Mobile apps, whether for business or personal use, are an integral part of our lives. More and more of us enjoy being able to reach the services they offer from any device, at any time; banking applications, through which we want unrestricted access to our money, are a good illustration of this.
As users of these applications we pay little attention to the authentication technologies that secure what we do. Yet they are what stops a malicious person from impersonating us (and, in the case of a banking app, emptying our account).
These authentication technologies verify the identity of a person who wants to sign in to a service or carry out a transaction. They have evolved considerably in recent years: they are harder to compromise than traditional password-only methods, and they simplify the mobile user's experience, because they are less intrusive and are built into the user's devices (tablet, smartphone, smartwatch) and/or apps.
They take the form of hardware tokens or soft tokens, QR codes or biometric methods, and they can be combined with one another (this is called strong or multi-factor authentication) for even more security.
In this article, we offer a brief overview of these newer authentication methods.
Different authentication methods
Authentication methods fall into 3 categories, according to the kind of proof they rely on:
What we know: password, security question, name, PIN code…
What we have: token, One Time Password (OTP) generator, authentication badge, smart card…
What we are: fingerprint, iris, face, DNA… (what is called biometrics)
The first approach, the traditional one, carries significant risk because it is easily compromised (passwords are guessed, reused, phished or leaked). The second, used in particular by banks, offers greater security at some cost in convenience for the user (codes can be lost, or fail to arrive in time during a transaction). The appeal of the third, biometrics, is that the user himself becomes the authentication element, which simplifies the process.
Tokens: a short period of validity
A token runs an algorithm that generates one-time, short-lived passwords (typically valid for 30 to 60 seconds, at most a minute or two). The generator and the server share a secret and stay synchronized, by time or by an event counter, so that both compute the same code for the same step. The generator may be a dedicated device, a USB key or a smart card that passes the code to the reader by contact. Because each code is valid so briefly, a code that is intercepted is of little use after the fact; note, however, that this does not defeat an attacker who relays the code in real time, since the code proves possession of the generator, not the legitimacy of the session in which it is entered. There are also "soft tokens" ("soft" for "software"), generated by an application on the user's phone, as opposed to hardware tokens of the RSA SecurID kind, which come as small physical devices.
Biometric authentication: no need for the password!
Biometrics is gaining popularity because it authenticates a person without a password, from the person's own characteristics: nothing is simpler than unlocking a smartphone with a fingerprint, as Apple's Touch ID sensor, for example, already allows!
There are 3 different kinds of methods based on biometrics:
- Biological analysis (smell, blood, saliva, DNA …);
- Behavioral analysis (each person has a unique way of signing, using a computer keyboard or moving a finger on the screen of a smartphone, walking …);
- And morphological analysis (fingerprint, iris analysis, facial or voice recognition, hand shape …)
To be usable for authentication, the characteristic collected must be:
Universal (present in everyone),
Unique (that is, it indisputably distinguishes 2 individuals),
Permanent (its evolution over time does not affect authentication),
Measurable (so that it can be captured and compared over time).
Some biometric methods are more reliable than others: morphological traits, for example, change less than behavioral ones (which stress, among other things, can affect). But no method is without flaws: a few years ago a veteran hacker showed that Angela Merkel's iris could be reproduced from high-resolution photographs! One further point to keep in mind: unlike a password, a compromised biometric cannot be changed, so the stored template must be protected with particular care.
Authentication by QR codes: one-time images that stand in for typing a password
Here a user who opens a web portal or an application authenticates by scanning, with his smartphone, a QR code displayed on the screen. The QR code carries a one-time challenge, in effect an OTP tied to that login attempt; the phone, which has already been enrolled, answers it and the session is granted secure access to the portal or application. Combining the token with a QR code thus spares the user from reading and typing one-time passwords by hand. For this to be safe the code must be short-lived and bound to the session that displayed it.
Strong or multi-factor authentication: several checks are better than one!
Strong authentication, also known as two-factor authentication (2FA), or multi-factor authentication (MFA), is a procedure that combines several authentication methods from different categories to verify the user's identity: for example, something the user knows (a password) with something he has (a smartphone) or something he is (a fingerprint). Two proofs from the same category, say two passwords, do not count as a second factor.
This double (or multiple) check, particularly valued in critical sectors such as banking, complicates the attacker's task: even if he clears the first hurdle (the password), he is not at the end of his troubles.
Special case of strong authentication: the enrollment of a mobile terminal
Enrollment registers a device in the list of approved devices for an application. When a user registers his device (during the enrollment procedure), he is authenticated, and content and applications are then made available to that device according to the restrictions attached to his profile.
Enrollment is done once and proceeds in several stages, for example:
The user initiates the addition of his mobile device by signing in with his login and password to the application (or, in some cases, to a web portal). Once the credentials are verified, the application sends the server a unique identifier for the device, which the server associates with the login.
The server then generates a secret and sends it to the user over a separate, out-of-band channel (mail, SMS). This may be a QR code to scan with the mobile device, or a code to type in, to activate the application.
From then on the application can serve as a trusted base for producing the OTP codes with which the user authenticates to access further services. The strength of this approach lies in the fact that, once enrollment is complete, the secret itself never travels over the network again: only short-lived codes derived from it do, and the password is no longer the only thing standing between an attacker and the account.
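The token mechanism from the tokens section above and the enrollment stages just listed, put together in working code as an added example (this is not code from the original article, nor from any particular product). It implements HOTP (RFC 4226) and TOTP (RFC 6238) directly, and a constructed in-memory AuthServer with a first factor (salted PBKDF2 password check), an enrollment that binds a fresh per-device secret to the (login, device identifier) pair and hands it back as an otpauth:// URI of the kind authenticator apps read from a QR code, and a verifier that accepts one time step of clock drift and refuses any step it has already accepted. The issuer name, user, device identifier and timestamps are invented for illustration.

```python
"""Added example: TOTP (RFC 6238 over RFC 4226 HOTP) plus a minimal device-enrollment
flow.  Not code from the original article or any product; the AuthServer, issuer
name, user, device identifier and timestamps are constructed for illustration."""
import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import parse_qs, quote

TIME_STEP = 30           # seconds per TOTP step (RFC 6238 default)
DIGITS = 6
WINDOW = 1               # accept one step of clock drift on either side
ISSUER = "ExampleBank"   # hypothetical issuer shown by the authenticator app


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 of the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = TIME_STEP) -> str:
    """RFC 6238: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(secret, at // step)


def verify_totp(secret: bytes, code: str, at: int, last_counter: int):
    """Return the time step the code matches, or None.  Steps at or before
    last_counter are refused, so a code captured once cannot be replayed."""
    base = at // TIME_STEP
    for counter in range(base - WINDOW, base + WINDOW + 1):
        if counter > last_counter and hmac.compare_digest(hotp(secret, counter), code):
            return counter
    return None


def secret_from_uri(uri: str) -> bytes:
    """What the authenticator app does after scanning the QR code: extract the secret."""
    params = parse_qs(uri.split("?", 1)[1])
    return base64.b32decode(params["secret"][0])


class AuthServer:
    """Constructed in-memory stand-in for the application server."""

    def __init__(self) -> None:
        self.users = {}     # login -> (salt, password hash)
        self.pending = {}   # (login, device_id) -> secret awaiting confirmation
        self.devices = {}   # (login, device_id) -> {"secret": bytes, "last_counter": int}

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register_user(self, login: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[login] = (salt, self._hash(password, salt))

    def check_password(self, login: str, password: str) -> bool:
        if login not in self.users:
            return False
        salt, stored = self.users[login]
        return hmac.compare_digest(self._hash(password, salt), stored)

    def begin_enrollment(self, login: str, password: str, device_id: str):
        """Stage 1: check the first factor, then bind a fresh secret to (login, device).
        Returns the payload to deliver out of band (as a QR code or by mail), or None."""
        if not self.check_password(login, password):
            return None
        secret = secrets.token_bytes(20)
        self.pending[(login, device_id)] = secret
        label = quote(f"{ISSUER}:{login}", safe="")
        return (f"otpauth://totp/{label}?secret={base64.b32encode(secret).decode()}"
                f"&issuer={ISSUER}&digits={DIGITS}&period={TIME_STEP}")

    def confirm_enrollment(self, login: str, device_id: str, code: str, now: int) -> bool:
        """Stage 2: the device proves it holds the secret by submitting one valid code."""
        secret = self.pending.get((login, device_id))
        if secret is None:
            return False
        counter = verify_totp(secret, code, now, last_counter=-1)
        if counter is None:
            return False
        del self.pending[(login, device_id)]
        self.devices[(login, device_id)] = {"secret": secret, "last_counter": counter}
        return True

    def verify_otp(self, login: str, device_id: str, code: str, now: int) -> bool:
        """Stage 3: routine sign-in from the enrolled device.  The secret itself never
        crosses the network again; only codes derived from it do."""
        dev = self.devices.get((login, device_id))
        if dev is None:
            return False
        counter = verify_totp(dev["secret"], code, now, dev["last_counter"])
        if counter is None:
            return False
        dev["last_counter"] = counter   # each time step is accepted at most once
        return True
```

To try it, create an AuthServer, call register_user, then begin_enrollment with the correct password and a device identifier; feed the returned URI to secret_from_uri (standing in for the phone scanning the QR code), compute totp(secret, now) and pass it to confirm_enrollment; afterwards verify_otp accepts a fresh code for a later time step and rejects the same code a second time. The RFC 6238 reference vector (ASCII secret 12345678901234567890, T=59 gives 287082) can be used to check the arithmetic.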
The current trend in authentication, then, is to multiply the layers of defense to minimize risk, without harming the user experience. Mobile users want to reach their information anytime and anywhere, and they are just as demanding about authentication: any innovative, unobtrusive and easy-to-use method proposed to them will win them over immediately. Conversely, let us not forget that in a purchase funnel (where authentication is a mandatory and particularly sensitive step), the heavier the security procedure, the greater the risk that the basket is abandoned.
Article By Nancy Lamas