Review Of The Main Authentication Mechanisms Used


Jorge Martínez

Digital Marketing Manager at buguroo


10.12.2019 05:00 pm

Technology is advancing at a rapid pace. This not only favors the development of new products that facilitate users’ lives, but also becomes a new attack vector for attackers, who see fresh opportunities to obtain economic gain.

This is why companies invest part of their profits in the application of security measures to reduce attacks and provide their customers with greater security.

Among the security measures that companies have implemented in recent years are two-step user authentication techniques, applied when users access online services or authorize other actions within them.

Two-step authentication provides the user with an additional step, to demonstrate that he or she is indeed the customer attempting to perform a certain action, and not an attacker. In addition to providing their password, with this system the user must go through a second authentication step to eliminate fraud possibilities.

In addition, today there are numerous directives worldwide that aim to regulate this type of authentication, especially in the financial and online commerce sector. These directives include PSD2, the European directive that regulates the payment services provided for any online service that includes payment activities within Europe. This directive puts special emphasis on security, requesting the strengthening of and compliance with certain security features for payment authentication, known as “Strong Customer Authentication”. This authentication also consists of a two-step authentication that we discussed in one of our past posts.

While implementation of PSD2 is still being completed throughout the financial and electronic commerce sector (its application has been delayed to December 31, 2020), this post reviews the most common two-step authentication methods used not only at the European level but globally.

SMS authentication

This is the most commonly used two-step authentication method. Virtually all the services that apply a two-step verification mechanism use SMS authentication. This system consists of sending a single-use alphanumeric code via a text message, which the user must enter into the system during the login.

Although it is the most commonly used mechanism, it is not the safest, or the simplest. And considering the rise of malware for mobile devices, it is among the worst in terms of security. On an infected device, the malicious application will have access to any SMS received and can forward it to the attacker's control server.

In terms of usability, the process of entering the code can be really tedious for users if they are looking at the message at the same time, especially if they do the entire process from their own mobile phone.

This technique also incurs a cost for the entities that decide to use it, since sending text messages in order to implement the system involves a cost.

Authentication using OATH TOTP applications

This technology makes use of third-party applications to authenticate the user. The technology is known as OATH TOTP, and it functions in a way very similar to the technique of sending codes by SMS. However, in this case the user will use an application such as Google Authenticator, LastPass Authenticator, or Latch to generate a temporary authentication code.

OTP authentication systems can use different methods to generate the final password that will be provided to the user. Examples are: event-based authentication, time-based authentication or a challenge-response authentication method.

The main advantages we can highlight are the low cost that their use entails for companies, in addition to the fact that the level of security they offer us is very robust and reliable. Plus, they pose no problems for the user as there is no need to install new applications.

Authentication based on biometric factors

This is a favorite among users, as it is one of the most comfortable in terms of usability as well as being one of the safest. There are different types of biometric authentication. Facial and fingerprint recognition are the most commonly used, although we can also find solutions that use the iris or physiognomy.

Its popularity has been increasing in recent years and is expected to increase even more in the coming ones. This is due to the ease with which the user can access this type of technology and how easy it is to use. In the case of fingerprint recognition, all the user has to do is place his or her finger on their mobile's reader.

On the other hand, we can find problems in the implementation of these mechanisms. If the system implementation is not robust enough, an attacker could use simple tricks to authorize the authentication. For example, they could use a photo of the victim in the case of a facial recognition system.

In addition to the use of physical biometric factors to authenticate the user during login, there is also the possibility of providing security through a behavioral biometrics analysis able to identify a user silently (without impacting their user experience), analyzing the way they type, move the mouse, hold their mobile phone, their movements within an application or website, pressure, latency, response speed and many others. This analysis makes it possible to detect if it is really the legitimate user or if, on the contrary, it is an attacker who has managed to fraudulently access the user's account.

Other methods being phased out

In addition to the authentication factors introduced above, we find others that are gradually being replaced by new mechanisms. These include coordinate cards, phone calls, hardware tokens in calculator or USB mode, etc.

Looking forward: continuous biometric analysis

In recent years, large online services companies have opted for biometric authentication, taking advantage above all of the physical biometrics readers incorporated into smartphones. This fact allows us to predict a bright future for this type of authentication, which in addition to being quite good in terms of security is also good in terms of user experience.

However, these methods begin to coexist with new techniques such as the analysis of biometric behavior, which is even less intrusive in the user experience and also provides an element of continuous authentication. This means the user’s identity is not only verified when they use their fingerprint or face for authentication (static authentication), but throughout the user's session when using any online service, which provides a higher level of protection.

At buguroo we are committed to this type of technology and we develop solutions that make it possible to detect if a user is being impersonated or manipulated during an entire online session.

