Consider this simplified strong authentication process using an SMS One-time Passcode (OTP):
- Step 1: Password
The person creates and memorises a unique set of numbers and letters used to access the system.
- Step 2: Possession
After typing in the correct password, a secondary string of letters and numbers is sent to the user's registered smartphone.
- Step 3: Access
After tapping in the second set of details, the user can get into the system.
Logging on via this method takes time and a few extra steps. But we live in a world where apps contain confidential, personally identifiable information we must protect.
Passwords alone are not enough, as the only security measure standing in the way of total compromise is a string of input characters. Today’s security threats require much more robust protection measures.
The Role of Risk Explained
Some companies use strong authentication techniques to verify every login request. Others use a risk-based authentication method to verify only those requests that seem somehow suspect.
During a login request, the system assesses:
- Locations. Where is the request coming from?
- Timestamps. When is the user requesting a login?
- Frequency. How often has the user tried to log in previously?
Clear risks may emerge. For example, a company may notice multiple login requests from a foreign country during an unusual time of day. Or the system may recognise a routine request from someone who always logs in from that location at the same time.
If a risk is detected, the system can deploy enhanced authentication techniques, such as new passwords or biometric verifications. If no hazard is detected, the user logs on without extra required steps.
Is Strength Worthwhile?
You may believe that your data is already protected and that your company already takes reasonable steps to prevent unauthorised access. In reality, very real data protection problems lurk in almost every environment. And sometimes, companies are required to demonstrate that they are using strong authentication techniques.
The FIDO Alliance advocates for universal strong authentication techniques, and the group uses these startling statistics to prompt compliance:
- Password issues spark more than 80 percent of data breaches.
- Up to 51 percent of passwords aren't original.
A data breach can result in lost revenue, and you may also lose the trust and respect of your customer base. When your customers aren’t certain you will respect their work and privacy, they may choose to work with your competition instead.
If you work in the financial sector, or you accept payments from people in the European Union, strong authentication isn't optional for you. The strong customer authentication (SCA) rules went into effect in 2019, and they require strong verifications for in-app payments in the European Economic Area (EEA).
7 Types of Strong Authentication
You have plenty of options to choose from. However, not all factors are created equal. Different factors have varying degrees of assurance and practical usability.
Here are common types of second factors:
- Security questions: Security questions have traditionally been used for password resets, but there is nothing stopping you from adding security questions as an additional authentication factor.
They’re simple to set up, but they can be hacked or stolen very easily.
- One-time passwords (OTPs): OTPs are more secure than security questions as they use a secondary authentication category. The user has a device (something they have) over and above their password (something they know).
Verification codes or OTPs sent via SMS are also convenient, but there are risks to using traditional OTPs as tokens have been intercepted and compromised.
- App-generated codes: A software-based OTP uses the time-based one-time password algorithm (TOTP) presented via a third-party app.
App-generated OTPs are built with security in mind. But potential smartphone penetration is a drawback.
- Specialized authentication apps: Rather than providing the user with an OTP, this requires users to verify their identity by interacting with the app on their smartphone, such as Okta’s Verify by Push app.
The authentication token is then sent to the service directly, strengthening security by eliminating the need for a user-entered OTP.
- Physical authentication keys: The authentication process is secured by an asymmetric encryption algorithm where the private key never leaves the device. USBs that are plugged in when prompted and smart cards that users swipe are examples.
U2F is a standard maintained by the FIDO Alliance and is supported by Chrome, Firefox, and Opera.
- Biometrics: Authentication is reinforced by something you are over and above something you know and something you have. This is tough to hack, but no method is perfect, and biometrics come with challenges and privacy concerns.
Like passwords, biometric data must be stored in some form of database, which could be compromised. And unlike a password, you cannot change your fingerprint, iris, or retina once this happens. Furthermore, implementing this MFA factor requires investment in specialised biometric hardware devices.
- Cryptographic challenge response protocol: A database sends a challenge to another, and the recipient must respond with the appropriate answer. All the communication is encrypted during transmission, so it can't be hacked or manipulated. These systems sound complex, but in reality, the sender and the recipient finish the communication in seconds.
Any or all of these systems could be right for you and your organisation. A blend of several different techniques could be beneficial too.
Let Okta Help You
Finding the right strong authentication process, and ensuring that it really offers the security your company demands, isn't always easy. We can help.
We have years of experience in helping companies like yours navigate complex questions just like this. Contact us to find out more.
What Is FIDO? The FIDO Alliance.
Strong Customer Authentication. (August 2019). Financial Conduit Authority.
Challenge Response Authentication Protocol. (November 2018). Medium.