Which authentication method(s) should your app use, and which must you avoid

May 22, 2019
5 minutes read
Category: Security
Author: The IPification Team

According to research by Statista, the average smartphone user spends more than 5 hours per day on the device: communicating, streaming video, listening to music, playing games, and making online transactions.

With almost 5 billion people using smartphones daily, OTT players, service providers and application developers face a major challenge: securing the identity and personal data of their users.

To do so, they rely on different authentication methods. Some have been around for decades and are very much obsolete, although still in use; others are emerging, bringing improvements but also new sets of challenges.

So how should a service provider choose? Can it rely on only one method, or does it have to combine several into an MFA solution?

Watch the video in which Harry Cheung, IPification Founder and President, and Stefan Kostić, IPification CEO, explain the strengths and weaknesses of the most prominent authentication methods of the past, present and future.

Email and password combination

Passwords have been used since ancient times as a simple way to protect information, and for over 50 years we have used them to access computers, IT systems, devices and online services.

Passwords as we know them today were introduced on MIT's Compatible Time-Sharing System (CTSS) in the early 1960s, and the system's password file was compromised only about a year later, making passwords insecure from the very beginning.

And that hasn't changed since. We have been pushed to use stronger, unique passwords, not to reuse them, and to change them frequently (a practice NIST SP 800-63B has since stopped recommending, because forced rotation pushes people towards predictable variants), but the email-and-password combination remains insecure.

Most passwords in use today are simple and predictable, too often built from information that is easy to gather through social engineering or public profiles. Even worse, devices still ship with defaults like "admin" and "password"; California's SB-327 bans such default passwords on connected devices sold from 2020, because default credentials are exactly what lets malware that scans for them spread so quickly.

This is why many service providers are moving away from passwords. Many organizations expect to go passwordless soon, and PSD2's Strong Customer Authentication requirement (two of knowledge, possession and inherence) may spell the end of the password as a sole factor.

SMS two-factor authentication

Two-factor authentication via SMS is an outdated method with poor security, privacy and user experience. It was long considered an enhanced security method, but that is no longer the case: NIST SP 800-63B classes out-of-band verification over the public telephone network as "restricted".

Aside from the fact that the SMS you requested often never arrives, an SMS OTP can be compromised in transit. Every message and call is routed through Signalling System No. 7 (SS7), the set of protocols that telephone networks use to exchange the information needed to pass calls and text messages between each other and to bill correctly.

Once an attacker has access to SS7, they gain much of the same visibility and capability that network operators (and the security services those operators cooperate with) have. Messages carrying one-time passwords can be intercepted and rerouted, and the OTP used to log in as the user and take over the account, as happened to Reddit in 2018, when attackers intercepted SMS-based 2FA codes for several employee accounts. Simpler still, SIM-swap fraud (talking the operator's customer service into porting the victim's number to an attacker-controlled SIM) needs no SS7 access at all.

Also, this method requires users to hand over their phone number, which is already more personal data than many want to share and is easily abused, as Facebook showed by using numbers supplied for 2FA for advertising and profile lookups.

Third-party Authentication Applications

Another option is to use third-party authenticator applications, and there is no shortage of them.

For access to its own services, Google relies on its Authenticator app, which implements two-step verification with time-based one-time passwords (TOTP, RFC 6238). Microsoft, Zoho and others have similar apps. Most services going in this direction do not build their own app; because TOTP is a standard, they simply issue a shared secret that the user can enroll in any compatible app, including password managers such as LastPass and 1Password that offer TOTP alongside password management.

These apps provide good security only as long as the user still holds the enrolled device, and the codes can be phished in real time: a fake login page that relays the code to the real site within its 30-second validity window defeats them. On the user experience side, they are poor. Users must switch to the authenticator app to read the code, then come back to enter it, so many will not bother and will settle for weaker settings.
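To make the "time-based one-time password" mechanism concrete, here is an added example (not code from the original article or from IPification) implementing RFC 4226 HOTP and RFC 6238 TOTP with the Python standard library, which is exactly what authenticator apps compute. The key RFC_SECRET is the published RFC test-vector key; the replay guard via last_counter is a server-side check this editor added, not something the RFCs mandate.

```python
# Added example, not IPification code: RFC 4226 HOTP and RFC 6238 TOTP, the
# scheme implemented by Google Authenticator and compatible apps. Standard
# library only. RFC_SECRET is the published RFC test-vector key.
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to floor(unix_time / step)."""
    now = time.time() if at is None else at
    return hotp(secret, int(now // step), digits)


def verify_totp(secret: bytes, code: str, at=None, step: int = 30,
                window: int = 1, digits: int = 6, last_counter: int = -1):
    """Return the time step whose code matched, or None.

    `window` steps either side of now are accepted to tolerate clock skew
    between phone and server. `last_counter` is the highest step already
    accepted for this user (persist the returned value); steps at or below it
    are refused, so a code that was phished or shoulder-surfed cannot be
    replayed while it is still inside the window.
    """
    now = time.time() if at is None else at
    counter = int(now // step)
    submitted = code.strip().encode()
    matched = None
    for c in range(counter - window, counter + window + 1):
        # Constant-time compare and no early return, so timing does not leak
        # which candidate step (if any) matched.
        if c > last_counter and hmac.compare_digest(hotp(secret, c, digits).encode(), submitted):
            matched = c
    return matched


def decode_base32_secret(b32: str) -> bytes:
    """Authenticator apps receive the shared secret as (often unpadded) base32
    in an otpauth:// URI or QR code; re-pad before decoding."""
    s = b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


RFC_SECRET = b"12345678901234567890"  # test-vector key from RFC 4226 / RFC 6238

if __name__ == "__main__":
    print("code now:", totp(RFC_SECRET))
    print("RFC 6238 vector, T=59:", totp(RFC_SECRET, at=59, digits=8))  # 94287082
```

Note that nothing in the algorithm binds the code to the site it is entered on: the server can only check that the six digits are right for its secret and the current step, which is why the relay-phishing caveat above holds even with a perfect implementation.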

Header Enrichment

Authentication based on header enrichment, the process in which a mobile operator's gateway adds data to the HTTP request headers, is insecure, but it is still widely used because it offers an excellent user experience. For mobile networks and user authentication, the gateway inserts identifiers for both the subscriber and the device, such as the IMEI, IMSI or MSISDN, into the now enriched HTTP header, so the service recognises the user without any interaction.

The flow is very smooth, but because it relies on plaintext HTTP, the identifiers in the header are readable by anyone on the path, and the method is open to man-in-the-middle tampering. Unless the service also verifies that the request really arrived from the operator's gateway, any client can spoof the same header itself. It fails on the security side of things.

That makes every other feature of an app relying on it insecure. Just imagine an m-banking app using it for authentication and a successful attack! Fortunately for users, both Apple (App Transport Security) and Google (cleartext traffic blocked by default since Android 9) are pushing apps off plaintext HTTP.
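The following added example (not code from the original article or from IPification) shows why an enriched identifier is only as trustworthy as the path the request took. The header name X-MSISDN, the gateway address range and the sample requests are constructed assumptions for illustration; the point generalises to any identity carried in a request header.

```python
# Added example, not IPification code: a header-enriched identifier is only as
# trustworthy as the path the request took. The header name X-MSISDN and the
# gateway address range are assumptions for illustration; the requests below
# are constructed sample data.
import ipaddress
from typing import Mapping, Optional

# Assumption: the operator's enrichment gateway reaches us from this range (an
# RFC 5737 documentation prefix) and strips any X-MSISDN the handset itself sent.
TRUSTED_GATEWAYS = [ipaddress.ip_network("198.51.100.0/24")]


def msisdn_insecure(headers: Mapping[str, str]) -> Optional[str]:
    """Vulnerable: believes whatever X-MSISDN arrived. Over plaintext HTTP anyone
    on the path can read or rewrite it, and any client can simply set it."""
    return headers.get("X-MSISDN")


def msisdn_hardened(headers: Mapping[str, str], peer_addr: str, tls: bool) -> Optional[str]:
    """Accept the enriched header only when the request reached us over TLS
    directly from the operator gateway (judged by the TCP peer address, never a
    client-supplied X-Forwarded-For) and the value looks like an E.164 number.
    This closes spoofing from the open internet and tampering on the gateway-
    to-service hop; the handset-to-gateway hop stays plaintext by design."""
    if not tls:
        return None
    try:
        addr = ipaddress.ip_address(peer_addr)
    except ValueError:
        return None
    if not any(addr in net for net in TRUSTED_GATEWAYS):
        return None
    value = headers.get("X-MSISDN", "")
    if not (value.isascii() and value.isdigit() and 8 <= len(value) <= 15):
        return None
    return value


# Constructed requests: the same header arriving over three different paths.
FROM_GATEWAY = {"headers": {"X-MSISDN": "15555550123"}, "peer": "198.51.100.7", "tls": True}
FROM_INTERNET = {"headers": {"X-MSISDN": "15555550123"}, "peer": "203.0.113.9", "tls": True}
FROM_GATEWAY_PLAIN = {"headers": {"X-MSISDN": "15555550123"}, "peer": "198.51.100.7", "tls": False}


def demo():
    """Return {name: (insecure_result, hardened_result)} for the sample requests."""
    out = {}
    for name, req in (("gateway", FROM_GATEWAY), ("internet", FROM_INTERNET),
                      ("gateway_plain", FROM_GATEWAY_PLAIN)):
        out[name] = (msisdn_insecure(req["headers"]),
                     msisdn_hardened(req["headers"], req["peer"], req["tls"]))
    return out


if __name__ == "__main__":
    for name, (insecure, hardened) in demo().items():
        print(f"{name:14s} insecure={insecure!r:16s} hardened={hardened!r}")
```

The insecure function returns the spoofed number for all three requests; the hardened one accepts it only from the gateway over TLS. Even then, the number identifies the SIM and device, not the person holding the phone, so on its own it is at best a possession factor.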

Biometric Authentication

With the rising trend of using biometrics to unlock smartphones, chances are you have seen or even used fingerprint and facial recognition authentication.

Biometric authentication verifies identity using a unique physical characteristic of a person. The user enrolls a biometric template once, and each later authentication compares a fresh sample against it. The method is designed to be secure, and it is, as long as it works properly.

It works great in many instances but comes with its own challenges, which can lead to serious consequences.

Because two scans of the same biometric can never be identical (sweat, lighting, angle and sensor noise all vary), verification succeeds when the sample is merely close enough to the template. Every system therefore tunes a threshold that trades false rejections against false acceptances, and that leads to curious situations when family members have similar enough characteristics...

Sometimes even a printed 2D photo of a person's face is enough, and fingerprints can be spoofed: a criminal only needs a sufficiently high-quality print with enough ridge detail to unlock a particular device. And unlike a password, a stolen fingerprint cannot be changed, so once compromised it can never again be trusted for authentication...

And although the user experience is good, biometrics also fail on the privacy side. Not everyone is willing to use their physical characteristics for authentication and help build biometric databases that can be abused. The risk is lowest when matching happens on the device and the template never leaves its secure hardware, as on current phones, and highest when templates are collected centrally.

Blockchain Authentication

Blockchain's main attributes, pseudonymity, decentralization and a tamper-evident ledger, make it an attractive option for managing digital identities. In theory it should provide a very good authentication solution, but it is not a good method yet.

What attracts users to blockchain is the promise of anonymity. In cryptocurrency transactions, it lets people transfer value without knowing anything about each other and without relying on any centralized authority.

But many of these transactions can actually be traced. The ledger data is not encrypted, only pseudonymous, and because it is public by default, transactions can be clustered and often linked back to the individuals who initiated them. This raises privacy concerns as well.

Also, if someone steals your private key, the only link to the digital identity stored on a blockchain, you may lose that identity together with any assets connected to it. By design there is no central authority that can revoke the key or restore your access.

So… what to choose?

Mobile-based authentication is becoming the gatekeeper of a user's identity, relying on the technical capabilities of mobile network operators around the world. But which authentication method should be used?

As seen above, some are just plain bad, some can be part of a broader authentication and security implementation, and some are nowhere near a useful implementation.

At IPification we did not compromise between user experience, security and privacy.

We developed our solution to enable service providers to rely on secure authentication that shares no user personal data and provides a seamless user experience.

Our authentication solution can be used as a single login factor replacing email/password, or as one of the factors in a 2FA/MFA approach. It can be activated by a single tap or run in the background, without any user interaction.