By Keisha Mitchell
The Wild Wild Web
In many ways, the world wide web is still the wild wild west, and though work is being done every day to make the internet more secure for all, we must still be vigilant in making the internet secure for ourselves and our customers. Authentication tools that serve as fortresses and guardians for the vulnerable information we exchange are crucial infrastructure that can’t be overlooked when building our online homes. Websites and mobile applications in every sector use authentication (the process of verifying a user’s identity before granting access to data) because it’s our only means of trusting that people are who they say they are. And while it’s annoying every time we as users are taxed with creating yet another password, we’re inherently grateful that all of our personal effects aren’t as easily up for grabs in cyberspace.
This can and will be an ever-evolving task as technology continues to expand in innovation and consumption, but for now let’s walk through what authentication looks like as a provider and what those options mean at a fundamental level.
The Three Musketeers: All for one, or one for all
In the world of cyber security, there are myriad ways to secure something, but for the general public, there tend to be three basic ways we understand authentication:
PIN: personal identification based only on something you know, like a password or personal identification number.
Token: an electronic ‘key’ of sorts that stores personal information or grants access to an electronically restricted resource, like a bank card.
Biometrics: unique physical identifiers such as your fingerprints, your facial features, etc.
There are also three fundamental models consumers are offered for accessing their information (whether that’s social media profiles, bank statements, membership pages, etc.) when they’re ready. Those ways are:
Single-Factor/Primary Authentication
Two-Factor Authentication (2FA)
Multi-Factor Authentication (MFA)
Password Authentication Protocol (PAP)
These methods all serve one purpose: to keep your information, and the information of the people who trust you with it, safe. But each method takes a different approach to how that affects the user experience and the overall effectiveness of the security being provided. Some methods may serve you and the ones you serve better than others.
What, How and Why?
So when should you use which method, and what sets them apart? With security, more is always best, but sometimes it’s possible to achieve your goals with one centralized method of authentication or a single tool, rather than sending your data request through multiple means of verification. Companies like Auth0 are awesome at eliminating the need to code any authentication measure into the backend of your website or web app through their one-stop-shop, drag-and-drop authentication features. If you like coding, or want to build a feature completely from scratch, however, each of these methods is completely replicable with basic JavaScript.
Single-Factor/Primary Authentication
What is it?
Considered the easiest or simplest form of authentication, SFA/Primary authentication occurs when a person matches one credential to verify their identity online. It is the most widely used process online today.
How does it work?
The most relevant example of SFA/Primary authentication is the password. A user visits a site and, before they can be directed to another page, they must enter their chosen password.
Why do people use this?
As mentioned, this type of verification is so common because it’s the simplest for all parties involved, and it’s also the fastest. The drawback, of course, is that accounts are easily compromised if passwords are shared for any conceivable reason, and malware is skilled at attacking this method because of its prevalence.
Two-Factor Authentication (2FA)
What is it?
Regarded as an extra layer of verification, Two-Factor Authentication, or 2FA, is in use any time two authentication factors are required to gain access to a system or service.
How does it work?
This method is most commonly applied as a third-party app for service providers or as an extra step in a provider’s login portal. After a user enters their password, they are asked to retrieve (or are sent) a code (typically numeric) to enter within a given timeframe as a last barrier to access.
Why do people use this?
This is a natural evolution of the single-factor process. It provides a unique identifier that wouldn’t be readily available to bots or fraudsters, because the code is time-sensitive and is delivered to a previously registered private channel, such as a text message or email, that only the user would have immediate access to.
Multi-Factor Authentication (MFA)
What is it?
Extremely similar to (though not the same as) 2FA, Multi-Factor Authentication also requires several steps to verify a user’s identity. These steps further build on the idea of information only one person would be able to possess at a given moment, as opposed to something memorized, and tend to be a succession of small performance-based tasks.
How does it work?
This can look like a user entering their password, then being asked to go to their email to verify their address, and finally filling out a captcha before being able to go any further with their request.
Why do people use this?
Providers like to offer this type of verification when information is particularly sensitive (e.g., financial, medical, etc.). It relies on a tediousness that is often precise in acquiring data like cookies and location from users while they engage with the puzzles. Those specific types of requests are also a good litmus test for which requests originate from humans vs. bots.
While not exhaustive, this basic breakdown should help you understand why these methods exist and when you can best employ them. If you’re looking to learn more, or are ready to start shopping for solutions for verifying visitors on your site, click over to www.auth0.com today to learn more about your options and find a good place to start for your security needs.