When choosing between different authentication methods, businesses may have a myriad of choices, but striking the right balance between security, convenience and cost remains a fine art. As tempting as it may be to replace chunky passwords with a biometric option like fingerprints, it’s likely that this won’t provide the security and convenience expected.
Choosing an authentication method depends on the criticality of the information being protected and the expectations of users. As clunky as they are, passwords continue to remain as the most feasible option when only single factor authentication is required. When this is not enough, hard tokens/biometrics offer additional layers of protection for businesses that require two-factor or multi-factor authentication.
The “Something you know” Factor: Passwords
Security: The security of the password can vary between different implementations. Businesses can enforce strong passwords that are securely stored as a hash with a random salt (e.g. BCRYPT/HMAC with random sha2 – 128 bit salt) or they can simply accept “admin123” stored with minimal/no hashing.
Convenience: The more complex the password requirement, the more this can cause user inconvenience. If it is too difficult, it may scare new/returning users away. If it is too lax, it may also scare users away. The trade-off may be worth it if it prevents a breach that costs more to fix. Whilst the choice depends on individual business requirements, if the information doesn’t require a strong password to protect, why bother with a password at all?
Cost: Cheapest to implement compared to other factors of authentication. Potential investment may include skills, platform updates (to support strong password hashing) and user security awareness education.
The “Something you are” factor: Biometric
Security: As biometric recognition e.g. fingerprint, iris, voice, face etc. relies upon something that you are, it is something you cannot change. If that information is lost, then the victim remains vulnerable for life. Security researchers have already discovered ways to lift fingerprints from touch screens (and even photos) to successfully authenticate as the victim. The security of biometrics decreases over time as it becomes more widely deployed.
Convenience: When it works, it is very convenient. However, this does not work all the time and can result in user frustration. Bad implementations or wet, dirty or damaged fingers may lock users out of systems relying on fingerprint authentication. Noise/disturbance may reduce the success of voice recognition.
Cost: Will require specialist security skills and experience to implement. May also require additional user experience testing to assess impact of privacy concerns/false positives.
The “Something you have” factor: Tokens (Hard/Soft)
Security: These rely on users having something (e.g. a dongle/client certificate) to authenticate. This can be something they carry or ingest. This is relatively secure as long as the user doesn’t lose the item or get it stolen.
Convenience: As users will need to carry the token to access the application, this can be rather inconvenient. This is why soft tokens on smartphones are increasing in popularity (which although are less secure than hard tokens, is better than nothing).
Cost: Tokens expire/get lost and will need to be frequently topped up/replaced. Therefore, token replacement is an ongoing investment for businesses. Let alone the set-up.