Guide to Digital Identity — Part 2 (Authentication)
In the previous article (Guide to Digital Identity-Part 1), we talked about the basics of digital identity and authentication methods. (If you haven’t already read it, read it now!).
The purpose of this article is to help you understand when to use which authentication method. We will talk about the details, pros and cons, and use cases of the various authentication methods.
Let’s start with the fundamental authentication methods introduced in part 1.
Password-Based Authentication
This method requires a unique ID and a password for authentication. The unique ID could be an email address, username, or phone number.
The following are the types of password-based authentication:
1. Email/Username and Password Login
In this method, you can ask your users to create their accounts by entering their email address/username and password. Note that they need to provide the same credentials to access their accounts later on. In addition, you can make email verification mandatory or optional based on your business requirements.
Upon entering the correct credentials, the user is allowed access to the desired resource.
Businesses that rely on email notifications for promotions and updates should use Email Login. Companies also widely use this option to allow only domain-specific email addresses to register and log into their portals.
On the other hand, applications where the real name or identity is not needed should use Username Login.
2. Phone and Password Login
This method requires the user to register and log in via their phone number and password. In addition, phone number verification can be done during registration via a One-Time Passcode (OTP). Upon verification, users can log in using their phone number.
This authentication method is most commonly used by public websites and mobile applications such as food delivery, cab services, etc. It is beneficial for customers who do not actively use or maintain their email or social accounts. The advantage is that people of all ages can easily use it.
Password-Based Authentication is the most primitive technique used for user verification. It uses something you know (email address/phone number/username and password) as an authentication factor.
Although it is easy to use and implement, this authentication option faces the following disadvantages:
- Requires the user to remember the credentials.
- Password strength plays an important role in the confidentiality of the password.
- Does not, by itself, verify who the user really is.
- Prone to brute force and phishing attacks.
However, you can easily overcome these disadvantages using Passwordless Authentication (explained later in this article).
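As an added illustration (not code from the original article), the following Python sketch shows the two steps described above, registration with an email address, username or phone number plus a password, and a later login with the same credentials, together with the storage practices that limit the brute-force risk listed among the disadvantages: a per-account random salt, a slow key-derivation function, a minimum password length and a constant-time comparison. The in-memory store, the 12-character minimum and the iteration count are assumptions made for this example.

```python
import hashlib
import hmac
import os

# Constructed in-memory user store: normalized identifier -> (salt, password_hash).
# A real deployment would use a database; this is an added example, not the article's code.
_USERS: dict[str, tuple[bytes, bytes]] = {}

_PBKDF2_ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256
_MIN_PASSWORD_LENGTH = 12     # assumed policy value


def _hash_password(password: str, salt: bytes) -> bytes:
    """Derive a slow, salted hash so that a leaked hash table resists brute force."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _PBKDF2_ITERATIONS)


def register(identifier: str, password: str) -> bool:
    """Create an account keyed by email, username or phone number.

    Returns False if the identifier is already taken or the password is too short.
    The plaintext password is never stored, only its salted hash.
    """
    identifier = identifier.strip().lower()
    if identifier in _USERS or len(password) < _MIN_PASSWORD_LENGTH:
        return False
    salt = os.urandom(16)                                   # unique per account
    _USERS[identifier] = (salt, _hash_password(password, salt))
    return True


def login(identifier: str, password: str) -> bool:
    """Verify the credentials presented at login against the stored hash."""
    identifier = identifier.strip().lower()
    record = _USERS.get(identifier)
    if record is None:
        # Do the same amount of work so response time does not reveal which identifiers exist.
        _hash_password(password, b"\x00" * 16)
        return False
    salt, stored = record
    # Constant-time comparison avoids leaking how many bytes of the hash matched.
    return hmac.compare_digest(_hash_password(password, salt), stored)
```

Rate limiting of failed logins per identifier and per source address would normally sit in front of `login`; it is left out here to keep the example focused on credential storage.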
Social Login
This method involves signing in to third-party websites using existing social media credentials (Facebook, Twitter, etc.). In this case, the social networking website acts as the Identity Provider (IDP) during the authentication process.
Note that the IDP never shares any password; it only provides the status of the authentication request.
This form of authentication uses something you have (social account) as an authentication factor, so the user is not required to fill out a registration form.
Forward-looking businesses should use social login to enhance the user experience on their websites. After all, there is no need for the user to fill out a registration form or remember complex passwords.
However, for companies in regulatory and security-intensive industries such as banking, insurance, healthcare, etc., social login is not preferred, the reason being that these accounts are vulnerable to sophisticated and novel attack methods.
Advantages of Social Login:
- Eliminate the need to remember multiple passwords.
- Frequent maintenance of the authentication system is not required.
- Ability to personalize user experience based on the personal information received from the social provider.
Disadvantages of Social Login:
- Potential loss of privacy
- Security threats
Be warned that Social Login might not be an ideal choice for all businesses; B2C companies may benefit far more from Social Login than B2B companies. Even in the B2C segment, some websites might decide against offering Social Login if their target audience is aged 55 or older, as these users are less likely to have social accounts.
Passwordless Authentication / Instant Login
The concept of Passwordless Authentication was introduced to overcome issues with password-based authentication. In passwordless authentication, the user can log in via either a magic link or an OTP received by email or text message.
It uses something you have (email address or mobile device) as an authentication factor.
Passwordless Authentication, as the name suggests, is a type of authentication that lets users log into their profiles without a password. For example, a user can register an email or phone number and receive an OTP on their registered email or phone number for each login. You can configure Passwordless Login in the following ways:
- Magic Link via Email: This method requires the user to enter the email address to receive a unique link that can only be used once for a limited time for login. To log in, the user needs to click the unique login link.
- OTP Login via Email: This method requires the user to enter the email address to receive an email with a unique one-time passcode. The received OTP expires in a limited time. To log in, the user needs to enter the OTP into the application.
- OTP Login via Phone: This method is similar to OTP Login via Email, except that the user enters the phone number instead of an email address to receive the unique one-time passcode.
- Delegated Login: This method allows the user to log into devices such as smart TVs, gaming consoles, IoT devices, etc. that are otherwise not accessible on web or mobile devices. This method delegates the authentication to a linked device. On successful authentication, the user is logged into the parent device that initiated the authentication request.
Workflow Example: The user enters the registered email on a TV app (smart device) and requests a login. The login request is delivered to the linked device (mobile phone, laptop, etc.).
The TV app keeps checking for verification until a response is received. Once the user approves the authentication request on the linked device, the user is logged into the app on the TV.
- Push Notification: This method requires users to install an authentication app on their mobile device. When a user attempts to log in on the web application, it sends a push notification on the connected mobile device for approval. Once approved, the user logs into the web application.
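The magic-link and OTP options above share one mechanism: a secret is generated server-side, delivered out of band, and accepted only once and only before it expires. The following Python example, added here and not taken from the original article, implements that mechanism for both. Only a hash of each secret is stored, a magic link is consumed on first use, and a numeric OTP is tied to the identifier it was issued for and capped at a small number of guesses, since a six-digit code is otherwise easy to brute-force. The lifetimes, the guess limit, the in-memory stores and the `/login/magic` URL are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Added example (not the article's code). Constructed in-memory stores; a real
# service would keep these in a database or cache with the same semantics.
_LINKS: dict[str, tuple[str, float]] = {}       # sha256(token) -> (identifier, expires_at)
_OTPS: dict[str, tuple[str, float, int]] = {}   # identifier -> (sha256(code), expires_at, guesses_left)

MAGIC_LINK_TTL = 15 * 60   # seconds; assumed policy values
OTP_TTL = 5 * 60
OTP_DIGITS = 6
OTP_MAX_GUESSES = 5


def _digest(value: str) -> str:
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def issue_magic_link(identifier: str, base_url: str, now: Optional[float] = None) -> str:
    """Create a single-use login URL to e-mail; the token carries 256 bits of randomness."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _LINKS[_digest(token)] = (identifier, now + MAGIC_LINK_TTL)   # only the hash is stored
    return f"{base_url}/login/magic?token={token}"


def redeem_magic_link(token: str, now: Optional[float] = None) -> Optional[str]:
    """Consume the token exactly once; returns the identifier, or None if unknown, used or expired."""
    now = time.time() if now is None else now
    entry = _LINKS.pop(_digest(token), None)        # pop: a second click finds nothing
    if entry is None:
        return None
    identifier, expires_at = entry
    return identifier if now <= expires_at else None


def issue_otp(identifier: str, now: Optional[float] = None) -> str:
    """Create a short numeric code to send by e-mail or SMS; replaces any earlier code."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
    _OTPS[identifier] = (_digest(code), now + OTP_TTL, OTP_MAX_GUESSES)
    return code


def redeem_otp(identifier: str, code: str, now: Optional[float] = None) -> bool:
    """Verify a code for this identifier, with a guess limit to resist brute force."""
    now = time.time() if now is None else now
    entry = _OTPS.get(identifier)
    if entry is None:
        return False
    code_hash, expires_at, guesses_left = entry
    if now > expires_at:
        del _OTPS[identifier]                       # expired: user must request a new code
        return False
    if hmac.compare_digest(code_hash, _digest(code)):
        del _OTPS[identifier]                       # success consumes the code
        return True
    guesses_left -= 1
    if guesses_left <= 0:
        del _OTPS[identifier]                       # too many wrong guesses: code is discarded
    else:
        _OTPS[identifier] = (code_hash, expires_at, guesses_left)
    return False
```

The `now` parameter exists so expiry can be exercised deterministically; production callers leave it unset and the functions use the wall clock.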
Advantages of Passwordless Authentication:
- No need to remember any password.
- Automatic identity verification as a part of the login process.
- Enhanced security, since no preset password exists to be stolen or guessed.
- Protects against phishing, credential stuffing, dictionary attacks and other password-related attacks.
- Cost-effective and easy to implement.
Disadvantages of Passwordless Authentication:
- Dependency on third-party services: for example, if the SMS or email gateway is down, the user won’t be able to log in.
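The delegated-login workflow described above (the TV app starts a request, the linked device approves or denies it, and the TV keeps polling until a response arrives) can be modelled as a small server-side state machine. The Python below is an added example, not code from the original article. The request identifier that the TV polls with, the separate approval secret that is delivered only to the linked device (so the TV itself can never approve its own request), the five-minute time limit and the in-memory table are all assumptions made for the example.

```python
import secrets
import time
from typing import Optional

# Added example (not the article's code). Constructed in-memory request table;
# a real deployment keeps this in a shared cache so the TV and the phone see the same state.
_REQUESTS: dict[str, dict] = {}   # request_id -> {"email", "expires_at", "status", "approval_secret"}

REQUEST_TTL = 5 * 60   # seconds; assumed time limit for the user to respond


def start_delegated_login(email: str, now: Optional[float] = None) -> tuple[str, str]:
    """Server side of the TV app's login request.

    Returns (request_id, approval_secret): the request_id goes back to the TV for
    polling; the approval_secret is sent only to the linked device (push, e-mail, ...).
    """
    now = time.time() if now is None else now
    request_id = secrets.token_urlsafe(16)
    approval_secret = secrets.token_urlsafe(32)
    _REQUESTS[request_id] = {
        "email": email,
        "expires_at": now + REQUEST_TTL,
        "status": "pending",
        "approval_secret": approval_secret,
    }
    return request_id, approval_secret


def decide_on_linked_device(approval_secret: str, approve: bool, now: Optional[float] = None) -> bool:
    """Linked device (phone, laptop) approves or denies. False if the request is unknown, settled or expired."""
    now = time.time() if now is None else now
    for req in _REQUESTS.values():
        if secrets.compare_digest(req["approval_secret"], approval_secret):
            if req["status"] != "pending" or now > req["expires_at"]:
                return False
            req["status"] = "approved" if approve else "denied"
            return True
    return False


def poll(request_id: str, now: Optional[float] = None) -> tuple[str, Optional[str]]:
    """TV app polls this until the status is no longer 'pending'.

    Returns (status, email): status is 'pending', 'approved', 'denied' or 'expired';
    email is set only on 'approved', which is the moment the TV session is created.
    A terminal result is delivered once and the request is then removed.
    """
    now = time.time() if now is None else now
    req = _REQUESTS.get(request_id)
    if req is None:
        return "expired", None
    if req["status"] == "pending" and now > req["expires_at"]:
        req["status"] = "expired"
    status = req["status"]
    if status == "pending":
        return status, None
    del _REQUESTS[request_id]
    return status, (req["email"] if status == "approved" else None)
```

Because the approval secret is never shown on the TV, an attacker who can see the screen (or who requested the login with someone else's email) gains nothing: only the holder of the linked device can move the request out of the pending state.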
Barcode Authentication
Barcode authentication involves logging into devices or services by scanning a barcode, without any manual typing. Users can use barcodes to log into their devices, including personal computers or desktops provided at the workplace and secured with Active Directory.
It uses something you have (barcode card) as an authentication factor.
A typical barcode-based authentication system consists of the following:
- Barcode Scanner: To read the barcodes.
- Card or Device: A portable card or device that contains a barcode.
- Identification and Authentication Host: The host connects to the barcode scanning device to identify the scanned barcode. It first obtains the user identification code and related information and then verifies whether the user meets the authentication conditions.
Advantages of Barcode Authentication:
- Easy to use and efficient.
- Less costly when compared to other card-based authentication methods.
Disadvantage of Barcode Authentication:
- It is less secure because it is easy to copy or steal barcodes.
Barcode authentication might meet your organization’s needs if you prioritize convenience, cost, and leveraging existing technology investments over security. It is crucial to weigh the pros and cons and consider a more secure authentication method if security is a concern.
Biometric Authentication
Biometric authentication involves the use of unique biological characteristics of the individual for the verification and authentication of identity.
The user’s biometric data is captured and stored in the database for use during user verification. Upon verification, the application confirms user authentication.
It uses something you are (fingerprint, face, or retina) as an authentication factor.
Biometric authentication is commonly used to control access to digital resources such as smartphones and computing devices, or to physical resources such as rooms and buildings.
The following are the types of Biometric Authentication:
1. Fingerprint Authentication
Fingerprint authentication compares a user’s fingerprint to a stored fingerprint to validate a user’s identity. For security reasons, the application stores fingerprint data in encrypted form for verification. It uses electronic fingerprint readers or built-in fingerprint sensors to identify the users based on their unique fingerprints.
Fingerprint authentication is better in terms of performance than password-based techniques. It takes less than a second to verify the identity of the users, which is significantly faster than the process of entering a password. Also, the user is not required to memorize the password.
2. Face Recognition
Face Recognition works by identifying and verifying an individual using their face.
The face recognition application uses 80 nodal points on a user’s face as endpoints for measuring the variables of the facial surface. These 80 nodal points include:
- Length or width of the nose
- Depth of the eye sockets
- Shape of the cheekbones, etc.
The face recognition application then maps these facial features into digital data mathematically and stores them as a faceprint.
It utilizes deep learning algorithms for comparing the live digital image captured with the already stored faceprint to verify the identity of an individual.
To add facial recognition and analysis features to an application, you can use:
- Amazon Rekognition, part of the Amazon AI suite (for image analysis)
- Google Cloud Vision API, which uses machine learning to detect, match, and identify faces
Facial recognition systems can quickly and accurately identify target individuals when the conditions are favorable. However, if the user’s face is partially obscured or in profile rather than facing forward, or if the lighting is insufficient, this type of application is less reliable and can lead to false-positive results.
Face recognition can be used to mark attendance where the employees work from remote locations.
3. Retina Scan
Retina scan technology uses an image of the retinal blood vessel pattern of an individual that serves as a unique identifying trait of the person to control authentication and access.
High-security locations use retina scan authentication for nuclear reactors, defense locations, etc. It requires the person to focus on a single point for about 15 seconds for the retina scan.
Retina scan authentication does not require as much computer memory when compared to other biometric authentication methods.
Advantages of Biometric Authentication:
- A quicker way of user authentication.
- Unlike other authentication methods, it is easier for the user, as no password or additional device is required as part of the authentication.
- Users do not lose biometrics, unlike authentication cards/keys.
Hence, this authentication method allows businesses to save resources and costs typically associated with having to support forgotten or reset password requests.
Disadvantages of Biometric Authentication:
- Requires integration with third-party systems.
- May require additional hardware.
- Cannot be reset if compromised.
Card Swipe Authentication
Card Swipe authentication involves a smart card, which contains an embedded microchip. The embedded microchip can be a memory chip to store identifying data or a processor chip to process the authentication information.
This chip can store multiple identification factors of a user, such as a password, biometrics, etc. When the user swipes the card into a smart card reader, the card executes authentication.
This method uses something you have (the card) as an authentication factor.
Government, corporate, and bank (credit/debit) cards are examples of this authentication. The embedded microchip in the respective cards stores the required information for the authentication.
For a corporate office, swiping the card is enough, while bank and government cards often require an additional PIN or OTP for advanced security.
Advantages of Smart Card Authentication:
- Reduces the risk of attackers stealing information that is stored on, or transmitted from, a computer.
- Information processed on the card never has to leave the card or be transmitted to another machine.
Disadvantages of Smart Card Authentication:
- The chip can store limited information; thus, the encryption options are limited too.
- Increased chance of data getting compromised due to smaller or shorter encryption keys.
- Can be stolen or lost.
2FA (Two-Factor Authentication) or MFA (Multi-Factor Authentication)
Two-factor or multi-factor authentication can be used as a step up and adaptive authentication to provide an additional security layer. Hence, it plays a critical role in the Digital Identity domain.
The next article will cover an in-depth analysis of this essential feature.