Which are the authentication methods and which is the most effective?

Multi-Factor Authentication is now the most popular way to access accounts securely, but, as we know, there is a large number of authentication methods based on MFA.

At the base of all authentication methods, there is the more or less secure identification of the person who wants to access their account to use a service, but which method should we choose and which is the most secure?

As we will see, there is no single correct method: the choice depends solely on our needs, on the context, and on the balance between security and practicality, two properties that often pull in opposite directions.

Let's break down the various technologies behind these authentication methods so we can understand why all of them can work well when used for the correct purpose.

Consider, for example, a historical authentication method such as “login and password” and a more recent one such as the Italian “SPID”: we must remember that the two were born for completely different purposes.

The former is often used to access e-commerce sites (which often do not offer stronger authentication systems), while SPID or "EIC" (Electronic Identity Card) authentication is used where the owner must be identified, including for legal purposes.

Practicality and simplicity of registration are determining factors for the use of one authentication system over another: the more practical, the more people will tend to use it, except in cases where you are forced to use a specific method.

The important thing is to understand why we are forced to use one method over another and that not all methods guarantee the identity of the person who is requesting access to a service.

A long registration, which captures data, images of identity cards, and a visual interview with an operator to verify the identity, is time-consuming, but necessary if you want to use the identity for critical services such as banking.

Let's list some multi-factor authentication systems, starting with the most used MFA system, i.e. email, or rather the set of Login+Password+Email, and then moving on to other more popular systems.

  1. Login + Password + Email
  2. Login + Password + SMS
  3. Login + Password + TOTP Auth
  4. Login + Password + SPID Auth
  5. Login + Password + CIE
  6. Authentication with Digital Certificate (file)
  7. Authentication with Digital Certificate (Badge/Pendrive)
  8. Password-less systems
  9. Oplon 2FA Application

1. Login + Password + Email

This authentication method requires you to enter a username, password, and email address. All this information can be communicated to a family member or acquaintance and therefore does not uniquely identify the specific person who is logging in.

For this reason this authentication method is not considered strong authentication, but it can be useful where a group of people needs access to content that is neither confidential nor critical, so that a single account has to be managed. Not everyone is an IT technician, and managing multiple accounts is onerous in terms of password renewals, registration constraints, user deletion, and so on. These tasks are still necessary, but depending on the context they may apply to only one user in the organization. Note that by “organization” we do not refer only to enterprise companies but also to small and medium-sized businesses such as shops, laboratories or other companies that have to collaborate with large organizations and may not have an IT technician on staff. The important thing is to have flexible tools and to ensure that, when you activate this kind of authentication, you do it consciously.


STRONG AUTHENTICATION: NO ❌


PROS

  • Very easy to use
  • It doesn't require you to register apps or use employee-owned tools such as smartphones or tablets
  • Email is a commonly used tool


CONS

  • It's not a strong authentication
  • It needs a network connected to the Internet to read the e-mail (in some cases not available, such as if you operate outside Wi-Fi Internet coverage)

2. Login + Password + SMS

This type of multi-factor authentication has three critical issues:

First, a phone number must be provided at registration. Second, it cannot be considered strong authentication, because reading the SMS does not require biometric recognition on the device. The third issue is the cost of SMS delivery, which can be very significant.

But the biggest problem in adopting this method is that, at registration time, you have to disclose your smartphone number (often a personal one), and users are therefore not always willing to use it for business purposes.

Oplon has made this need for privacy a priority and eliminated the need to provide a phone number with our first release of Oplon 2FA.


STRONG AUTHENTICATION: NO ❌


PROS

  • Ease of use
  • Doesn't require app registration or use of employee-owned tools
  • The SMS is delivered to a SIM that is tied to a legal owner


CONS

  • Reading the SMS message does not necessarily require biometric recognition
  • It requires the registration of the phone number which could be a personal number and the user would therefore be hesitant to use it for work purposes
  • The phone number, if personal, is sensitive data
  • Costs on the part of the service provider that may be significant

3. Login + Password + TOTP Authenticators

TOTP (Time-based One-Time Password) authenticators are extremely popular and have caught on very quickly because they are very simple to use and allow access to multiple sites that adhere to the "standard". These authenticator apps are very convenient, as they do not necessarily require a Wi-Fi Internet connection and therefore work in all circumstances.

We at Oplon Networks have developed an app, Oplon Authenticator, which allows you to authenticate on sites that use multi-factor authentication with TOTP (e.g. Amazon, Microsoft, ...) in a simple, secure way and with maximum attention to your privacy. Furthermore, Oplon Authenticator allows you to store all your credentials in a safe with the highest levels of security (Credentials Management). The app does not require any registration or entry of personal data, it does not require an Internet or cloud connection, and you can download it for free from all digital stores:

App Store
Play Store

TOTP is considered strong authentication. The makers of smartphone apps have added the possibility of "exporting" authentication data and importing it into other smartphones for backup purposes. The result? Two or more smartphones can hold the same TOTP authentication codes at the same time, and therefore, as in the case of email, several people can “impersonate” the real owner of the identity.

This is a feature intended to spread the use of TOTP. At Oplon, in developing the TOTP Oplon Authenticator app (link to digital stores), we have adopted it as well, so that our app does not look like a limitation on use rather than a security feature.

In fact, we will implement in future versions the possibility of sharing only some authentications, making sharing as easy as possible. Why?

Imagine that you have access to an e-commerce site and you want to share this access with family members. If you protect your purchases with TOTP, you will not allow anyone else in, thus losing the chance to benefit from volume offers or reward points.

Therefore, because of how it has been implemented and how it has evolved over time, the use of TOTP must allow this possibility.


STRONG AUTHENTICATION: YES ✅


PROS

  • Outstanding ease of use
  • The app can contain multiple authentication sites, effectively becoming a safe in which to store your credentials
  • TOTP does not need an Internet connection, although some apps do require one. Registration is very simple and is usually implemented via a wizard (a guided procedure based on a QR code)


CONS

  • Requires the use of an App on the smartphone
  • Risk of credential theft if your smartphone is left unattended
  • Credentials must be backed up, because losing them would require days of work to restore operation (the reset procedure on some sites is really labor-intensive and takes a lot of time for each site/service involved)

4. Login + Password + SPID authentication

SPID authentication is one of Italy's technological excellences, as are the digital signature and electronic invoicing, which are only now appearing in other countries and are a point of reference for Europe.

Contrary to what Italians are usually led to think, Italy is among the most digitized nations in the world, continuing a thousand-year-old tradition of state organization that began with ancient Rome and its need to manage public finances. Now Europe is also starting to use these authentication systems, adopting the Electronic Identity Card (EIC) as a basis. Once again, we are among the most technologically advanced countries in the world when it comes to the digitalization of state services!

SPID authentication counts as strong authentication because of how the person is identified during registration.

The SPID approach is technologically sound, but its biggest obstacle is the practical difficulty encountered every time you have to authenticate with it: the procedure takes time and is often repeated during the day, which costs time and discourages use.

With the SPID app you can authenticate without a login or password.


STRONG AUTHENTICATION: YES ✅


PROS

  • Strong authentication
  • It has a legal implication on the operations carried out
  • It allows you to identify the owner of the identity with a good approximation
  • Allows data to be shared between multiple entities
  • Useful for managing relations with institutions


CONS

  • Requires in-person registration, which is time-consuming and technically demanding
  • Very complicated to use
  • It requires an App that must be installed and registered on your smartphone
  • Not suitable for authentications of daily work sessions that would become too demanding for users to bear
  • Difficult to apply outside the European context

5. Login + Password + EIC Authentication

The concept is the same as SPID, from which it draws inspiration, at least as an idea, but much simplified: you are required to always carry your identity card, and only the electronic version is issued at renewal. So, compared to SPID, obtaining it requires no additional bureaucratic time.

Another simplification compared to SPID lies in the single app, which for Italy is provided directly by the Ministry of the Interior, so you do not have to choose an operator, with the additional registrations and bureaucratic complexities that entails.

From a technical point of view, it has many features similar (but not the same) as SPID.

Easy level 3 registration makes the login- and password-less authentication system directly usable.

EIC authentication also has European value, as it is based on the electronic identity card, which has become uniform at the European level. (To be more specific, there is an electronic document with wider adherence at the international level, even outside Europe, than the electronic identity card: the electronic passport.)


STRONG AUTHENTICATION: YES ✅
PASSWORD-LESS AUTHENTICATION: Possible with level 3 registration APP ✅


PROS

  • Strong authentication
  • It has a legal implication on the operations carried out
  • It allows you to identify the owner of the identity with a good approximation
  • It is essential for one's identity and is issued by the municipality of residence
  • Allows data to be shared between multiple entities
  • It is very useful for managing relations with institutions
  • It is the single identity system at European level
  • The app is issued by a single authoritative manager (Italian Ministry of the Interior)


CONS

  • Its use is not very difficult, but it remains out of reach for some generations of users
  • It requires an App that must be installed and registered on your smartphone
  • It needs a network connected to the Internet and therefore cannot be used in some circumstances
  • It is not applicable outside the European context

6. Authentication with Digital Certificate (file)

Authentication with a client digital certificate in completely dematerialized form, i.e. a file, is a system that, from a technical point of view, provides a very strong barrier to entry with very low computational effort.

Its use is also very simple: once the user has received the file, for example by email, and the unlock code through another channel or another email, a double click installs it in the keychain of their notebook or smartphone, and it is ready for use by any browser or software that accesses the keychain.

From that moment on, if the service we connect to requires a certificate and the uploaded one is deemed valid, the service becomes usable.

It is a worldwide standard that underpins SSL (TLS) and is therefore always available to both users and services without the need to add anything on the client and server side.

From a technical security point of view, it guarantees high standards. From a functional security point of view, a little less. In fact, if access to your personal computer is not adequately protected, once the browser is launched the certificate remains available at all times, giving anyone who uses the device the opportunity to impersonate the legitimate owner.

In addition, the same certificate can be sent to third parties who can use it by pretending to be the owner of the certificate.

A further limitation is that, since the certificate is loaded into the keychain, accessing services from a third-party computer would require you to load the certificate onto that computer, with a very serious security problem if you forget to delete it.

The digital certificate also carries a very high burden of creation and distribution, and at large scale it requires specific tools to carry out bulk operations.

At Oplon, we produce a Certification Authority system that serves this purpose but does not change the time to execute the certificate header. In future versions of Oplon Secure Access we are developing a solution that allows you to use this useful tool in conjunction with MFA to provide a third factor of authentication in a "smarter" way, giving an integrated and easy-to-use system that further strengthens the security provided by multi-factor systems for critical services.


STRONG AUTHENTICATION: YES ✅


PROS

  • It is a standard and does not require client-side or server-side installations to be used
  • User friendly and easy to use on the service side
  • Easy to deploy
  • Cost-effective if used as an internal certification authority
  • It is very convenient for authenticating daily work sessions: once loaded, access is immediate and guaranteed


CONS

  • For large volumes, if not supported by smart tools, it is expensive to manage
  • Once loaded into the keychain, it remains available without further requests for user recognition
  • Certificates expire and must be periodically renewed and distributed

7. Authentication with Digital Certificate (Badge/Pen Drive)

A big difference between a file-based digital certificate and one on a badge or pen drive is certainly that the certificate cannot be duplicated. This is crucial for counting it among the strong authentication methods.

However, badge or pen drive media have complexities of use: you often need specific drivers that are not on your PC, operation is not always smooth and consistent, and it is not easy for the user to understand where the problem lies.

The situation has improved in recent years, but the effort to make this type of authentication work has given rise to new alternative forms of authentication.

Let's not forget that the EIC (Electronic Identity Card) and credit cards contain badge-type digital certificates, and their use, for example through smartphones, is greatly facilitated by now well-established standards such as NFC. However, using these tools on personal computers is still quite difficult.


STRONG AUTHENTICATION: YES ✅


PROS

  • On smartphones with MFA, it's easy to use
  • If the app used is "locked" to a single device, there is a one-to-one association between badge and smartphone (which ensures the user's ownership with 95% confidence)


CONS

  • They are physical media that must be distributed
  • They don't always work when they need to

8. Password-less systems

Passwordless systems eliminate the need for a password.

Until now, we have talked about login+password associated with another authentication factor; with a password-less system, on the other hand, no password is required anymore as the system offers a form of autonomous authentication.

An example of password-less authentication is EIC authentication at level 3, which does not even require a login.

The service presents a QR code that identifies the transaction; at this point it does not yet know who will be operating. The EIC ID app reads the QR code and, acting as a proxy, after receiving the level 3 certification from the owner and only after biometric unlocking, sends the approval to the service together with the operator's identity. A considerable simplification indeed!

The only downside to this approach is that the app must be connected to the Internet. Some might argue that the Internet is now everywhere, but unfortunately reality proves otherwise. Sometimes, for example in hospitals with basement offices, Wi-Fi connectivity is not always available, and users would be prevented from operating in these conditions.


STRONG AUTHENTICATION: YES ✅


PROS

  • Depends on the implementation


CONS

  • Depends on the implementation

9. Oplon 2FA Application

Oplon has produced a specific 2FA application to reconcile convenience with the identity of the operator. The Oplon 2FA app, available on the Play Store and App Store, in a simple but strict way, can be used on only one device at a time, unlocked through biometrics. Since it does not use notifications, it is completely independent of third-party providers. It works only with Oplon Secure Access authentication.

To ensure reliability and consistency, we had to reconcile ease of use, independence from other providers, and most external factors.

The application is available for free in all digital stores.

2FA - App Store
2FA - Play Store

STRONG AUTHENTICATION: YES ✅


PROS

  • Easy to install and register


CONS

  • You must use an app
  • Needs a network connected to the Internet (Wi-Fi or the mobile operator's data network)

Biometrics considerations

With biometric fingerprint recognition, a smartphone can be used by multiple people if a fingerprint that does not belong to the identity owner has previously been enrolled. In practice, it depends on who enrolls their fingerprints on the phone.

Therefore, if you want to rely on third parties to carry out procedures that require biometric recognition, you can do so even when biometrics are imposed as a condition, by having previously enrolled several fingerprints belonging to different people. The legal responsibility would still remain with the owner of the identity who, hopefully voluntarily, has associated the unlock fingerprints of several people with the device.

As for facial or voice recognition, there are now countless cases of it being defeated, and generative AI systems are becoming commonplace and will soon reach a large audience of users, potentially turning each of us into an attacker.

Use of smartphone notifications:

A common practice across multiple APPs is to use notifications to alert and "notify" events.

Here it depends on how the APPs were made.

In any case, tying an important transaction to the notification alone is fundamentally wrong. You bind yourself to an additional supplier which, by adding technology, can obviously introduce inefficiencies.

In conclusion

All the MFA systems described above as “strong” can give the certainty that no one uses a profile fraudulently without the authorization or complicity of the owner of the identity.

None of the systems described above, however, can give the service provider total certainty that the person claiming to operate is actually the one operating, because all systems can be circumvented with "hidden proxies" with the "complicity" of the legitimate owner, without prejudice to the legal responsibility for the operations carried out.

Oplon studies and researches alternative or improved solutions in its laboratories to guarantee users maximum security, aware that people are always kept up to date on the opportunities technology offers, but also that all the technologies proposed have limits that must be known in order to avoid mistakes, or rather to make as few mistakes as possible, in their use.