Authentication Methods & Examples
The anonymity that the internet provides can be a huge benefit in many instances but it can also make it extremely difficult to secure sensitive information. Since almost the dawn of the internet, online accounts have been secured with login IDs and passwords. At first, these login ID's were somewhat simple affairs, consisting of words, concepts, and ideas that were easy to remember. The simplicity of these early devices, however, made the accounts they protected extremely vulnerable. This gave rise to more complicated login IDs and passwords.
In spite of constant admonitions about creating strong passwords, however, according to Splashdata's annual list of the worst passwords culled from the dark web, users are simply disregarding this advice and sticking with what they know. In 2018, the two top passwords remained "password" and "123456," just as they have been for the last five years - and most of the last two decades.
User laziness is also only one reason for the decreasing security of login ID's and passwords. Numerous high profile data dumps have flooded the dark web with the login credentials of millions of unsuspecting victims. The diminished security of login credentials to verify a user's identity gave rise to the concept of multi-factor authentication.
What is Multifactor Authentication?
Multi-factor authentication uses a variety of means to authenticate the identity of the user. Multi-factor authentication is sometimes referred to as two-factor authentication but that is actually somewhat misleading. In many cases, one of the factors that are used to determine identity is also dependent on another factor, which actually makes it multi-factor authentication. In the past, multi-factor or two-factor authentication has been based on using one means of authentication from at least two of the following three categories:
Something you have: This can include either a device such as a smartphone, tablet or smartwatch or it can be something you have access to such as an email account or cell phone number.
Something you know: This includes your password and login ID, but it also includes answers to pre-arranged security questions or personal information such as the last 4 digits of your social security number, your address or your phone number.
Something you are: This generally includes some type of biometric scanning, such as facial recognition or thumbprint scanning but more recently it can also include behavioral biometrics like keystroke dynamics.
In recent years, a fourth factor has become more prevalent and that is where you are. Geolocation services allow websites to determine where a user is logging in from. So, if a user were to almost always log in from the southwestern United States and then suddenly log in from another country, it will generally trigger secondary security protocols.
How Authentication Works
For the most part, digital security systems use all four types of authentication factors, even though it may seem to the user they are only using one. For instance, users who have a smart device with biometric scanning capability may simply hold their phone in front of their face or use their thumbprint to gain access to a certain site or app. The system, however, confirms both the IP address of the device the person is using (something they have) as well as their geographical location (where they are). Even though the user isn't manually inputting their login credentials (something they know), they are entered automatically following a biometric scan (something they are). Even though the user themselves seems to only be using one type of verification (facial recognition or a thumbprint scan), they are actually using multiple forms of authentication.
When something changes, such as the IP address of the device a user is using or their geographical location, it triggers secondary or even tertiary protocols. In that case, the user may be directed to answer pre-arranged security questions or enter a code sent to a previously stored cell phone number or email address. In lieu of one item from each of the four types of authentication factors, the system requires two or more factors from each type of authentication, such as login credentials (something you know) and the answers to security questions (also something you know). In some cases, a user may be logging in from a laptop but still, have their smartphone handy. In that case, they may have a code sent to their cell phone. In that case, the system is still able to authenticate via something they have when the IP address they are trying to log in from isn't recognized.
Multi-factor authentication keeps non-authorized users from being able to login to an account using just login credentials and a password alone. While login credentials remain a cornerstone of online security, they are no longer rigorous enough on their own to maintain proper digital security.
Ready for the next step?
Provide your good customers with a sleek, speedy and secure login experience. Choose invisible device-based authentication or multifactor methods that adapt based on a perceived threat.
See More Resources