What is the definition of authentication? In its most basic form, it entails confirming that you are who you claim to be. Although this appears to be a simple problem, it has proven to be challenging to address in the digital era. The effectiveness of an authentication system is determined by two factors: security and usability.
Security and Usability in Authentication
The most obvious, and frequently discussed, issue is security. The effectiveness of the authentication mechanism in avoiding identity theft or illegal access comes down to this. A tight focus on security, on the other hand, can overlook the practicalities of utilising an authentication mechanism. Although a one-of-a-kind gadget implanted beneath a person’s skin would be a very secure authentication mechanism, it is not feasible.
Usability is just as vital as security in the real world. The costs of security failures are publicised in headlines about high-profile breaches, whereas the costs of usability problems are less visible. These costs show up at work in the form of lost productivity and help desk fees. When employees have a difficult time signing in to the apps they need to work on, they will either spend less time working and more time attempting to log in, putting a strain on the help desk, or they will discover a way around the login procedure, compromising the security that was put in place.
Methods of Authentication
Passwords
The password is the most used, yet one of the most vulnerable, authentication technique. A string of characters known to both the user and the service provider that is used to authenticate a user’s identity.
Security
These are infamously insecure from a security sense for two reasons. For starters, it’s a shared secret, which means it’s both stored (in the application’s database) and known by the user (often written down). Hashing requirements for password storage have helped to mitigate this to some extent. This still puts the onus on the user to remember their passwords (many users have over 100) and not record them anyplace where they can be stolen. Passwords, for obvious reasons, fail to meet the criterion of authentication, showing that you are you, because anyone with your password can impersonate you.
Usability
These aren’t really inconvenient on their own because they’re unlikely to necessitate help desk calls or impede productivity. However, because they are frequently used in conjunction with a password, they add another step for the user while providing no added security.
Push alerts on mobile devices
A message given to a user’s mobile device requesting them to select “yes” or “no” when attempting to access a specific resource.
Security
Because mobile push notifications demand the actual presence of a device, they are more safe than passwords or knowledge-based questions; yet, this method is still fraught with security flaws. Mobile push notifications are prone to security vulnerabilities on mobile devices, including SIM card hijacking, malware, and spyware.
Other security vulnerabilities include notification flooding attacks, which induce users to click “yes” so frequently that they don’t notice if the user is asking access in the first place.
Usability
Once set up, this is relatively simple because it only requires the user’s mobile device, which they already own. However, the requirement to always have a mobile device in hand when signing in on other devices, such as a desktop computer or laptop, causes some trouble.
Notifications via SMS on mobile phones
Sends a verification SMS message to the user, requesting a “yes” or “no” response.
Security
Through a man in the middle attack, these are relatively easy to spoof or compromise. These messages are not encrypted and can be intercepted because they are sent over a regular cell network.
Usability
Similar to mobile push notifications, they are quite simple for consumers to navigate without the assistance of a help desk, although they can create some difficulty due to the requirement that the user’s mobile device be available at all times.
One-Time Password with a Time Limit (OTP)
A password or PIN that is only good for one session. This method necessitates a computer-generated code that, depending on the configuration, changes every 30-60 seconds. The code is sent to the user via a mobile app, a hardware token, or an SMS message.
One-Time Passwords (OTPs) are commonly used in conjunction with passwords and are vulnerable to man-in-the-middle attacks since they are a shared secret, creating two attack avenues.
Usability
Given the requirement for additional gear and the short amount of time required to copy the one-time passcode from an external device to log in, they are fairly demanding for consumers.