The phrase “authentication methods” may sound complicated, but actually, we use these methods all the time. They include the passwords we enter to log in to social media accounts, PINs for bank cards, and fingerprint scans to unlock our phones. Even if some methods are more reliable than others, there are no right or wrong ones—their efficiency depends purely on the company’s goals and the risks it faces.
Wait, what is authentication?
Before we start, let’s clear up what authentication is. Authentication is a process that can prove whether something or someone is authentic, i.e., genuine. For instance, the authenticity of a user can be proven by the use of his or her password—if the password is valid, the user is authentic.
Identification vs Authentication vs Authorization. No wonder these three concepts get confused. They do not only sound similar, but they also constitute a single process. First comes identification: a user enters their login (at this stage, we ask, “Who is it?”). Then comes authentication: the user enters their password (we inquire, “How can you prove that you are the owner of the login you entered?”). And finally—authorization: after going through identification and authentication, the user gets the right (authority) to manage their account.
Now let’s dive deeper into the methods. We’ve ranged them from the most widespread to the most sophisticated ones, so you can choose the one that suits you best.
Method #5: IP address check as the least secure authentication method
An Internet Protocol (IP) address is a unique number allocated to every device that connects to the internet. Most probably, you already apply this method if your website requires visitors to accept cookies.
Technology behind the method. An IP address works as a return address to establish a communication with an internet service provider and access the internet. When a server receives the user’s IP address, it can detect geolocation from it.
Benefits. This method helps to prevent cybercrimes by locating an intruder. For instance, if a user is known to live in Los Angeles, and suddenly the server detects that someone is trying to make some purchases from the user’s account from an IP address in Barcelona, then the server can require additional authentication before granting authorization.
Drawbacks. Several people (family members, for instance) can use one IP address, which makes personal user authentication impossible. Also, a VPN can easily mask an IP address and IP location. Thus, it is always recommended to combine this method with others to raise the level of security and prevent hacker attacks.
If an IP address check is not the first thing that comes to mind when we hear the word “authentication” then passwords truly are, so let’s move on to talk about this familiar approach.
Method #4: Password as a widespread but nonsecure method
Authentication using a password is the right method to choose if you want fast and easy implementation, and you do not store clients’ sensitive information.
Technology. Authentication takes place in three stages: 1) A user enters the password; 2) The data is sent to the authentication service through encrypted or unencrypted channels; 3) The service checks the entered data against data saved previously in the database. If the data matches, the user is granted access to their account. If not, the service returns the user to stage one.
Benefits. Passwords are easy to build into any platform or website. They do not require users to get special equipment or spend a lot of time logging in. Also, people are so familiar with the technology that they rarely refuse to use it.
Drawbacks. Some of us have been in the situation when our account on social media has been hacked. Situations like this happen because passwords are easy to snoop. Fortunately, there are several ways you can make the transmission of a password to an authentication service safer.
- Encrypted transmission channels. The encryption happens through a TLS (Transport Layer Security) protocol, one of the many cryptographic protocols (a number of algorithms) that secure data transport. Most of the email services and social media transmit clients’ data only through encrypted channels.
- Hashed passwords. Rather than sending the password itself, it is much safer to convert this password into a specific “code” and send the code instead, and this is how hashed-data transportation works. It is very hard for a hacker to decipher hashed passwords back to text ones.
- Single-use passwords. Imagine what happens when an intruder snoops a multiple-time use password: if no one notices, the hacker can use it as many times as they want. However, if it is a single-use password, the cybercriminal can use it only once.
- Limited number of password entries. To increase security, you can limit attempts to enter a password to fewer than 10. For instance, when a bank client enters their PIN, they are usually allowed to make a mistake only twice before the card is blocked.
For more security, you can combine some of these variations, and, for instance, transmit client passwords in hashed forms through encrypted channels and limit the number of password entry attempts.
Method #3: SMS-based authentication as a safer method that requires two-factor authentication
This method is widely used almost everywhere—from banks to gaming platforms. You can consider this method if the possible breach of your database might lead to substantial losses for your clients.
Technology. The authentication comes in three steps: 1) A user enters their login and password; 2) If the password is correct, the system (through the mobile operator) automatically sends a single-use authentication key to the user’s phone; 3) The user enters the key in the login form and gets access.
Benefits. This method is quite reliable since it requires two-factor authentication: a password and a code via SMS. What’s more, the authentication uses two different mediums: the internet and the mobile network, which prevents a so-called man-in-the-middle attack.
Drawbacks. Unfortunately, SMSs still get snooped. Hackers can infect a phone with a virus that sets up the software that intercepts SMSs. Since this authentication method usually protects more sensitive data than ordinary passwords do, the breach of this information can lead to huge losses. Also, this method is more costly and requires signing a contract with a mobile operator.
While we are approaching the most secure method of all, let’s talk about the practice commonly used in banking.
Method #2: Token authentication as a method that we all use but did not know its name
A security token is a physical device that contains the holder’s information. Bank cards, phones, and hotel keycards are all examples of tokens.
Technology. When a user inserts the token into the tokenization system (e.g., a bank’s client enters their card in an ATM), the latter checks whether the token is right and gives access to the user.
Benefits. Using a token provides a new level of security since the presence of this material device is needed to access the holder’s account. Also, tokens are usually not connected to the internet, which protects them from a man-in-the-middle attack.
Drawbacks. Both advantages and disadvantages come from a token being a material device—even if they cannot be hacked from the internet, they can still get stolen.
Here we have talked about so-called hardware tokens, but there are also software tokens. These are stored on the device and can be easily duplicated, which makes them less secure than physical ones.
Method #1: Biometric check as the most advanced method
This method is worth investing in by businesses like online banks that require an even higher level of security.
Technology. When a user first logs into the system that requires biometric authentication, his or her biometrics (iris, fingerprints, face, voice, etc.) are recorded. Next time the user’s biometrics are checked and sent to the authentication server, the server compares them to the biometrics previously entered and now stored in the database. Therefore, like the password databases, there are databases containing people’s fingerprints or iris scans.
Benefits. This method is highly reliable since no two people have the same biometrics. Also, a person cannot usually lose their biometrics as they can lose or forget tokens and passwords.
Drawbacks. Biometric authentication often needs some kind of equipment. Imagine that your product aims at a vast audience, and your platform requires a fingerprint scan for authentication. Even if some people now have a scanner on their phones, there is still a strong possibility that you will miss potential clients who possess older phone models. Also, biometric databases can themselves get hacked, which is more dangerous than a password data breach since a user can change a password, but they cannot change their biometrics.
Multi-factor authentication: combine approaches to ensure the best security
Since every method has its advantages and disadvantages, one can combine several approaches to outweigh the cons. Here are the authentication factors you can incorporate together:
- something the user knows (a password, a PIN code);
- something the user possesses (a bank card, a phone);
- somewhere the user is (IP location, GPS location);
- something the user is (Face ID, fingerprints);
- something the user does (keystroke, digital behavior).
Take Gmail as an example. When you log in from your friend’s computer (password authentication), Gmail detects that a new IP address is trying to get access to the account (IP address authentication) and asks for additional authentication (e.g., an SMS-based one). This is how multi-factor authentication works. It is always recommended to combine several methods to increase the level of security and protect your clients from hacker attacks.
Looking for the most reliable authentication method? Check out our biometric authentication solution.