Modern Authentication is an umbrella term originally coined by Microsoft, but many other companies now use it as well. It describes a combination of the following:
- Authentication methods (authentication = how something or somebody logs in to a system)
- Authorization methods (authorization = the mechanisms that ensure you do not have full access to everything by default)
- Conditional access policies (policies that define the conditions under which additional steps must be taken before you can log in to a system)
Authorization and authentication methods are standardized in the digital world. The industry standard for authorization is OAuth2. For authentication there is no industry standard, but the most widely used standard is OpenID Connect. Although they serve different purposes, the two are closely related from a technology standpoint: the OpenID Connect protocol suite extends the OAuth protocol, and both build on the same technologies. OAuth was never designed to authenticate users or persons, only services. That is why OpenID Connect was created.
What would Modern Authentication look like in our airport analogy? With Modern Authentication, the procedure seems quite familiar: you fly abroad, leave the plane and go to the security officer at border control. The officer asks to see your passport, on which he finds all the information needed to identify who you are and where you are from. This information is protected by anti-forgery mechanisms. In the digital world, the passport is what we call an ID token. This token contains important information: who you are, who created the token, how long it is valid, and so on.
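To make the passport analogy concrete, the following Python example (added here; it is not code from the article, and it is not how any particular identity provider implements the check) mints a small ID token in JWT form and then performs the checks a relying party does when it "inspects the passport": the signature (the anti-forgery mechanism), the issuer (who created the token), the audience (which application it was issued for), the validity window and the nonce. Real ID tokens are normally signed with the provider's RSA or EC key; this example uses an HMAC shared secret so it runs with the standard library only. The issuer URL, client id, key and claims are all constructed values.

```python
import base64
import hashlib
import hmac
import json
import time

# All values below are constructed for this example; they belong to no real identity provider.
ISSUER = "https://idp.example.com"                   # "who created the token"
CLIENT_ID = "airport-demo-app"                       # the application the token is meant for
SIGNING_KEY = b"constructed-demo-key-do-not-reuse"   # HMAC key standing in for the IdP's signing key


def b64url_encode(data: bytes) -> str:
    """JWT uses base64url without padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Restore the padding that b64url_encode stripped, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, key: bytes = SIGNING_KEY) -> str:
    """Build a compact JWT (header.payload.signature) signed with HS256."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    signature = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(signature)}"


def validate_id_token(token: str, key: bytes = SIGNING_KEY, issuer: str = ISSUER,
                      audience: str = CLIENT_ID, nonce=None, now=None):
    """Return (True, claims) if every check passes, otherwise (False, reason).

    The order matters: the signature is verified before any claim in the payload
    is trusted, and the accepted algorithm is pinned by the relying party rather
    than taken from the token's own header.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
    except ValueError:
        return False, "malformed header"
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    try:
        actual = b64url_decode(sig_b64)
    except ValueError:
        return False, "malformed signature"
    if not hmac.compare_digest(expected, actual):
        return False, "bad signature"
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        return False, "wrong issuer"
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        return False, "wrong audience"
    if now >= claims.get("exp", 0):
        return False, "expired"
    if claims.get("iat", 0) > now:
        return False, "issued in the future"
    if nonce is not None and claims.get("nonce") != nonce:
        return False, "nonce mismatch"
    return True, claims


if __name__ == "__main__":
    issued_at = int(time.time())
    token = mint_id_token({"iss": ISSUER, "sub": "traveller-42", "aud": CLIENT_ID,
                           "iat": issued_at, "exp": issued_at + 300, "nonce": "n-1"})
    print(token)
    print(validate_id_token(token, nonce="n-1"))
```

The `sub` claim is the "who you are" of the passport, `iss` is who printed it, `exp` is its expiry date, and the signature is the anti-forgery feature; a token that fails any one of these checks is refused the same way a passport with a tampered photo page would be.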
Where Does Multi-Factor Authentication (MFA) Fit Into the Mold?
Two-Factor Authentication (2FA) and Multi-Factor Authentication (MFA) are part of the authentication process. The process is as follows: you as a user connect to your identity provider, which needs to validate that it is really you trying to connect. Depending on the conditional access policies defined by the administrator, your identity provider might ask you for further information. If it decides that entering your credentials alone is not enough to authenticate you, for example when you are connecting from an unknown network, it may ask for additional information, such as a code sent to your mobile phone. Microsoft has implemented this in a very dynamic way. Their systems continuously learn and decide what is a secure system and what is not.
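The following Python example (added here; it is not from the article and does not reproduce any vendor's policy engine) shows the shape of the conditional access step described above: each sign-in carries some context, a set of administrator-defined policies is evaluated against it, and the result is "allow", "require_mfa" or "block". The trusted network ranges, application names, risk labels and policies are constructed for the example. It goes slightly beyond the single "unknown network" case in the text by combining several policies and showing that a block always wins over an MFA requirement regardless of policy order.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, FrozenSet


@dataclass(frozen=True)
class SignIn:
    """Context the identity provider knows about one sign-in attempt (constructed fields)."""
    user: str
    source_ip: str
    app: str
    device_compliant: bool
    risk: str  # "low", "medium" or "high"; constructed labels, not a vendor's scale


# Constructed trusted ranges: a private corporate range and a documentation prefix.
TRUSTED_NETWORKS = (
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("203.0.113.0/24"),
)


def on_trusted_network(ip: str) -> bool:
    """True if the source address lies inside a known network; unparseable input counts as unknown."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETWORKS)


@dataclass(frozen=True)
class Policy:
    name: str
    grant: str                                # "require_mfa" or "block"
    condition: Callable[[SignIn], bool]       # when the policy applies
    apps: FrozenSet[str] = frozenset()        # empty set means every application


# Constructed policies an administrator might define.
POLICIES = (
    Policy("mfa-outside-trusted-network", "require_mfa",
           lambda s: not on_trusted_network(s.source_ip)),
    Policy("mfa-noncompliant-device-on-admin-portal", "require_mfa",
           lambda s: not s.device_compliant, apps=frozenset({"admin-portal"})),
    Policy("block-high-risk", "block",
           lambda s: s.risk == "high"),
)


def evaluate(sign_in: SignIn, policies=POLICIES) -> dict:
    """Evaluate every policy; block beats require_mfa, which beats allow."""
    matched, blocked, mfa = [], False, False
    for policy in policies:
        if policy.apps and sign_in.app not in policy.apps:
            continue
        if not policy.condition(sign_in):
            continue
        matched.append(policy.name)
        if policy.grant == "block":
            blocked = True
        elif policy.grant == "require_mfa":
            mfa = True
    decision = "block" if blocked else ("require_mfa" if mfa else "allow")
    return {"decision": decision, "matched": matched}


if __name__ == "__main__":
    for attempt in (
        SignIn("alice", "10.1.2.3", "mail", True, "low"),
        SignIn("alice", "198.51.100.7", "mail", True, "low"),
        SignIn("bob", "10.1.2.3", "admin-portal", False, "low"),
        SignIn("carol", "198.51.100.7", "admin-portal", False, "high"),
    ):
        print(attempt.user, attempt.source_ip, attempt.app, "->", evaluate(attempt))
```

The `matched` list is what you would want in the sign-in log: it records which policy caused the extra prompt or the block, which is what an analyst needs when a user reports an unexpected MFA challenge.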