The phrase “authentication methods” may sound complicated, but actually, we use these methods all the time. They include the passwords we enter to log in to social media accounts, PINs for bank cards, and fingerprint scans to unlock our phones. Even if some methods are more reliable than others, there are no right or wrong ones—their efficiency depends purely on the company’s goals and the risks it faces.
Wait, what is authentication?
Before we start, let’s clear up what authentication is. Authentication is a process that can prove whether something or someone is authentic, i.e., genuine. For instance, the authenticity of a user can be proven by the use of his or her password—if the password is valid, the user is authentic.
Identification vs. Authentication vs. Authorization. No wonder these three concepts get confused: not only do they sound similar, they are also stages of a single process. First comes identification: a user enters their login (at this stage, we ask, “Who is it?”). Then comes authentication: the user enters their password (we inquire, “How can you prove that you are the owner of the login you entered?”). And finally—authorization: after going through identification and authentication, the user gets the right (authority) to manage their account.
Now let’s dive deeper into the methods. We’ve arranged them from the most widespread to the most sophisticated, so you can choose the one that suits you best.
Method #5: IP address check as the least secure authentication method
An Internet Protocol (IP) address is a unique number allocated to every device that connects to the internet. Most probably, you already apply this method if your website requires visitors to accept cookies.
Technology behind the method. An IP address works as a return address to establish communication with an internet service provider and access the internet. When a server receives the user’s IP address, it can derive an approximate geolocation from it.
Benefits. This method helps to prevent cybercrimes by locating an intruder. For instance, if a user is known to live in Los Angeles, and suddenly the server detects that someone is trying to make some purchases from the user’s account from an IP address in Barcelona, then the server can require additional authentication before granting authorization.
Drawbacks. Several people (family members, for instance) can use one IP address, which makes personal user authentication impossible. Also, a VPN can easily mask an IP address and IP location. Thus, it is always recommended to combine this method with others to raise the level of security and prevent hacker attacks.
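The Los Angeles/Barcelona scenario above, as an added example that is not part of the original article: a server-side check that compares the location of the login address with the user's usual location and asks for step-up authentication on a mismatch. The IP-to-city table and the user profile are constructed for the demo (the RFC 5737 documentation ranges stand in for public addresses), and a real service would query a geolocation database. In line with the drawbacks listed, the result is treated as a risk signal that triggers extra authentication, never as proof of identity, and unknown or unroutable addresses fail closed.

```python
"""Added example: IP-location mismatch as a trigger for step-up authentication.

Constructed data only; the lookup table is not real geolocation data.
"""
import ipaddress
from typing import Dict, List, Optional

# Constructed lookup table: network prefix -> city (RFC 5737 test ranges used
# as stand-ins for public address space).
GEO_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): "Los Angeles",
    ipaddress.ip_network("192.0.2.0/24"): "Los Angeles",
    ipaddress.ip_network("198.51.100.0/24"): "Barcelona",
}

# Addresses that never carry a public geolocation (RFC 1918 and loopback).
UNROUTABLE = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]

# Constructed user profile: where each account normally logs in from.
KNOWN_LOCATIONS: Dict[str, set] = {
    "alice": {"Los Angeles"},
}


def locate(ip_str: str) -> Optional[str]:
    """Return the city for an address, or None when it cannot be located.

    Unroutable addresses and addresses outside the table both return None,
    so the caller treats them as 'unknown' rather than 'safe'.
    """
    addr = ipaddress.ip_address(ip_str)
    if any(addr in net for net in UNROUTABLE):
        return None
    for net, city in GEO_TABLE.items():
        if addr in net:
            return city
    return None


def needs_step_up(user: str, ip_str: str) -> bool:
    """True when the login origin does not match one of the user's known locations.

    A location of None is a mismatch: the check fails closed and the server
    asks for additional authentication instead of granting access outright.
    """
    city = locate(ip_str)
    if city is None:
        return True
    return city not in KNOWN_LOCATIONS.get(user, set())


def assess_logins(user: str, ip_strs: List[str]) -> Dict[str, bool]:
    """Evaluate a batch of login attempts; maps each address to the decision."""
    return {ip: needs_step_up(user, ip) for ip in ip_strs}


if __name__ == "__main__":
    attempts = ["203.0.113.7", "198.51.100.9", "10.0.0.5"]
    for ip, flagged in assess_logins("alice", attempts).items():
        print(f"{ip}: {'step-up required' if flagged else 'password only'}")
```

Because several households share one address behind NAT and a VPN can place a user anywhere, a match here lowers the risk score but does not authenticate the user; only a mismatch is actionable, and the action is to demand another factor.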
If an IP address check is not the first thing that comes to mind when we hear the word “authentication” then passwords truly are, so let’s move on to talk about this familiar approach.
Method #4: Password as a widespread but nonsecure method
Authentication using a password is the right method to choose if you want fast and easy implementation, and you do not store clients’ sensitive information.
Technology. Authentication takes place in three stages: 1) A user enters the password; 2) The data is sent to the authentication service through encrypted or unencrypted channels; 3) The service checks the entered data against data saved previously in the database. If the data matches, the user is granted access to their account. If not, the service returns the user to stage one.
Benefits. Passwords are easy to build into any platform or website. They do not require users to get special equipment or spend a lot of time logging in. Also, people are so familiar with the technology that they rarely refuse to use it.
Drawbacks. Many of us have had a social media account hacked. This happens because passwords are easy to intercept. Fortunately, there are several ways you can make the transmission of a password to an authentication service safer.
- Encrypted transmission channels. Encryption is provided by TLS (Transport Layer Security), one of several cryptographic protocols (suites of algorithms) that secure data in transit. Most email services and social media platforms transmit clients’ data only through encrypted channels.
- Hashed passwords. Rather than sending the password itself, it is much safer to convert this password into a specific “code” and send the code instead; this is how hashed-data transportation works. It is very hard for a hacker to recover the original text of a password from its hash.
- Single-use passwords. Imagine what happens when an intruder intercepts a reusable password: if no one notices, the hacker can use it as many times as they want. However, if it is a single-use password, the cybercriminal can use it only once.
- Limited number of password entries. To increase security, you can limit attempts to enter a password to fewer than 10. For instance, when a bank client enters their PIN, they are usually allowed to make a mistake only twice before the card is blocked.
For more security, you can combine some of these variations, and, for instance, transmit client passwords in hashed forms through encrypted channels and limit the number of password entry attempts.
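The three-stage password flow described under “Technology”, combined with two of the hardening measures listed above, as an added example that is not part of the original article: passwords are stored and compared as salted PBKDF2 hashes rather than as clear text, the comparison is constant-time, and the number of failed attempts is limited, after which the account is blocked in the same way as the bank-card PIN example. Encrypted transport (TLS) belongs to the channel and is not shown. The users, passwords and the MAX_ATTEMPTS value are constructed for the demo.

```python
"""Added example: password verification with salted hashing and attempt limiting.

Constructed users and passwords only; the hashing parameters are illustrative.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

MAX_ATTEMPTS = 3            # constructed: block after the third failure
PBKDF2_ITERATIONS = 200_000  # constructed work factor for the demo


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a salted hash and return (salt, digest).

    A fresh random salt per user means two accounts with the same password
    do not end up with the same stored value, so one leaked record does not
    reveal the other.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


class PasswordService:
    """Stage 3 of the flow: compare submitted data against the stored record."""

    def __init__(self) -> None:
        self._records: Dict[str, Tuple[bytes, bytes]] = {}   # user -> (salt, digest)
        self._failures: Dict[str, int] = {}                   # user -> failed attempts

    def register(self, user: str, password: str) -> None:
        """Store only the salted hash; the clear-text password is never kept."""
        self._records[user] = hash_password(password)
        self._failures[user] = 0

    def is_locked(self, user: str) -> bool:
        return self._failures.get(user, 0) >= MAX_ATTEMPTS

    def authenticate(self, user: str, password: str) -> str:
        """Return 'ok', 'denied' or 'locked'."""
        if self.is_locked(user):
            return "locked"
        record = self._records.get(user)
        if record is None:
            # Unknown login: do the same amount of work so response time does
            # not reveal which logins exist, then deny.
            hash_password(password, b"\x00" * 16)
            return "denied"
        salt, stored = record
        _, candidate = hash_password(password, salt)
        # Constant-time comparison avoids leaking how many bytes matched.
        if hmac.compare_digest(candidate, stored):
            self._failures[user] = 0
            return "ok"
        self._failures[user] += 1
        return "locked" if self.is_locked(user) else "denied"


def demo_flow() -> List[str]:
    """Run a constructed sequence of attempts and return the service's decisions."""
    svc = PasswordService()
    svc.register("alice", "correct horse battery staple")
    attempts = [
        ("alice", "correct horse battery staple"),  # ok
        ("alice", "password123"),                   # denied, 1 failure
        ("alice", "letmein"),                       # denied, 2 failures
        ("alice", "qwerty"),                        # locked, 3 failures
        ("alice", "correct horse battery staple"),  # still locked, even with the right password
        ("nobody", "anything"),                     # denied, unknown login
    ]
    return [svc.authenticate(user, pw) for user, pw in attempts]


if __name__ == "__main__":
    for decision in demo_flow():
        print(decision)
```

The lockout counter is reset on a successful login and is never decremented by a failure on an unknown account, so the service gives the same answer for a wrong password and for a non-existent login.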
Method #3: SMS-based authentication as a safer method that requires two-factor authentication
This method is widely used almost everywhere—from banks to gaming platforms. You can consider this method if the possible breach of your database might lead to substantial losses for your clients.
Technology. The authentication comes in three steps: 1) A user enters their login and password; 2) If the password is correct, the system (through the mobile operator) automatica