Is certificate based authentication considered MFA?
Most MFA schemes rely on some form of authentication to prove the user's identity.
For example, the user may be required to enter their username and password before gaining access to their account. This type of authentication is called 'password based' MFA. Authentication can also be done using a 'token', such as an NFC-enabled phone. This type of authentication is called 'token based' MFA. A certificate based authentication process works in the same way as a token based authentication process, except that the authentication certificate is used instead of a physical token.

Why use certificate based authentication?
In some cases, it can be more convenient to use an authentication certificate than a physical token. A physical token might have to be shared or stored somewhere. An authentication certificate can simply be stored in a user's e-mail client or smart phone, so it's easier to use and carry around.

Can I use a smart card for authentication?
No, a smart card only authenticates your personal information. If a smart card is used for authentication, your smart card's PIN number must be stored in the device or the system you are authenticating.

What is the difference between an authentication certificate and a digital certificate?
An authentication certificate is an electronic document that proves who you are. It's like a digital certificate. The big difference is that the authentication certificate has been created by a certificate authority, like VeriSign or Thawte. A digital certificate is self-signed. It is created by the owner of the certificate, and there's no certificate authority behind it.

What is a multi-factor authentication certificate?
A multi-factor authentication certificate is an authentication certificate that contains two or more authentication factors. The most common multi-factor authentication certificates are:
- Smart card/token-based MFA certificates: The token is used to create a unique token number that is printed onto the authentication certificate.
- PIN-based MFA certificates: The PIN is printed onto the authentication certificate.
- Email-based MFA certificates: The email address of the user is stored on the authentication certificate.
So if I want to use a multi-factor authentication certificate, do I need to get two different authentication certificates?
What is the difference between certificate and basic authentication?
I understand that if we are trying to secure a website with HTTPS, then basic authentication must be used.
My confusion is, when the user enters credentials like username and password while accessing our website, how does the website determine whether it is certificate or basic authentication? Is there any specific HTTP header for that?
You can distinguish Basic Auth, NTLM or TLS by looking at the authentication method HTTP header. Here's an example using basic authentication: Authorization: Basic aa1234ab1234. If it was something else you could do a request similar to: GET /somepage HTTP/1.1 Authorization: %(username)s:%(password)s. The %(username)s:%(password)s would be replaced with whatever you were using for basic auth. You should never send users' credentials over the wire. Instead, use proper authentication mechanisms.
It's possible to fake Basic Authentication, even with SSL, but if the server doesn't look for the Basic Auth value in the request header (say, on an insecure connection) you have no way of knowing that it's a successful Basic Authentication unless you can see the content of the server's response.
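As an added illustration of the question above (this is example code, not part of the original answer), the following shows how a server can tell the two mechanisms apart: Basic authentication arrives as an Authorization request header whose value is base64 of user:password (RFC 7617), whereas certificate authentication happens in the TLS handshake and leaves no HTTP header at all, so the only evidence is the verified peer certificate the TLS layer hands to the application. It assumes the peer certificate is available as a dict shaped like the value ssl.SSLSocket.getpeercert() returns; the headers and certificate used here are constructed.

```python
import base64
import binascii
from typing import Optional, Tuple

# Constructed sample inputs (not taken from the page).
BASIC_REQUEST_HEADERS = {"Authorization": "Basic YWxpY2U6czNjcmV0"}  # base64("alice:s3cret")
# Shaped like ssl.SSLSocket.getpeercert() output for a verified client certificate.
CONSTRUCTED_PEER_CERT = {
    "subject": ((("commonName", "alice"),),),
    "issuer": ((("commonName", "Example Internal CA"),),),
}


def parse_basic_credentials(header_value: str) -> Optional[Tuple[str, str]]:
    """Return (user, password) for a well-formed 'Basic <base64>' value, else None.

    RFC 7617: the scheme token is case-insensitive, and the decoded text is
    user-id ':' password, where the user-id itself may not contain ':'.
    A bare 'user:pass' with no scheme (as in the answer above) is rejected.
    """
    parts = header_value.split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(parts[1].strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    user, _, password = decoded.partition(":")
    return user, password


def classify_request_auth(headers: dict, peer_cert: Optional[dict]) -> Tuple[str, Optional[str]]:
    """Report which mechanism authenticated the request and the identity it names.

    A verified client certificate takes precedence: it was checked by the TLS
    layer against the configured CA before any HTTP bytes were read.
    """
    if peer_cert:
        subject = peer_cert.get("subject", ())
        cn = next((v for rdn in subject for k, v in rdn if k == "commonName"), None)
        return "certificate", cn
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    if auth is None:
        return "none", None
    creds = parse_basic_credentials(auth)
    if creds is None:
        return "unrecognized", None
    return "basic", creds[0]
```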
What is certificate-based authentication?
Certificate-based authentication is the most common form of identity assurance because it makes use of encryption technology, which ensures confidentiality and authentication.
Identity assurance can happen using several methods including user authentication or password authentication.
Certificate-based authentication is a method used to verify that the entity requesting access has credentials that grant them access to the resource. A certificate-based authentication flow typically follows the steps outlined in Figure 4-1.
In the figure, we start with the client's computer requesting service from a server; the client's operating system generates a set of information called a challenge that tells the server how to validate the credentials of the entity requesting access. The entity's credentials may include a username and password. In this example, the server has a public key stored in its database or on the same server that will be used to encrypt the credentials sent back from the client's computer. The password is then encrypted with the server's public key using a symmetric encryption algorithm, known as a Message Authentication Code.
When a client requests access to a resource, the server provides the client with its own public key that the client uses to digitally sign or encrypt the identity information provided by the client. The client provides a matching, signed or encrypted copy of this identity information with a digital signature or encryption of this information. The digital signature or encryption process performed by the server and client forms a digital "signature" or "encryption" value which is then used by the server to verify the identities of the client and to create the appropriate level of permission given to the entity. Finally, upon successful verification of the client's identity, the server grants permission and provides a token which identifies the user as permitted to access the resource. It is important to note that each time an entity wants to access the server, the entity must send or receive the initial token provided by the server. This allows the server to track the entity's activity and block those who do not generate new access tokens.
Figure 4-1: Certificate-based authentication flowchart.

What are the benefits of certificate-based authentication?
There are many benefits to using this method for identity assurance. The benefits listed in Figure 4-2 include:
- Easy setup: Certificate-based authentication requires little setup. A client typically downloads a small certificate and the associated encryption application on a computer used to request the service from a server.
What is certificate based authentication in Salesforce?
With Salesforce it is very important that each user gets assigned a certificate for security purposes.
Certificate based authentication is one of the methods to authenticate the user in Salesforce. The certificate is issued through the enrollment portal, and you can verify whether a user has already been assigned a certificate. This is also known as a self signup certificate. It enables users to get access to Salesforce if they do not log in with their login credentials. You can also assign different levels of permissions with the help of certificates.
Salesforce supports 2 types of certificate authentication:
- Manual Enrollment (self signup)
- Automatic Enrollment (eID card)
To make users log in with manual enrollment, we have to assign their certificates manually; otherwise we can assign the certificate using the self-service enrollments feature provided in the Autonomous Security Model. If your target is only self-signups, then I would suggest going with the "Manual Enrollment" option. If you require automated signups for multiple users, you need to opt for the Autonomous Security Model. In that case, users will be allowed to autoenroll after completing a few security questions (e.g. date of birth, phone number, etc.) and providing personal details.
Note: All the certificates that you create through these options will be linked to Account (User/Profile) owners and cannot be used on other related objects (like opportunities, cases, invoices, etc.).
Salesforce Certificate Authentication Features
The authentication features mentioned above are the mandatory features and provide security to the users. However, we still need some additional requirements for Salesforce as well.
Role-Based Access Control (RBAC)
Role based access control (RBAC) is required for any organization where the employees are grouped based on their role in the organization. Access to Salesforce is available only if your users are part of the group that has been given RBAC access to the specific objects in Salesforce.
Organization Wide Deletion Protection
Deletion Protection should be configured for each object in Salesforce. This means there should not be an option available to delete all records or specific data by removing the ownership of a specific record.