The state of digital user authentication today is undeniably messy. Many users rely on hundreds of authenticators, including passwords, biometrics and cryptographic keys, to have their digital identity verified by devices, applications, services and other digital entities. Adding to the authentication mess are misunderstandings and misconceptions about the pros and cons of each method.
Let’s take a look at the most common digital authentication methods and explore why combining methods using MFA helps achieve stronger authentication.
Knowledge-based factors
Knowledge-based authentication methods involve something the user knows, such as a password, passphrase or PIN.
Passwords are sequences of characters that only one person should know or be able to retrieve. Types of passwords include PINs — short numeric passwords — and passphrases — long phrase-style, multiword passwords. Pundits have proclaimed the impending death of passwords for a good 20 years because of their numerous weaknesses. While their use has begun to decline, passwords remain widely used.
Passwords deliver some important benefits. Most people are accustomed to passwords, so they require little or no training. Users who forget or lose their password can typically reset it rapidly and regain access regardless of where they are or what day or time it is. Plus, nearly every technology already supports password use, potentially making its use inexpensive and fast.
Passwords, however, do have their weaknesses. They can be guessed, cracked, phished and intercepted. Attackers can then use stolen passwords to launch attacks. Also, password management, including password creation, storage, retrieval and especially memorization, is often a burden for users and organizations.
While passwords still play a valuable role in digital authentication, they are frequently compromised, and many users dislike them.
Inherence-based factors
Inherence-based methods include user features, such as biometric or behavioral authentication.
Biometric characteristics, including fingerprints, facial recognition, iris scans and voice recognition, have become increasingly common. Most laptops, smartphones and other devices available today have added native support for reading these characteristics. Behavioral authentication involves analyzing keystrokes or mouse movements to identify users.
A widespread misconception about biometrics is that they are a much stronger form of authentication than passwords. As NIST’s Digital Identity Guidelines explain, the major drawback of biometrics is that they aren’t necessarily secret. A user’s face, fingerprints and other biometric characteristics are visible to others and can potentially be stolen or replicated. For some users, this also raises privacy concerns.
Biometrics and behavior-based factors are also susceptible to false positives and false negatives. While convenient, biometric authentication requires careful consideration of its pros and cons.
Possession-based factors
Possession-based methods are something the user has. Most involve cryptographic keys stored on a device. Once the system issues a challenge to an authentication request, the device uses the secret key to sign or decrypt it, proving its legitimacy.
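The challenge-response exchange described above, as an added example that is not part of the original article: the server issues a random nonce, the device signs it with a private key that never leaves the device, and the server checks the signature against the public key registered for that device. The choice of Ed25519, a 32-byte nonce and a per-challenge expiry are assumptions for the example; the single-use handling of challenges is what keeps an intercepted response from being replayed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
	"time"
)

// Server keeps the public key registered for each device and the
// challenges it has issued but not yet seen answered.
type Server struct {
	mu         sync.Mutex
	registered map[string]ed25519.PublicKey // device ID -> public key
	pending    map[string]time.Time         // hex(challenge) -> expiry
}

func NewServer() *Server {
	return &Server{
		registered: map[string]ed25519.PublicKey{},
		pending:    map[string]time.Time{},
	}
}

// Register stores a device's public key. The private key never leaves the device.
func (s *Server) Register(deviceID string, pub ed25519.PublicKey) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.registered[deviceID] = pub
}

// Challenge issues a fresh random 32-byte nonce that is valid for ttl.
func (s *Server) Challenge(ttl time.Duration) ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	s.pending[hex.EncodeToString(nonce)] = time.Now().Add(ttl)
	return nonce, nil
}

// Verify checks that sig is a valid signature over challenge by the key
// registered for deviceID. The challenge is consumed on first use, whether
// or not the signature checks out, so a captured response cannot be replayed.
func (s *Server) Verify(deviceID string, challenge, sig []byte) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	key := hex.EncodeToString(challenge)
	expiry, ok := s.pending[key]
	if !ok {
		return errors.New("unknown or already-used challenge")
	}
	delete(s.pending, key)
	if time.Now().After(expiry) {
		return errors.New("challenge expired")
	}
	pub, ok := s.registered[deviceID]
	if !ok {
		return errors.New("device not registered")
	}
	if !ed25519.Verify(pub, challenge, sig) {
		return errors.New("bad signature")
	}
	return nil
}

// Device holds the private key. A real authenticator keeps it in a secure
// element or TPM; here it is an in-memory value for illustration.
type Device struct {
	ID   string
	priv ed25519.PrivateKey
}

func NewDevice(id string) (*Device, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Device{ID: id, priv: priv}, pub, nil
}

// Answer signs the challenge with the device's private key.
func (d *Device) Answer(challenge []byte) []byte {
	return ed25519.Sign(d.priv, challenge)
}

func main() {
	srv := NewServer()
	dev, pub, _ := NewDevice("laptop-1")
	srv.Register(dev.ID, pub)
	ch, _ := srv.Challenge(time.Minute)
	fmt.Println("first answer:", srv.Verify(dev.ID, ch, dev.Answer(ch)))  // <nil>
	fmt.Println("replayed answer:", srv.Verify(dev.ID, ch, dev.Answer(ch))) // rejected
}
```

The same shape underlies passkeys and smart cards: what is proved is control of a key that was bound to the device at registration, and the server stores nothing an attacker could reuse as a credential.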
- One-time passwords verify users with a single-use, time-based code, often sent via text. While they offer stronger security than solely password-based authentication when used for MFA, they are susceptible to phishing, interception and user friction.
- Authenticator apps verify users’ identities using a mobile app that generates a time-based, one-time password or push approval notification. While safer than text-based one-time passwords, they introduce user friction and issues related to device loss, phishing and authentication fatigue.
- Hardware tokens authenticate users with a dedicated, tamper-resistant physical object, such as a key fob or USB token, that stores a cryptographic key. The device displays a code that changes frequently and is synchronized with a remote server. While resistant to credential theft and phishing, hardware tokens can be costly to issue, replace and manage, and they might introduce user friction and management challenges, for example, if a token is lost or stolen.
- Smart cards authenticate using a physical card with an embedded chip that stores a secret cryptographic key. Like hardware tokens, smart cards are resistant to credential theft or phishing, but can be costly and introduce user friction.
- Device-based authentication verifies users’ identities based on whether they are using a trusted, registered device, usually using a stored credential such as a device certificate, cryptographic key or secure token bound to the device. While generally user-friendly, it can be a security risk if attackers gain physical access to trusted devices.
- Passkeys use cryptographic key pairs to authenticate users. Users who want to use a passkey often receive a password first; after they have been authenticated once using a password, the OS on a device asks them if they would like to use a passkey instead of the password. This results in a secret cryptographic key being securely stored within the device. When users need to authenticate, they provide a PIN or biometric that unlocks access to that secret key, a second authentication factor.
The primary benefit of passkeys is that they provide passwordless authentication, greatly reducing the odds of successful phishing attacks. Even if an attacker steals a user’s device password, for example, the attacker would still have to gain unauthorized access to the device itself to use that password and access the key. Passkeys, however, are still relatively nascent and not universally supported across all systems. They also introduce privacy concerns and can be difficult to provision and manage.
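The time-based one-time passwords behind the authenticator apps and text-message codes listed above, as an added example that is not part of the original article. It implements RFC 6238 TOTP on top of RFC 4226 HOTP using only the Go standard library, with the 30-second step, six digits and SHA-1 defaults; the one-step clock-skew tolerance and the "never accept a time step twice" rule on the verifier side are design choices for the example. The sample secret is the 20-byte ASCII key from the RFC 6238 test vectors, so the codes it produces can be checked against the published values.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

const (
	Step   = 30 // seconds per time step (RFC 6238 default)
	Digits = 6  // code length
)

// hotp computes the RFC 4226 HOTP value for one counter value.
func hotp(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	// Dynamic truncation: the low nibble of the last byte selects a 4-byte window.
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < Digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", Digits, code%mod)
}

// TOTP is the authenticator-app side: the code for the time step containing t.
func TOTP(secret []byte, t time.Time) string {
	return hotp(secret, uint64(t.Unix())/Step)
}

// Verifier is the server side. It tolerates one step of clock skew in either
// direction and records the highest time step it has accepted, so a code that
// was intercepted is useless once the legitimate user (or the attacker) has
// used it, even though it is still inside its validity window.
type Verifier struct {
	secret   []byte
	lastStep uint64
}

func NewVerifier(secret []byte) *Verifier { return &Verifier{secret: secret} }

func (v *Verifier) Verify(code string, now time.Time) bool {
	step := int64(now.Unix()) / Step
	for _, delta := range []int64{0, -1, 1} {
		c := step + delta
		if c < 0 {
			continue
		}
		candidate := uint64(c)
		if candidate <= v.lastStep {
			continue // already consumed, or older than one we accepted
		}
		if subtle.ConstantTimeCompare([]byte(hotp(v.secret, candidate)), []byte(code)) == 1 {
			v.lastStep = candidate
			return true
		}
	}
	return false
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 test-vector key, not a real secret
	v := NewVerifier(secret)
	at := time.Unix(1234567890, 0)
	code := TOTP(secret, at)
	fmt.Println("code:", code)                  // 005924
	fmt.Println("accepted:", v.Verify(code, at)) // true
	fmt.Println("replay:", v.Verify(code, at))   // false
}
```

The replay check is the part most home-grown implementations omit: without it, a code phished from the user remains valid for the rest of its time window (plus the skew allowance), which is exactly the interception weakness the list above notes for one-time passwords.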
Adaptive authentication
Adaptive authentication, closely related to risk-based authentication, grants or denies users access based on a set of contextual factors, including IP address, user role, location, device, the sensitivity of the data being accessed and other risk signals. These context-based elements are the basis of the zero-trust security model. Using zero trust, organizations can set strict authentication requirements that enforce continuous, rigorous authentication rather than a single check at the security perimeter.
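A sketch of the decision logic such a policy engine applies to each request, as an added example that is not part of the original article. The signals mirror the ones named above (device, network, location, role, data sensitivity); the weights, thresholds and the three outcomes (allow, require a step-up factor, deny) are illustrative assumptions, and a real engine would tune them from observed fraud and feed them from a device inventory and IP reputation data rather than from the caller.

```go
package main

import "fmt"

// Decision is the outcome of evaluating one request.
type Decision int

const (
	Allow  Decision = iota // proceed with the factors already presented
	StepUp                 // demand an additional, stronger factor first
	Deny                   // refuse regardless of further factors
)

func (d Decision) String() string {
	return [...]string{"allow", "step-up", "deny"}[d]
}

// Context is what the policy engine knows about the request being evaluated.
// It is re-evaluated per request, not once at login.
type Context struct {
	DeviceRegistered   bool   // device is in the organization's inventory
	IPOnCorpNetwork    bool   // source address belongs to a known corporate range
	CountryMatchesUser bool   // geolocation agrees with the user's usual country
	ImpossibleTravel   bool   // too far from the last seen location for the elapsed time
	Role               string // e.g. "user" or "admin"
	DataSensitivity    int    // 0 public, 1 internal, 2 confidential, 3 restricted
}

// Score sums the risk signals. Weights are illustrative and would be tuned in practice.
func Score(c Context) int {
	score := 0
	if !c.DeviceRegistered {
		score += 30
	}
	if !c.IPOnCorpNetwork {
		score += 10
	}
	if !c.CountryMatchesUser {
		score += 20
	}
	if c.ImpossibleTravel {
		score += 50
	}
	if c.Role == "admin" {
		score += 15 // privileged accounts warrant stronger assurance
	}
	score += 10 * c.DataSensitivity
	return score
}

// Decide maps the score to an outcome. The thresholds are assumptions:
// anything at or above 70 is refused, 30 to 69 requires a step-up factor.
func Decide(c Context) Decision {
	switch s := Score(c); {
	case s >= 70:
		return Deny
	case s >= 30:
		return StepUp
	default:
		return Allow
	}
}

func main() {
	ctx := Context{DeviceRegistered: true, IPOnCorpNetwork: true, CountryMatchesUser: true, Role: "user", DataSensitivity: 1}
	fmt.Println("trusted laptop, internal data:", Decide(ctx)) // allow
	ctx.DeviceRegistered, ctx.IPOnCorpNetwork = false, false
	fmt.Println("unknown device off-network:", Decide(ctx)) // step-up
}
```

The point of the step-up outcome is that a request does not have to be binary: a low-risk request rides on the factors already presented, and a riskier one is asked for a phishing-resistant factor before it proceeds, which is how adaptive policies and MFA fit together.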
One factor isn’t enough; organizations need MFA
It is not recommended to use any single knowledge-based, inherence-based or possession-based authentication factor as the sole verification method. Using MFA adds layers of security, reducing the risk of account compromise.
For example, an application might require users to verify themselves first using a username and password, then send a push notification to an authenticator app for a second factor — knowledge and possession. Or users might sign onto their trusted laptops using facial recognition — possession and inherence.
MFA is not immune to issues, however. User friction, operational and integration complexity, and management issues are common. Certain forms of MFA are also susceptible to phishing and MFA-related attacks, such as push bombing and SIM swapping. This is why phishing-resistant MFA methods, such as those listed above that use cryptographic methods, are recommended.
Karen Kent is the co-founder of Trusted Cyber Annex. She provides cybersecurity research and publication services to organizations and was formerly a senior computer scientist for NIST.
