Vol. 1 · Ed. 2026
CyberGlossary
Entry № 711

Mutual Authentication

What is Mutual Authentication?

Mutual Authentication: An authentication exchange in which both communicating parties — client and server, or two services — cryptographically prove their identities to each other before exchanging data.


Mutual authentication, sometimes called two-way authentication, requires both sides of a connection to verify the other's identity, not just the server proving itself to the client. The dominant implementation today is mutual TLS (mTLS) defined in RFC 8446 for TLS 1.3, where each side presents an X.509 certificate validated against a private CA. Other examples include Kerberos AP-REQ / AP-REP, SSH host-key verification combined with user public-key authentication, IPsec IKEv2 with certificate authentication, and FIDO2/WebAuthn ceremonies that include attestation. Mutual authentication is mandatory in service-mesh deployments (Istio, Linkerd, Consul) and in zero-trust architectures such as Google BeyondCorp, where every workload-to-workload call is authenticated with short-lived SPIFFE identities. It mitigates impersonation, man-in-the-middle and rogue-service attacks.

Examples

  1. Istio service mesh enforcing mTLS between every pair of microservices in a Kubernetes cluster.

  2. Banking APIs requiring client certificates issued by the bank's private CA in addition to OAuth tokens.

Frequently asked questions

What is Mutual Authentication?

An authentication exchange in which both communicating parties — client and server, or two services — cryptographically prove their identities to each other before exchanging data. It belongs to the Identity & Access category of cybersecurity.

What does Mutual Authentication mean?

An authentication exchange in which both communicating parties — client and server, or two services — cryptographically prove their identities to each other before exchanging data.

How does Mutual Authentication work?

Mutual authentication, sometimes called two-way authentication, requires both sides of a connection to verify the other's identity, not just the server proving itself to the client. The dominant implementation today is mutual TLS (mTLS) defined in RFC 8446 for TLS 1.3, where each side presents an X.509 certificate validated against a private CA. Other examples include Kerberos AP-REQ / AP-REP, SSH host-key verification combined with user public-key authentication, IPsec IKEv2 with certificate authentication, and FIDO2/WebAuthn ceremonies that include attestation. Mutual authentication is mandatory in service-mesh deployments (Istio, Linkerd, Consul) and in zero-trust architectures such as Google BeyondCorp, where every workload-to-workload call is authenticated with short-lived SPIFFE identities. It mitigates impersonation, man-in-the-middle and rogue-service attacks.
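The mTLS exchange described in the definition above and in this answer, as an added example that is not part of the glossary entry and not code from any mesh or TLS project: a Go program using only the standard library (`crypto/tls`, `crypto/x509`) that mints a constructed private CA, issues short-lived certificates to two hypothetical workloads, and runs three handshakes against a server configured with `tls.RequireAndVerifyClientCert`. The CA name `mesh-root-ca`, the workload names `payments-svc` and `orders-svc`, the rogue issuer `rogue-ca`, and the helpers `issueCert`, `exchange` and `runScenarios` are all constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issueCert mints a short-lived ECDSA P-256 certificate for cn. With isCA it is
// self-signed (our constructed private CA); otherwise parent signs it.
func issueCert(cn string, isCA bool, parent *tls.Certificate) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour), // hours, not years, as a mesh CA would issue
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
	}
	signer, signerKey := tmpl, any(key) // self-sign by default
	if isCA {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		signer, signerKey = parent.Leaf, parent.PrivateKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

// exchange runs one mTLS round trip over loopback TCP; both sides validate the peer against pool.
func exchange(server tls.Certificate, clientCerts []tls.Certificate, pool *x509.CertPool) (string, error) {
	serverCfg := &tls.Config{
		MinVersion:   tls.VersionTLS13,
		Certificates: []tls.Certificate{server},
		ClientAuth:   tls.RequireAndVerifyClientCert, // this setting is what makes the auth mutual
		ClientCAs:    pool,
	}
	clientCfg := &tls.Config{RootCAs: pool, Certificates: clientCerts}
	ln := must(tls.Listen("tcp", "127.0.0.1:0", serverCfg))
	defer ln.Close()
	go func() {
		conn := must(ln.Accept()).(*tls.Conn)
		defer conn.Close()
		if conn.Handshake() != nil {
			return // client failed verification; the TLS alert is already on the wire
		}
		// The verified client identity is what an authorization policy would consume.
		fmt.Fprintf(conn, "hello %s", conn.ConnectionState().PeerCertificates[0].Subject.CommonName)
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), clientCfg)
	if err != nil {
		return "", err
	}
	defer conn.Close()
	// In TLS 1.3 the client's handshake completes before the server has checked the
	// client certificate, so a rejection only surfaces on the client's first read.
	reply, err := io.ReadAll(conn)
	return string(reply), err
}

// runScenarios: a trusted client, a client with no certificate, and a client issued by a rogue CA.
func runScenarios() map[string]string {
	ca := issueCert("mesh-root-ca", true, nil)
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	server := issueCert("payments-svc", false, &ca)
	client := issueCert("orders-svc", false, &ca)
	rogueCA := issueCert("rogue-ca", true, nil)
	rogue := issueCert("orders-svc", false, &rogueCA) // same name, wrong issuer
	out := map[string]string{}
	for name, certs := range map[string][]tls.Certificate{"trusted-client": {client}, "no-client-cert": nil, "rogue-ca-client": {rogue}} {
		reply, err := exchange(server, certs, pool)
		if err != nil {
			reply = "rejected: " + err.Error()
		}
		out[name] = reply
	}
	return out
}

func main() { fmt.Println(runScenarios()) }
```

Only the first scenario yields a reply; the client without a certificate and the client whose certificate chains to an untrusted issuer both get a TLS alert, which is the rogue-service case the entry mentions. Two points the code makes explicit: the verified peer name is an input to authorization, not a substitute for it, and a TLS 1.3 client that never reads from the connection cannot tell it was rejected. A production mesh would carry the workload identity in a SPIFFE URI SAN rather than the Common Name and rotate the certificates automatically.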


What are other names for Mutual Authentication?

Common alternative names include: Two-way authentication, Mutual TLS, mTLS.
