How to deploy secure and convenient user authentication?


When choosing between different authentication methods, businesses may have a myriad of choices, but striking the right balance between security, convenience and cost remains a fine art. As tempting as it may be to replace chunky passwords with a biometric option like fingerprints, it’s likely that this won’t provide the security and convenience expected.

Choosing an authentication method depends on the criticality of the information being protected and the expectations of users. As clunky as they are, passwords continue to remain  as the most feasible option when only single factor authentication is required. When this is not enough, hard tokens/biometrics offer additional layers of protection for businesses that require two-factor or multi-factor authentication.

The “Something you know” Factor: Passwords

Security: The security of the password can vary between different implementations. Businesses can enforce strong passwords that are securely stored as a hash with a random salt (e.g. BCRYPT/HMAC with random sha2 – 128 bit salt) or they can simply accept “admin123” stored with minimal/no hashing.
Convenience: The more complex the password requirement, the more this can cause user inconvenience. If it is too difficult, it may scare new/returning users away. If it is too lax, it may also scare users away. The trade-off may be worth it if it prevents a breach that costs more to fix. Whilst the choice depends on individual business requirements, if the information doesn’t require a strong password to protect, why bother with a password at all?
Cost: Cheapest to implement compared to other factors of authentication. Potential investment may include skills, platform updates (to support strong password hashing) and user security awareness education.

The “Something you are” factor: Biometric

Security: As biometric recognition e.g. fingerprint, iris, voice, face etc. relies upon something that you are, it is something you cannot change. If that information is lost, then the victim remains vulnerable for life. Security researchers have already discovered ways to lift fingerprints from touch screens (and even photos) to successfully authenticate as the victim. The security of biometrics decreases over time as it becomes more widely deployed.
Convenience: When it works, it is very convenient. However, this does not work all the time and can result in user frustration. Bad implementations or wet, dirty or damaged fingers may lock users out of systems relying on fingerprint authentication. Noise/disturbance may reduce the success of voice recognition.
Cost: Will require specialist security skills and experience to implement. May also require additional user experience testing to assess impact of privacy concerns/false positives.

The “Something you have” factor: Tokens (Hard/Soft)

Security: These rely on users having something (e.g. a dongle/client certificate) to authenticate. This can be something they carry or ingest. This is relatively secure as long as the user doesn’t lose the item or get it stolen.

Convenience: As users will need to carry the token to access the application, this can be rather inconvenient. This is why soft tokens on smartphones are increasing in popularity (which although are less secure than hard tokens, is better than nothing).

Cost: Tokens expire/get lost and will need to be frequently topped up/replaced. Therefore, token replacement is an ongoing investment for businesses. Let alone the set-up.

Using your FitBit to login? Anything is possible


Did you know that each individual has a unique heartbeat? Researchers from the University of Toronto (Foteini Agrafioti and Karl Martin) have fitted a watch with an electrocardiogram (ECG) sensor to scan your heartbeat and compare it to a database of pre-recorded cardiac rhythms for a match. If successful, this can be used to authenticate the user for email, online banking etc. This is called Nymi, created in 2011 and has been successfully trialled by the Royal Bank of Canada and Halifax – Lloyds Banking Group. If this takes off, every smart watch may be used for user authentication (e.g. Fitbit)

The good: Seamless user experience, less reliance on passwords, works even during elevated heart-rate

The bad: False positives, man-in-the-middle attacks (from continuous authentication), competition against Apple Pay

The overall: Wearable technologies will disrupt the way in which we carry out our everyday tasks. Great competition in this area will hopefully result in a better overall experience for the end user.

For more reading: