Authentication, put simply, means identifying a user who requests access to a particular service. Until recently, simple credentials in the form of a username and password would suffice, but today's security standards demand something much more substantial.
Different business requirements demand different security levels, achieved by carefully choosing or combining the various authentication methods available. User experience also plays a significant role in user satisfaction during online payment processing.
Therefore, the authentication method applied must provide convenience and security at the same time. If the authentication process is uncomfortable or does not run smoothly, it causes high cart abandonment rates. On the other hand, if the authentication does not provide appropriate security measures, the threat of fraudulent activity involving payment cards rises and results in chargeback costs.
Technology is constantly developing, and with it the risk of being hacked increases. In one of our previous articles, we already talked about hackers and the ways to protect your data.
Nevertheless, the question remains relevant. In this article, we’ll talk about the current ways of authenticating and try to understand which of them is the most reliable. Good security can be complex in theory, but in practice, human behaviour makes it even trickier.
Security best practices are hard enough to implement and almost impossible to enforce. You don’t have to go out of your way to get used to sophisticated new security procedures, but basic knowledge is essential for secure authentication.
Which Authentication Method Is Most Secure?
What is authentication? In the most basic terms, it is verifying that you are who you say you are. Although this sounds simple, it is a problem that has been difficult to solve in the digital world. The measure of what makes an authentication solution effective is based on two components: security and usability.
Authentication Security And Usability
Security is the most obvious and often the most discussed. This boils down to how effective the authentication method is at preventing identity theft or unauthorised access. However, a narrow focus on security can ignore the practicality of using an authentication method. Although a unique device implanted under a person’s skin would be a highly secure authentication method, it is not practical.
In the real world, usability is as important as security. The costs of security failures can be read about in headlines about high-profile breaches, but the cost of usability failures is suffered more quietly. These costs manifest in the workplace in the form of productivity loss and help desk expenses. When employees face a cumbersome process for logging in to the applications they need for work, they will either spend less time working and more time attempting to log in, while also burdening the help desk with an increased need for assistance, or they will find a way around the login process, sacrificing the security that was put in place.
One of the most widespread and well-known methods of authentication is the password. Passwords have existed for a long time. However, password authentication is becoming more and more complicated to use, as we have to create not one but many different passwords. An average person uses about 25 different websites and applications that require a password. To feel safe, you need to create reliable passwords that are long enough and consist of various numbers, letters and characters. The problem is that it’s pretty hard to remember all these passwords. Trust us: even if your memory is good enough, it will be rather tricky for you to recall all your passwords.
In a data breach, such as the one that occurred (168 million users), passwords become the favourite targets of hackers. Many security programs require websites to store passwords only in a “hashed” form: they are cryptographically transformed so that they cannot be read directly, but a password entered at login can still be checked against the stored value. All these precautions are taken because hackers can steal a website’s database with all the passwords. Nowadays, many malware programs are created with the primary goal of stealing your passwords and personal information.
If a website transforms your information cryptographically and does so properly, you need not worry much about your data, because reconstructing passwords from such hashes is challenging and time-consuming. Nevertheless, not all websites are so conscientious, and that makes stealing passwords quite an easy task. So it’s not safe to use the same password, or simple variations of it, on every website. Hmmm… if it’s not safe to use passwords, what should we use? There are various kinds of authentication. Let’s look at the most common ones.
In addition to passwords, many services allow you to add a second level of security through two-factor authentication. This can be a code generated on your device or sent to your phone. It’s also possible to generate such a code on an external device.
At first glance, this type of authentication may seem much more reliable than simple passwords. Nevertheless, there are some pitfalls too. The problem is that the user could lose access to the SIM card, the phone number, or the app responsible for generating the code. In the worst case, you might even lose your device.
CAPTCHAs are a type of Turing test that we previously described in one of our articles about Artificial Intelligence. Their main goal is to make sure that you’re not a robot. Users are asked to perform tasks that bots are not capable of doing. During such tests, various images are used. While bots can read the page’s source code, they won’t understand what these images depict.
There are different types of CAPTCHAs. One of the most common is the text CAPTCHA, where you need to look at a random combination of letters and numbers in a picture, work out what they are, and finally enter the characters in the attached form. Some text CAPTCHAs can also be rendered as MP3 audio recordings, as bots are only capable of detecting the presence of the audio but not its content.
The other types of CAPTCHA are the following:
- 3D Super CAPTCHAs — require identifying an image rendered in 3D
- “I’m not a robot” CAPTCHAs — require a user to check a box
- Marketing CAPTCHAs — require typing a particular word or phrase related to the sponsor brand
- Math CAPTCHAs — require a user to solve a simple arithmetic problem
This security process relies on the unique biological characteristics of a person to verify that they are who they say they are. A user’s biometric data is captured and then stored in a database. One of the main advantages of biometric information is that you can’t forget or lose it.
Various types of biometric authentication:
- Finger vein identification — this is the most common means of authentication that is used in the majority of digital devices.
- Face identification — this technology is capable of scanning and identifying your face.
- Voice identification — the technology relies on specific characteristics created by the shape of the speaker’s mouth and throat.
- Finger scanning — a type of authentication that resembles the ink-and-paper fingerprinting process. This kind of authentication is also found as Touch ID.
- Iris recognition — the goal of this authentication method is to identify people based on the unique patterns within the ring-shaped region that surrounds the pupil of the eye.
What’s essential is that biometric data can’t be cryptographically transformed the way a password is. In other words, this data can’t be hashed. The thing is that two captures of the same biometric are never exactly identical. If we stored a cryptographically transformed biometric, we wouldn’t be able to compare it with a later capture, because even the slightest variation would change the hash.
Another disadvantage of biometric data is that it’s pretty challenging to use online. First off, it’s tricky to read biometric data remotely. While a device can verify the integrity of its own fingerprint scanner and camera, an online service can’t. Unless we find a way to store our biometric data securely, it will always be highly vulnerable to theft.
Authentication And Machine Learning
Imagine you’re going for a walk and notice your friend. There is an intricate process in your brain before you realise that you know this person. You take a lot more things into account than just a name or password. The human brain is much more complicated than any intricate technology or mechanism. We look not only at biometric data, such as fingerprints, voice or face, but also at human behaviour.
Machines are becoming more and more capable of observing and analysing human behaviour, which can significantly improve other authentication procedures. For instance, our computer would be able to recognise the way we type our messages or passwords, or even the way we talk on the phone. As a result, by learning how we behave, our devices will be able to determine their proper owner and, in case of danger, shut down or erase themselves.
Public And Private Key-pairs
This kind of authentication is the main characteristic of asymmetric cryptography. It is found primarily in systems such as Bitcoin, but public and private key pairs can easily be used in authentication systems too.
The user’s private key can be stored on the device, and the public one can be uploaded and stored on a service’s servers. As a result, you’ll be able to use the same key pair for various services.
The user wouldn’t need to transmit a password to log in but would instead create a signed message specifying the details of the current login. It might be limited to certain actions, such as access to specific folders or activities.
The Authentication Methods
Passwords
The most common authentication method is the password: a string of characters, known to both the user and the service provider, that is used to verify the identity of a user.
From a security standpoint, passwords are notoriously weak for two reasons. First, a password is a shared secret, meaning that it is stored somewhere (the application’s database) and known by the user (often written down). This has been corrected for, somewhat, by hashing requirements for password storage, but it still places the onus on the user to keep a password (many users have over 100) in their memory and not record it anywhere from which it can be stolen. Second, for obvious reasons, passwords do not do a great job of meeting the definition of authentication, proving that you are you, since anyone with your password can pretend to be you.
It is not even as if the password is trading weak security for increased user convenience. Constant resets and increasingly stringent requirements make passwords a consistent source of productivity loss and help desk calls.
Knowledge-based Questions
A personal question about the user, often used in addition to passwords.
There’s still a password, and this merely adds a second shared secret. Answers to security questions, such as street names and your mother’s name, can easily be discovered on the internet and are a lower barrier to entry than the initial password.
On their own, these are not inconvenient, since they are unlikely to require help desk calls or reduce productivity. However, since they usually accompany a password, they add another step for the user without providing additional security.
Mobile Push Notifications
A notification is sent to a user’s mobile device, asking them to select “yes or no” as to whether or not they are trying to access a specific resource.
Mobile push notifications are more secure than passwords or knowledge-based questions because they require physical possession of the device. However, this method is still rife with security issues. Push notifications are vulnerable to problems on the mobile devices themselves, such as SIM card hijacking, malware or spyware. Another issue is notification flooding attacks, which cause the user to select “yes” so routinely that they stop checking whether it is, in fact, they who are requesting access.
This is relatively easy once set up, as it only requires a device the user already has: their mobile phone. However, there is some inconvenience stemming from the need to always have the mobile device at hand when logging in on other devices, such as a desktop computer or laptop.
Mobile SMS Notifications
Sends a verification text message requiring the user to reply “yes or no”.
These are very easy to spoof or compromise via a man-in-the-middle attack. As the text is sent over the standard cellular network, these messages are not encrypted and can be intercepted.
Similar to mobile push notifications, these are pretty easy for users to navigate without a help desk but cause some inconvenience due to the need for the user’s mobile device to be on hand at all times.
Time-based One Time Password (OTP)
A password or PIN that is valid for only a single session. This method requires a computer-generated code that changes every 30-60 seconds, depending on the configuration. The code is delivered via a mobile app or hardware token, or sent to the user over SMS.
Time-based one-time passwords are generally used in combination with passwords; they are vulnerable to man-in-the-middle attacks, and they are a shared secret, creating two attack vectors.
They are reasonably burdensome for users, given the need for external hardware and the short time available to copy the one-time passcode from the external device in order to log in.
Out-of-band Voice/Call Back Authentication
The platform being accessed calls the requester’s phone number to verify their identity.
This is not very secure, as phone calls can be redirected or intercepted. Suffering from the same issues as SMS authentication, a phone number is not a fast identity verifier.
This requires multiple devices and answering a phone call, causing significant friction for the individual attempting to log in.
Biometrics
A physical or behavioural human characteristic such as facial recognition, fingerprinting, retina scans, etc.
Biometrics are sensitive, and it’s near impossible to spoof someone’s biometric. However, if a biometric is stolen, it cannot be changed. Therefore, biometrics can be a very secure authentication method as long as the biometric data is stored securely. If a biometric is stored improperly, such as in the cloud, it can become a shared secret and subject to leaks.
This is an easy-to-use method for individuals because a biometric is “something they are”. As long as false positives are minimised, this is a very simple form of authentication.
Public-key Cryptography (PKC)
A cryptographic system that relies on pairs of keys: a private key stored securely on the device and a widely available public key.
This type of technology has been used to secure digital transactions for 30 years. Similar to biometrics, this can be a very secure authentication method as long as the private key is stored in a safe place.
With an application like Beyond Identity that manages asymmetric keys, this can be very easy to use. For a user logging in, it feels as though they only enter their username, and that is it. There is no need for a second device, a hardware token or the memorisation of a code.
Which password authentication method works best for businesses?
Every day, it seems another company falls victim to a data breach. Hackers are using increasingly sophisticated techniques, so it has become crucial that businesses have robust security measures in place. The key aim of a secure system is to ensure that only authorised users can gain access; in other words, your security measures should let legitimate users in and keep cybercriminals out.
Password authentication methods can assist with access management by providing MSPs with extra layers of protection. To choose the suitable password authentication methods for your MSP and your customers, it’s essential to understand the differences between them. This article will explain how each of the primary password authentication methods works and compare the advantages of various password authentication methods to help you make an informed decision.
What are the most common authentication protocols?
Authentication protocols are the designated rules for interaction and verification by which endpoints (laptops, desktops, phones, servers, etc.) or systems communicate. For as many different applications as users need access to, there are just as many standards and protocols. Selecting the proper authentication protocol for your organisation is essential for ensuring secure operations and user compatibility. Here are a few of the most commonly used authentication protocols.
Password Authentication Protocol (PAP)
While common, PAP is the least secure protocol for validating users, primarily due to its lack of encryption. It is essentially a routine log-in process in which a username and password combination is sent to a given system, which validates the provided credentials. It’s now most often used as a last resort when communicating between a server and a desktop or remote device.
Challenge Handshake Authentication Protocol (CHAP)
CHAP is an identity verification protocol that verifies a user to a given network with a higher encryption standard, using a three-way exchange based on a shared “secret.” First, the local router sends a “challenge” to the remote host, which sends back a response computed with the MD5 hash function. The router compares it against its expected response (hash value) and, depending on whether it finds a match, establishes an authenticated connection (the “handshake”) or denies access. It is inherently more secure than PAP, as the router can send a challenge at any point during a session, whereas PAP only operates at the initial authentication approval.