From passwords to tokens to biometrics

Whenever you access an online service via a website, such as web banking, that website has to make sure that the user requesting access is the rightful owner of the account. This process is called authentication. Traditionally, this process used a username and password to verify users’ identity.

Unfortunately, passwords alone have not proven to be very reliable, so this way of authentication needed to be strengthened with other means. Developers and technology experts have searched for new elements to increase the security level of the process. This is why nowadays we speak of two-factor authentication or multi-factor authentication and we use a combinations of Passwords, PINs, pass codes, username, OTPs, tokens, even our fingerprints, face or voice to identify ourselves in online.

What is multi-factor authentication?

As the name suggests it, it relies on multiple factors to authenticate users. These factors are classified into three main categories of information:

  • Something that you know: this category includes those pieces of information that you are the only one to know. PINs, pass codes, passwords, specific answers to security questions (type: “What is your pet’s name?”) are all part of this category. You usually set up them during your account creation or identification process. Then, every time you request access, you must insert them and the system checks if they match with your previously shared information.
  • Something that you have: this category refers to those hard devices that you received when you first registered for an online service. We are here referring to tokens, smartcards, signing sticks etc. They are used to generate a one-time password (OTP) that you insert into the system, usually along with your username or password. These hard devices are now materialized in dedicated mobile apps which are able to generate OTPs directly on your smartphone.
  • Something that you are: you might be tempted to think that this category includes only those physical traits that do not change over time such as your fingerprints, retinas, face, and your voice. Nonetheless, it also includes some of your behavioural patterns, for example, how fast you type, how you usually scroll on the screen etc.

Multi-factor authentication is activated when elements of at least two different categories are combined: for instance, a password with an OTP, an OTP sent via SMS with your fingerprint. If a PIN code is combined with a password, then they do not constitute a multi-factor authentication method since they are part from the same category.

Is multi-factor authentication really enough to protect you?

Imagine your bank account is your house. You may have some fences to protect it. Every time you leave, you lock the doors and windows. You may even install an alarm system. In a nutshell, you take different security measures to give thieves a hard time breaking and entering, enough to deter them or alert the authorities. Multi-factor authentication works like this. It creates various barriers which make it very hard for someone to get access to your online assets. Even if a mischievous person manages to by-pass the first one, s/he will need a second (or a third) element in a very tight timeframe to complete an authentication.

Multi-factor authentication is one of the most secure methods currently available in the market. Of course, there are some ongoing debates about the reliability of certain factors such as FaceID or TouchID, but the decisive factor in maintaining the right level of online protection remains the human behaviour and care. So, pay close attention to your hard devices and mobile phone and do not share your secret passwords with anyone, not even your family members. Analyse with a critical eye every email or SMS that you receive and become suspicious of anyone asking you to share your personal data and especially your passwords.

Not so long ago, we have put together a series of basic recommendations on how to protect your online identity and assets. Go and have a look here and here!