User Authentication is an important part of securing applications and computer systems. It is basically a security check that confirms who a user is before allowing them to access a system.
We can find one or more forms of user authentication in common applications and computer systems that we use every day. For example, user authentication systems in a network, web or mobile application, and devices like phones and personal computers.
There are different types of user authentication methods commonly used today. Each method has its own strengths, weaknesses, and impact on the user experience in the systems they secure.
In this post, we will discuss the top three (3) types of user authentication methods used to secure modern applications. At the end of the post, you should be able to determine which type of user authentication method is best for your use case.
In order to understand the different types of user authentication methods, let us first take a look at the common categories authentication methods can fall under.
Top Categories of User Authentication Methods
1. Password-based Authentication
This type of user authentication depends on the user to present credentials (usually a username and password). The password-based authentication method uses a “something you know” factor.
The username can be a unique set of characters such as the user’s email address, phone number, or nickname. The password on the other hand is another set of characters that should be hard to guess, and the user must not disclose it to others. Users define their username and password when creating their account. Some systems may allow users to change their passwords (and usernames, in rare instances) later should the need arise.
Password-based authentication is the most commonly used method today and most of the popular applications and devices we interact with daily still incorporate password-based authentication as the main way for verifying who a user is. For example, we still use text-based passwords to log in to our computers, smartphones, and social media sites like Facebook, and X.
1.1 Strengths of Password-based Authentication
The following are some strengths of a password-based authentication system:
Easy to set up and use: Password-based authentication systems such as the popular username and password login system found on social media sites are one of the easiest user authentication systems to set up. Usually, it does not require any additional infrastructure, or hardware on the part of the administrator or user.
It is tested and trusted: Password-based authentication is one of the oldest authentication methods and has been used since the earliest days of computing. As a result, it has been tested, and reviewed and many best practices for users and administrators to follow are available.
1.2 Weaknesses of Password-based Authentication
Vulnerability to Brute-Force Attacks: Attackers can use password generation tools to try thousands or even millions of passwords until they gain access to users' accounts on the target application or device. Implementing a password retry limit and using stronger passwords can reduce the risk of this type of attack.
Use of weak or guessable passwords: Users may set passwords that are weak and easy to guess because such passwords are easier for them to remember. For example “123456”, “password”, and date of birth. Using a weak password makes it easier for attackers to gain access to a user’s account. Setting a minimum password requirement that prevents users from setting weak passwords can reduce this problem.
Password reuse: Many users use the same passwords on multiple platforms and websites. Once such passwords are leaked due to a data breach on any of the platforms where they’re using the password, it leaves their account on other platforms vulnerable to attack.
Social Engineering Attacks: This type of attack involves tricking a user into giving out their username and password to malicious persons. A common example of this attack is phishing, which may involve the attacker presenting a fake login page where unsuspecting users will enter their username and password.
1.3 Examples of Password-based Authentication
The following are common examples of implementations of password-based authentication:
- Email and password login to an online account.
- Phone number and password login.
- Unique user ID (or username) and password login.
- Password / PIN login to devices like mobile phones and computers.
2. Knowledge-based Authentication
Knowledge here can be seen as something that we are aware of due to experience, reasoning, or learning. Hence this type of authentication requires the user to present that they are aware of in order to grant them access to a system. For example, the user may be required to answer a security question previously set by them, e.g. “What is your mother’s maiden name?”
Knowledge-based authentication can either be static (the user sets a security question and answer) or dynamic. In dynamic knowledge-based authentication, the system picks random questions based on the user’s records or transaction history. As a result, it is harder for an attacker to guess or find the answer online.
Knowledge-based authentication can be used as an additional level of security to password-based authentication. It is also used for recovering an account when a user forgets their password.
2.1 Strengths of Knowledge-based Authentication
The following are some strengths of a knowledge-based authentication:
Easy to use: Knowledge-based authentication is easy to use. In the static type, users are only required to select a security question and set the answer to the question. In the dynamic type, the authentic user is very likely to know the answer to the random question as it is usually based on their records and history of activities or transactions.
Providers additional level of security: In addition to providing a username and password, answering a security question can add extra security where a password may have been compromised.
2.2 Weaknesses of Knowledge-based Authentication
Predictable answers: Static security questions are usually based on personal details such as a user's favorite color, the name of their pet, birth town, etc. Attackers may find such details on social media or through social engineering.
It is Phisable: It is very easy for an attacker to gain access to the answer to a static security question by tricking a user into entering personal information on a phishing website.
Increase possibility of lockout: Users may forget the answers to the static security questions they set. In a case where this is the last option they have to recover their accounts, they may be locked out forever.
2.3 Examples of Knowledge-based Authentication
Examples of Knowlege-based authentication include:
- Static security questions.
- Dynamic knowledge-based authentication.
3. Possession-based Authentication
A possession-based authentication system relies on something the user has with them. A user is granted access to the system after they present something they have in their possession such as an access card, security token (hardware), or an authorized device that they can retrieve a One-Time Password (OTP) from. This type of authentication depends on the “something you have” authentication factor.
Many modern applications use one of the forms of possession-based authentication methods to implement an additional level of security in addition to password-based authentication. An example is GitHub. Their implementation requires the user to retrieve a Time-based One-Time Password (TOTP) from an authenticator app like Google Authenticator.
3.1 Strengths of Possession-based Authentication
Improve security: Possession-based authentication can improve the overall security of an application when used with other authentication methods. For example, if an attacker gains access to the password of a user in a phishing attack, the system will still require them to be in possession of the access card, security token, or authorized device that is linked to the user’s account.
Reduce the need to remember passwords: A user may not need to remember any passwords if a system provides an option to authenticate with only a possession authentication factor.
Great for implementing 2FA: A possession-based authentication method can be used with another authentication method (e.g. password-based authentication) to create a two-factor authentication (2FA). As a result, adding an extra layer of security when one factor is compromised (e.g. password is leaked).
3.2 Weaknesses of Possession-based Authentication
Harder to set up and use: Unlike password-based authentication, possession-based authentication may require additional infrastructure, hardware, and software to set up. The user is also required to have additional hardware or application in order to complete authentication.
Devices can be compromised: An attacker may gain access to the device used for authentication by means of malware or hacking. In this case, they can have access to authentication keys such as OTPs and gain unauthorized access.
Vulnerability to phishing attacks and social engineering: Attackers can still trick unsuspecting users to approve authentication requests. For example, attackers sometimes trick users into giving out OTPs via phone calls or on a phishing website.
3.3 Examples of Possession-based Authentication
Examples of possession-based authentication include:
- Hardware token: This is a physical device that the user possesses and can be used to generate tokens (code) that they can use to authenticate themselves.
- One-time Password (OTP): An OTP is a set of keys generated for one-time use when accessing a system. They can be sent to the user via text message (SMS) or email.
- Time-based One-Time Password (TOTP): TOTP uses a special algorithm to generate a unique one-time use password. The algorithm uses the current time and a secret key that is shared between a user’s device and the service they are trying to access. A service may have its own app for users to retrieve the one-time password every time they need to log in. Or users can use a popular authenticator app like Google Authenticator.
4. Biometric Authentication
Biometric authentication is a type of authentication that is becoming more popular recently. It uses a user’s unique biological or behavioral characteristics to verify their identity. This form of authentication is considered more secure than knowledge-based authentication. Biometric authentication uses the ”Something you are” authentication factor.
The common types of biometric authentication found in applications and devices include the use of a user’s fingerprint and facial recognition. You can find these implementations on nearly every smartphone and some high-end computers.
4.1 Strengths of Biometric Authentication
Offers more security: Biometric attributes such as fingerprint and facial recognition characteristics are more difficult to steal compared to text-based passwords.
More convenient: Biometric authentication makes authentication easier for users, as using their fingerprint or facial scan to log in is easier than remembering passwords.
4.2 Weaknesses of Biometric Authentication
Expensive to set up: Setting up biometric authentication usually involves the use of additional hardware, software, and other infrastructure. As a result, the overall cost of setting up user authentication may go up. Even on the end user’s side, they may need to purchase additional hardware, a computer or smartphone that has built-in fingerprint and facial scanning features.
Theft of biometric data: Although it is harder for hackers to gain access to biometric data when compared to text-based passwords, it is not 100% impossible. Hence it is important to store biometric data securely and follow best practices. It is also, possible for hackers to use replica biometric data to fool the authentication system.
Privacy issues: Many users are concerned about the impact of having their unique biometric data stored on a company or government’s system. Some of these concerns are about how the data might be used and the danger associated with a possible data breach.
False positives and rejection: Fingerprint scanners can fail to recognize the fingerprint of an authentic user due to dirt or moisture on the finger or scanner. Facial recognition systems can also fail due to poor lighting in the user’s surroundings or changes in the person’s appearance.
Accessibility issues: People with disabilities may not be able to use some forms of biometric authentication such as fingerprints or facial recognition.
4.3 Examples of Biometric Authentication
Examples of biometric authentication include:
- Fingerprint unlock on smartphones and computers.
- Face unlock on smartphones and computers.
- Sign-in with biometrics in mobile and desktop applications.
Top 3 Types of User Authentication
Based on the categories of user authentication methods we’ve covered, the following are the top 3 types of user authentication you’ll find on devices and applications today.
1. Password-based User Authentication
The first type of user authentication on our top 3 list is password-based user authentication. This type of authentication system can be found on most web and mobile applications today. It is easy to implement and end-users are already familiar with it.
Although it has the weaknesses we discussed earlier, encrypting and storing passwords securely, enforcing strong password requirements, educating users about how to keep their passwords safe, and combining this type of authentication with other methods can improve security. You can also use an authentication-as-a-service solution like Authgear to implement more secure password-based user authentication.
2. One-time Password (OTP)
One-time Password or OTP is commonly used as a second factor for authentication. For example, it is used as an additional authentication to a password-based authentication where it can prevent an attacker from accessing a user’s account even when they gain access to the user’s password.
OTP is usually sent to a user via text message (SMS) or email. As a result, to use this type of authentication, your application must implement the necessary services for sending the OTP. Using Authgear, you can add OTP authentication to your application in a few simple steps without building your own service from the ground up.
3. Biometric Authentication
Biometric user authentication allows a user to log in to your application using just their fingerprint or facial scan. This time of authentication is becoming very common in mobile applications today as most smartphones now come with a built-in fingerprint and facial scanner.
A major concern about biometric authentication is privacy, and to deal with this concern, both Android and iOS (the top 2 most used smartphone operating systems) securely store the user’s biometric data on the user’s device and third-party applications do not need to access the actual biometric data before they can allow users sign-in to their applications using biometric.
Biometric authentication or biometric login is very convenient for users as it removes the need for them to remember any passwords. If you wish to add biometric login to your application so that your users can enjoy its benefits, you can either use the official API for each platform your application will be on, or try the Biometric Login feature of a service like Authgear.
Conclusion
We have come to the end of this article on the top 3 types of user authentication. If you came here looking for an answer to “Which user authentication method is the overall best?” Our simple answer will be multi-factor authentication.
Multi-factor authentication means combining two or more authentication methods to add multiple layers of security.
Also, the best method for your specific use case may depend on different things like the platform your application will run on, the hardware available to users and what is at stake. For example, in most financial applications, a combination of password-based authentication and one possession-based authentication method (usually OTP), or biometric authentication is used. This is to ensure that in case the user’s password is compromised, the person logging in needs to show that they are the user by presenting something the user has in their possession (OTP) or something they inherit (biometric).
If you’re looking for a secure user authentication solution for your organization with minimum stress of configuration and development, we recommend you try Authgear for free.
