.
Smart cards are often combined with a PIN or used as an add-on to a standard login system to provide an extra layer of security. In this setup, for someone to gain unauthorized access, they would need to:
- Know the user’s ID and password or PIN, and
- Physically steal the user’s smart card
This makes unauthorized access much more difficult than relying solely on a password.

A security token is another form of authentication. A hardware security token typically displays an access code that changes about every 30 seconds. When the token is issued, it is synchronized with your user account. Both the token and the authentication system know the algorithm that controls how and when the code changes.
When logging in, you must enter your username and password, along with the current code displayed on the token. Even if someone knows your password, they still cannot log in without the token.
Security tokens can also be software-based. Instead of carrying a physical device, a token may be:
- Embedded in a security file unique to your computer, or
- Generated by a software application on your computer or mobile device

For example, Ping Identity’s PingID works on computers and mobile devices and generates secure authentication codes, eliminating the need to carry an additional hardware token.
In some cases, a system may also require you to log in from a specific location. For example, users might be allowed to log in only when connected to an internal corporate network. This ensures that access is limited to trusted environments.
In other situations, you may be allowed to connect from your home office. In that case, the security system recognizes a range of approved IP addresses—based on the block of addresses assigned to your Internet Service Provider (ISP)—and allows access only from those locations.
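The "somewhere you are" check described above, as an added Python example that is not part of the original article: the server keeps a list of approved address blocks (the internal network plus the block the ISP assigned to the home office) and allows a login only when the connecting address falls inside one of them. The two network ranges are constructed placeholders, and the function name `location_permits_login` is my own.

```python
import ipaddress

# Constructed allowlist for this example. The first range stands in for the internal
# corporate network; the second is a documentation block (TEST-NET-3) used here as a
# placeholder for the address block your ISP assigns to a home-office connection.
APPROVED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("203.0.113.0/24"),
]


def location_permits_login(client_ip, approved=APPROVED_NETWORKS):
    """Return the approved block (as a string) that the connecting address falls in,
    or None if the login must be refused. The matched block is worth writing to the
    accounting log alongside the login event.

    Malformed input fails closed, and because `ipaddress` parses both families,
    an IPv6 address is simply compared against each block and rejected unless an
    IPv6 block is on the list."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return None  # not an IP address at all: refuse rather than guess
    for net in approved:
        if addr in net:
            return str(net)
    return None


if __name__ == "__main__":
    for sample in ["10.42.7.9", "203.0.113.77", "198.51.100.5", "2001:db8::1", "not-an-ip"]:
        verdict = location_permits_login(sample)
        print(f"{sample:>14} -> {'allowed via ' + verdict if verdict else 'refused'}")
```

The address handed to this check must be the one the server actually sees on the connection (or one reported by a load balancer the server is configured to trust), never a value copied from a request header the client controls; otherwise the location factor can be satisfied by anyone who can type an address.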
Finally, a system may require something unique to you to authenticate. This type of authentication is typically handled using biometric devices, which verify identity by scanning physical characteristics. Common types of biometric authentication include:
- Fingerprint recognition
- Facial recognition
- Retina scanning
Law enforcement agencies have used fingerprint recognition for over 100 years, and no two fingerprints have ever been found to be identical—not even in genetically identical twins. This is because fingerprints develop in the womb and are not pre-programmed at conception.
Modern fingerprint scanners have replaced the old ink-based methods. Today the technology is so affordable that it is built into many consumer-level laptops and computers. Some scanners use laser technology to detect the ridges of a fingerprint, while others use electrostatically sensitive pads that detect the tiny electrical currents created by moisture in the skin.
Facial recognition software works with a camera to scan a person’s face during login. The scan is then compared with previously stored images of that user. Many modern laptops allow users to log into the operating system using facial recognition as an alternative to typing a password.
Retina scanning is similar to facial recognition but focuses specifically on the pattern of blood vessels in the retina. This pattern is considered just as unique as a fingerprint, making it another highly secure form of authentication.
Single Sign-On (SSO) 🔑➡️🖥️
One significant challenge large networks face is that users often need access to multiple systems and applications. Without a centralized approach, users would need to remember many different usernames and passwords, which is inconvenient and usually leads to poor security practices.
SSO (Single Sign-On) solves this problem by allowing users to log in once and access all the systems and applications they are authorized to use—without having to log in again. This approach is increasingly common in large corporate network environments.
SSO is both a blessing and a curse.
- It is a blessing because once users are authenticated, they can move between systems smoothly with less frustration and fewer interruptions.
- It is a curse because a single successful login gives access to many resources, removing additional security “checkpoints” that might otherwise exist between systems.
Important clarification:
SSO is not the opposite of MFA, even though they are often confused.
- MFA (Multi-Factor Authentication) refers to the number of factors a user must provide to prove their identity (for example, a password and a phone code).
- SSO, on the other hand, controls how often a user needs to authenticate. Once authentication is completed—whether it uses a single or multiple factors—SSO can be applied for the rest of the user’s session.
Real-World Analogy 🏢
Think of entering a large office building. At the main entrance, you show your ID badge and fingerprint (this is MFA). Once inside, you can walk into conference rooms, use the cafeteria, and enter approved work areas without having to show your ID again (this is SSO). You still proved who you were securely at the start—but you don’t have to repeat the process at every door.
Accounting 📒📊
After users have been authenticated (verified) and authorized (granted permissions), the next step is to track what they actually do with that access. This is where accounting comes in. The principle of accounting focuses on keeping records of:
- Who accessed the system
- What they accessed
- When they accessed it
- What actions they performed
Accounting is essential for security, troubleshooting, audits, and investigations.
The most common way to track user activity is through logs. Nearly all operating systems have built-in logging mechanisms that automatically record various events.

For example, Windows-based systems maintain logs that can be viewed using Event Viewer. You can open Event Viewer by typing “Event” into the Windows search bar and pressing Enter. Windows logs typically record:
- Application events – events related to software and applications
- Security events – login attempts, access failures, and policy changes
- System events – operating system and hardware-related activities
These logs provide administrators with a detailed history of system activity, helping them understand what happened if something goes wrong—or if suspicious behavior needs to be investigated.
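To show what "investigating suspicious behavior" from the Security log looks like in practice, here is an added Python example (not code from the article or from Microsoft) that runs simple detection logic over a handful of logon records. The records are constructed for this example and only borrow the shape of what Event Viewer shows for logon events: the event ID (4624 is a successful logon and 4625 a failed logon in the Windows Security log), a timestamp, the account name and the source address. The function names and the thresholds are my own choices.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (made up for this example). 4624 = successful logon,
# 4625 = failed logon. Note that the list is not in time order, just as records
# pulled from several sources often are not.
SAMPLE_EVENTS = [
    {"id": 4625, "time": "2024-01-15T08:00:05", "user": "jdoe", "src": "10.0.0.23"},
    {"id": 4625, "time": "2024-01-15T08:00:20", "user": "jdoe", "src": "10.0.0.23"},
    {"id": 4625, "time": "2024-01-15T08:00:41", "user": "jdoe", "src": "10.0.0.23"},
    {"id": 4625, "time": "2024-01-15T08:01:03", "user": "jdoe", "src": "10.0.0.23"},
    {"id": 4625, "time": "2024-01-15T08:01:30", "user": "jdoe", "src": "10.0.0.23"},
    {"id": 4624, "time": "2024-01-15T08:01:55", "user": "jdoe", "src": "10.0.0.23"},
    {"id": 4625, "time": "2024-01-15T09:10:00", "user": "asmith", "src": "10.0.0.51"},
    {"id": 4624, "time": "2024-01-15T09:10:30", "user": "asmith", "src": "10.0.0.51"},
    {"id": 4624, "time": "2024-01-15T02:00:00", "user": "svc_backup", "src": "10.0.0.5"},
]


def failed_logon_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Report accounts that accumulate `threshold` failed logons (4625) inside any
    sliding `window`. Returns {user: time at which the threshold was reached}.
    A single mistyped password (asmith above) never trips this."""
    failures = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] == 4625:
            failures[ev["user"]].append(datetime.fromisoformat(ev["time"]))
    alerts = {}
    for user, times in failures.items():
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                alerts[user] = times[i + threshold - 1]
                break
    return alerts


def success_after_burst(events, bursts):
    """Accounts that logged on successfully (4624) at or after crossing the failure
    threshold: the records an investigator would pull up first, because they show
    access that was granted right after repeated wrong guesses."""
    hits = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] == 4624 and ev["user"] in bursts:
            if datetime.fromisoformat(ev["time"]) >= bursts[ev["user"]]:
                hits.setdefault(ev["user"], ev["time"])  # keep the earliest success
    return hits


if __name__ == "__main__":
    bursts = failed_logon_bursts(SAMPLE_EVENTS)
    for user, when in bursts.items():
        print(f"{user}: repeated failed logons, threshold reached at {when.isoformat()}")
    for user, when in success_after_burst(SAMPLE_EVENTS, bursts).items():
        print(f"{user}: successful logon at {when} after the failures; review this session")
```

The same two functions work unchanged on real exported records once they are mapped to the `id`, `time` and `user` fields; the threshold and window are policy choices, and the point of the accounting records is that they let you ask this kind of question after the fact at all.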
Another activity frequently tracked is web browsing history. Most web browsers keep a record of visited websites, which helps users retrace their steps and allows organizations to review activity when needed.
Viewing Browsing History in Microsoft Edge 🌐📜
To view browsing history in Microsoft Edge:
- Open Microsoft Edge
- Click the three dots (⋯) in the top-right corner
- Select History
- Click History again to see the full list of visited sites
You can also press Ctrl + H at any time while in the browser to open the browsing history directly.
Within the history panel, you’ll notice an option to search through past visits and another option to clear browsing history. Clearing history removes stored records from the browser, but in managed or corporate environments, activity may still be logged elsewhere.
Location Tracking 📍🛰️
Accounting can also be accomplished through location tracking. Location tracking records where a user or device is located at a given time.
This is commonly done using GPS (Global Positioning System). By communicating with GPS satellites, a device’s latitude, longitude, and elevation can be determined—often within just a few meters of accuracy.
Mobile devices can also be tracked using their proximity to cellular towers. While this method works, it is typically less accurate, often only to within about 50 meters. Location-based accounting is widely used for:
- Security monitoring
- Device recovery
- Compliance and auditing
- Mobile and remote workforce management
Wrapping Up 🧭
Authentication and accounting work together to form the foundation of secure system access. Authentication ensures that only the right people get in, while accounting keeps a clear record of what happens after access is granted.
From passwords and smart cards to biometrics, single sign-on, logs, and location tracking, these mechanisms help balance security, usability, and accountability. They protect systems from misuse, support investigations when issues arise, and build trust in shared computing environments.
As systems grow larger and more connected, understanding how identity is verified and how activity is tracked becomes essential—not just for security professionals, but for anyone who uses modern technology.
In the following article, we’ll explore authorization and non-repudiation—how systems decide what an authenticated user is allowed to do, and how actions can be proven so that they cannot later be denied. These concepts complete the access control picture by focusing on permissions, responsibility, and accountability. 👉 Authorization & Nonrepudiation