Authenticate

Verify that a user or organisation is who they claim to be, using trusted credentials, before securely granting access to a service.

Use authentication to confirm the user's identity to securely protect services, data, and system integrity.

Use this pattern when

  • access to a service must be limited to known users or organisations.

  • the service handles personal, sensitive, or protected information.

  • actions or content must be linked to a specific user account.

  • legal, policy, or security requirements require identity verification before access.

When not to use this pattern

Avoid authentication where it is not strictly necessary. User accounts add effort, cost, and risk to a service. Consider alternatives for low-risk services, like:

  • one-time access links

  • token-based access via email or SMS

  • trusted third-party authentication

  • guest or anonymous access

Steps


1. Present sign-in options

Users are shown a page to sign in or create an account.

Provide appropriate sign-in options based on service, context and risk level. Options may include:

  • entering direct credentials such as username and password

  • redirecting users to an external identity provider

2. Verify credentials

The user submits credentials.

Verify credentials using the service’s authentication system or a trusted external provider. Confirm that credentials are valid, current, and authorised for this service. Do not expose any service data until verification succeeds.

3. Return outcome

After verification, the service should return a clear outcome. Use the outcome step pattern.

If verification succeeds, allow the user to continue without interruption.

If verification fails, explain the failure to the user in clear, non-technical language and guide them to the next steps, without exposing sensitive security details.

4. Support credential recovery (if needed)

Provide a recovery path when authentication fails due to forgotten, expired, or invalid credentials.

Support credential reset or referral to appropriate support channels.

Ensure recovery is easy to follow while maintaining security controls.
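The verify-and-return-outcome steps above, written out as an added example (not part of this pattern page). It assumes a constructed in-memory credential store with salted PBKDF2 hashes, checks that the account is current and authorised for this service, keeps the user-facing failure message generic while recording the precise reason in an audit log, and only issues a session token once verification succeeds.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash; the iteration count is kept modest for this example.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    password_hash: bytes
    active: bool = True       # "current": not expired, locked or disabled
    authorised: bool = True   # allowed to use this particular service


# Constructed sample store standing in for the service's trusted credential store.
_SALT = b"constructed-salt-value"
ACCOUNTS = {
    "alice": Account(_SALT, _hash_password("correct horse", _SALT)),
    "bob": Account(_SALT, _hash_password("battery staple", _SALT), active=False),
}
# Placeholder account so unknown usernames cost the same as known ones.
_DUMMY = Account(_SALT, _hash_password("placeholder", _SALT))
AUDIT_LOG: list[dict] = []   # detailed outcomes for audit, never shown to the user

GENERIC_FAILURE = "We could not sign you in. Check your details or reset your password."


def verify_credentials(username: str, password: str) -> dict:
    account = ACCOUNTS.get(username, _DUMMY)
    known = username in ACCOUNTS
    # Constant-time comparison so timing does not reveal where the hashes differ.
    password_ok = hmac.compare_digest(
        account.password_hash, _hash_password(password, account.salt)
    )
    if known and password_ok and account.active and account.authorised:
        reason = "success"
    elif not (known and password_ok):
        reason = "bad_credentials"
    elif not account.active:
        reason = "inactive"
    else:
        reason = "not_authorised"
    AUDIT_LOG.append({"user": username, "outcome": reason})
    if reason == "success":
        # Session is only created, and service data only reachable, after success.
        return {"ok": True, "session": secrets.token_urlsafe(32), "message": "Signed in"}
    # One message for unknown user, wrong password and disabled account alike.
    return {"ok": False, "message": GENERIC_FAILURE}
```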


Considerations

User scenarios

  • Support both individual users and organisations where relevant.

  • Support returning users, first-time users, and users recovering access.

  • Account for assisted and offline channels that rely on the same authentication rules.

Technical specifications

  • Authentication mechanisms must use trusted and secure credential stores.

  • Integrations with external identity providers must use secure, standard protocols.

  • Authentication outcomes must be logged for audit and security purposes.

  • Session handling must prevent unauthorised reuse or access.
