There are currently a fair number of methods for double authentication (two-factor authentication). Are these methods helping companies reach their security goals? How do you choose the best method? Can biometrics help achieve your goals?
Two-factor authentication is a security process in which the user provides two means of identification from separate categories of credentials; one is typically a physical token, such as a card, and the other is typically something memorized, such as a password.
Some examples of standard two-factor authentication are:
- SMS Verification: when using your banking app (whether on phone or web), you may receive an SMS after logging into your account with your password; it includes a one-time-use code that validates further transactions. This method is convenient as most people have a mobile phone, but if you don’t have coverage you will not receive the message.
- Google Authenticator/App-Generated Codes: Some apps can generate temporary codes. The most popular example is Google Authenticator, which Google makes for Android and iPhone. Install the app, scan the code when setting up a new account, and the app will generate new codes every 30 seconds or so. You’ll have to enter the current code displayed in the app on your phone as well as your password when you log into an account. Authy also does a very good job of this, complete with encrypted backups of your codes that make it easier to move between phones. This method is good because there is no need for signal or Internet access, but it is not as intuitive as receiving an SMS.
- Physical Authentication Keys: This is just a small USB device you put on your keychain. Physical U2F tokens already exist to secure your Google, Dropbox, and GitHub accounts. Whenever you want to log into your account from a new computer, you’ll have to insert the USB key and press a button on it, without the need to type codes. These devices should work with NFC and Bluetooth in the future for communicating with mobile devices that have no USB port.
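The app-generated codes described above follow the TOTP scheme (RFC 6238, built on the RFC 4226 HOTP construction): the app and the server share a secret, and the code is an HMAC over the current 30-second time step. The Python below is an added example, not code from the original article nor from Google Authenticator or Authy; the secret is the RFCs' published test key, and the `TotpVerifier` class, its drift window and its replay check are this example's own assumed design for the server side.

```python
import base64
import hashlib
import hmac
import struct

TIME_STEP = 30  # seconds per code, as described for Google Authenticator
DIGITS = 6

# Constructed demo secret: the RFC 4226/6238 test key "12345678901234567890",
# base32-encoded the way it would be carried in the code the app scans.
# It is a published test vector, not a real credential.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step)."""
    secret = base64.b32decode(secret_b32, casefold=True)
    return hotp(secret, unix_time // step)


class TotpVerifier:
    """Server-side check (hypothetical helper, not from any real product): accept
    the current time step and one neighbour either side for clock drift, and reject
    a code once its step has been used, so an intercepted code cannot be replayed."""

    def __init__(self, secret_b32: str, window: int = 1, step: int = TIME_STEP):
        self.secret_b32 = secret_b32
        self.window = window
        self.step = step
        self.last_used_step = -1  # highest time step already accepted

    def verify(self, candidate: str, unix_time: int) -> bool:
        current = unix_time // self.step
        for delta in range(-self.window, self.window + 1):
            step_n = current + delta
            if step_n < 0:
                continue
            expected = totp(self.secret_b32, step_n * self.step, self.step)
            if hmac.compare_digest(expected, candidate):
                if step_n <= self.last_used_step:
                    return False  # replay: a code for this step was already spent
                self.last_used_step = step_n
                return True
        return False
```

Generating the code is the easy half; the one-time property the article relies on only holds if the verifier remembers which time steps it has already accepted.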
Why Do We Need Double Authentication?
The idea is to set up a more secure verification of the user’s identity. This goal should be put into perspective. When Apple launched Touch ID on iPhone 5, the system was shown to be flawed: it could be bypassed by photographing a fingerprint left on a glass surface and transferring it onto a thin film, which then unlocked the phone. However, Apple’s primary reason for introducing Touch ID was in fact ease of use more than security. So, the reason leading a company to choose an authentication method should be clear in order to measure its success.
What Are the Downfalls of Current Methods?
Currently, solutions with physical tokens work better than SMS verification and one-time-use codes because they can’t be intercepted and tampered with. They are also simpler and more convenient to use. However, the tokens can be lost, and there is still the possibility of someone intercepting the communication.
Is There Any Other Method That Could Work Better?
There is a recent trend in authentication to use more and more biometrics. This trend has arisen due to the drop in cost and the improvement of technology, making it much more accessible and mainstream. Biometrics is the measurement and statistical analysis of people’s physical and behavioral characteristics. When used for authentication, the idea is that everyone is unique and an individual can be identified by their intrinsic physical or behavioral traits such as fingerprints, hand geometry, earlobe geometry, retina and iris patterns, voice waves, keystroke dynamics, DNA, etc.
The University of Washington recently published a very insightful study. They have devised a way to send secure passwords through the human body — using benign, low-frequency transmissions generated by fingerprint sensors and touchpads on consumer devices. UW engineers used a smartphone to send a secure password through the human body and open a door with an electronic smart lock. These “on body” transmissions employ low-frequency signals generated by the phone’s fingerprint sensor.
Lloyds Banking Group also prototyped a solution using heartbeat authentication to prove a user’s identity, ideated in collaboration with DMI.
Would Biometric Authentication Be Applicable to Your Customers?
Here’s how you find out which authentication method makes the most sense for your company:
Step 1: Identify what your goals are
Step 2: List the different methods that could help you achieve your goals
Step 3: Assess the cost of implementing each method against the value it adds
Step 4: Test your favored methods with your users and get their feedback
Step 5: Implement
Agathe Caffier, Senior Counsel, International Operations and Privacy Specialist