Abstract
An authentication process is a process of verifying an entity’s identity based on one or multiple factors. A factor can be something the entity is, possesses, or knows. Depending on the number of credentials (or factors) required, the authentication process is referred to as single-factor authentication, two-factor authentication, or multifactor authentication. In choosing a particular authentication solution for organizations, it is crucial to balance security, usability, cost, and privacy considerations. The authentication solution for a particular service can be predetermined for the private individual, although stronger authentication can be enabled if desired. While these trends suggest a more secure and user-friendly authentication process, they may also introduce new privacy concerns that must be addressed.
1 Introduction
The purpose of authentication is to verify the identity of an entity. The number of factors required to authenticate an entity determines the type of authentication—single-factor, two-factor, or multi-factor. This chapter examines trends and advances in authentication with a focus on security and usability: the current state of password security, the emergence of passwordless authentication, the future potential of biometric authentication, and current authentication approaches such as adaptive and continuous authentication.
2 Analysis
2.1 Definition
An authentication process is a process of verifying an entity’s identity based on one or multiple factors [1]. A factor can be something the entity is (e.g., device fingerprinting for devices, or biometrics such as a retina, face, or behavior for a person), possesses (e.g., a token or a bank or ID card), or knows (e.g., a password or algorithm) [2]. Sometimes a location factor is listed as a fourth category [3]: the location and/or time of the entity’s login, e.g., GPS coordinates, IP address, or cellular triangulation. An entity may be, for instance, a computer or smartphone, or a user using such a device. Depending on the number of credentials (or factors) required, the authentication process is referred to as single-factor authentication (SFA), two-factor authentication (2FA), or multifactor authentication (MFA). Note that MFA includes two-factor authentication. Behavior can also serve as a factor, as in behavior-based authentication and continuous authentication systems.
2.2 Trends
Security Factors
Password security has inherent weaknesses [4], particularly susceptibility to social engineering (for example, phishing) and dictionary attacks. However, passwords remain the most popular authentication method worldwide, according to an Okta Inc. study conducted in 2021 [5]. According to this study, 5% of organizations worldwide use passwords as their primary security measure. Moreover, the password management market revenue is expected to increase from 1.25 billion U.S. dollars in 2020 to 3.07 billion U.S. dollars by 2025 [6].
Although the knowledge factor is still omnipresent, the opposite trend, passwordless authentication, is emerging. Passwordless authentication eliminates the knowledge factor and relies on stronger factors such as ownership and biometrics. In 2020, the worldwide market revenue for passwordless authentication was approximately 10.3 billion U.S. dollars and was expected to reach 25.2 billion U.S. dollars by 2025 [7]. However, biometrics is often just an add-on for better usability, especially in the mobile domain: Android and iPhones, for example, still rely on a PIN or strong password in the background. A promising approach to passwordless authentication is the FIDO2 authentication standard, developed by the FIDO Alliance, an open industry association. FIDO2 is based on public key cryptography, stores credentials on the user’s device, and uses a unique credential for every website [8]. This makes it resistant not only to replay attacks and password theft but also to some phishing attacks [8], to which other forms of MFA are still susceptible. However, it does not prevent online phishing attacks in which the attacker acts as a proxy between the user and the actual service.
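The origin binding that gives FIDO2 its phishing resistance, as an added Go sketch that is not from the chapter or the FIDO Alliance: the toy authenticator keeps one P-256 key pair per relying-party (RP) ID and signs the server's challenge together with the origin the browser reports, so a credential registered for one site cannot be exercised from a look-alike site. The RP IDs, the "rpID|challenge" message layout and the Verify helper are simplifications of the real WebAuthn data structures.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Authenticator keeps one key pair per relying-party (RP) ID: a toy model of a
// FIDO2 authenticator with credentials stored on the user's device.
type Authenticator struct{ keys map[string]*ecdsa.PrivateKey }
func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
}

// Register creates a fresh, site-specific credential; the RP stores the public key.
func (a *Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID] = k
	return &k.PublicKey, nil
}

// signedMessage binds the RP's challenge to the origin the browser observed,
// so a signature obtained for one site cannot be replayed at another.
func signedMessage(rpID string, challenge []byte) []byte {
	h := sha256.Sum256(append([]byte(rpID+"|"), challenge...))
	return h[:]
}

// Assert signs the challenge for the reported origin; a look-alike origin has
// no credential, so the authenticator refuses rather than produce a signature.
func (a *Authenticator) Assert(origin string, challenge []byte) ([]byte, error) {
	k, ok := a.keys[origin]
	if !ok {
		return nil, errors.New("no credential registered for " + origin)
	}
	return ecdsa.SignASN1(rand.Reader, k, signedMessage(origin, challenge))
}

// Verify is the RP's check: the signature must cover its own RP ID and the
// challenge it issued, under the public key stored at registration.
func Verify(pub *ecdsa.PublicKey, rpID string, challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, signedMessage(rpID, challenge), sig)
}
```

A real RP issues a fresh random challenge per login; the fixed byte string used in tests stands in for that.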
With the surge of wearables and other IoT devices, biometric factors may in the future be the only workable solution for such devices; otherwise these new devices will need a strong password, which is problematic on such hardware. By 2027, the worldwide biometric authentication and identification market is expected to reach almost 100 billion U.S. dollars, up from 33 billion U.S. dollars in 2019 [9]. Legacy systems and applications are considered the significant barrier to large-scale use of passwordless authentication: in 2022, 61% of IT staff and 58% of IT security leaders worldwide named the lack of support for the technology in legacy systems and applications as one of the main barriers to adopting passwordless authentication [10].
Authentication Approaches
Current trends attempt to enhance security and usability. These include:
- Adaptive authentication [11]: In adaptive or risk-based authentication, the authentication procedure is determined by an entity’s context. Contextual factors, such as a device’s location or the sensitivity of the data a user requests, are considered during authentication. From these, an authentication risk score is calculated, often utilizing machine-learning techniques, and this score determines how many security measures are required. Adaptive authentication thus increases usability while staying on top of security. This approach was recommended in the NIST Digital Identity Guidelines from 2017 [12].
- Continuous authentication [3]: During continuous or active authentication, the identity of an entity is recurrently verified based on patterns derived from continuous monitoring of the entity. This is achieved primarily by using behavioral or biometric factors such as keystroke patterns, mouse movements, or gait patterns (see also Real-time Biometric Authentication in Chap. 22). With this approach, impersonation attacks can be prevented more effectively than with static authentication: the perpetrator must continuously mimic the entity’s behavior and would otherwise be blocked as soon as untypical behavior is detected [13]. However, the continuous collection of biometric and behavioral data has raised privacy concerns, which must be addressed.
- Authentication technology for the approval of sensitive user actions: Authentication technology is commonly used to approve financial transactions: the transaction details are sent to the payer via an independent channel and confirmed with a security factor, for example, via 3D Secure (see Chap. 32.1 for details). This can help secure transactions against the compromise of operating systems or browsers by malware. Using authentication technology to approve sensitive user actions is not limited to financial transactions, however; it can also be implemented, for example, for changing one’s online account details.
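As an added example (not from the chapter) of the adaptive and continuous approaches above, the Go code below combines contextual signals (unknown device, impossible travel, requested data sensitivity) with one continuous behavioral signal (deviation of keystroke timing from the user's baseline) into a risk score that selects the required step-up. The weights, thresholds and field names are assumptions chosen for illustration, not values from any product or from the NIST guidelines.

```go
package main
import "math"

// Context holds the signals for one login attempt (constructed fields/weights).
type Context struct {
	KnownDevice     bool
	KmFromLastLogin float64   // distance to the previous successful login
	HoursSinceLogin float64   // time elapsed since that login
	Sensitivity     int       // 0 = public data ... 3 = payment or admin action
	KeyIntervalsMs  []float64 // recent keystroke gaps: the continuous signal
}
// Profile is the user's learned keystroke baseline (mean and spread of gaps).
type Profile struct{ MeanIntervalMs, StdIntervalMs float64 }
// behaviorDeviation: standard deviations between observed rhythm and baseline.
func behaviorDeviation(p Profile, intervals []float64) float64 {
	if len(intervals) == 0 || p.StdIntervalMs == 0 {
		return 0 // nothing to compare, so no behavioral evidence either way
	}
	sum := 0.0
	for _, v := range intervals {
		sum += v
	}
	mean := sum / float64(len(intervals))
	return math.Abs(mean-p.MeanIntervalMs) / p.StdIntervalMs
}

// RiskScore adds weighted signals: unknown device, impossible travel (over
// 900 km/h since the last login), data sensitivity and typing deviation.
func RiskScore(p Profile, c Context) float64 {
	score := 0.0
	if !c.KnownDevice {
		score += 40
	}
	if c.HoursSinceLogin > 0 && c.KmFromLastLogin/c.HoursSinceLogin > 900 {
		score += 40
	}
	score += 10 * float64(c.Sensitivity)
	score += 10 * math.Min(behaviorDeviation(p, c.KeyIntervalsMs), 3)
	return score
}

// Decide maps the score to the step-up a login must pass, or to a refusal.
func Decide(score float64) string {
	levels := []string{"one factor", "two factors", "two factors + out-of-band approval"}
	for i, limit := range []float64{20, 60, 90} {
		if score < limit {
			return levels[i]
		}
	}
	return "deny and alert"
}
```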
3 Consequences for Switzerland
According to a study conducted by ESET in 2022, most Swiss smartphone users use a PIN to access their smartphones [14], and Swiss people need to manage their passwords better. In the study, 12% of the Swiss participants used identical passwords for multiple accounts, whereas only 5.8% did so in Germany [15]. According to the study, 14% of Swiss participants always use 2FA for online services, which is in line with the recommendation by the Swiss National Cyber Security Centre to use MFA whenever possible [16]. In Germany, however, 27.8% reported always using two-factor authentication, so Swiss adoption is still significantly lower. Regarding biometric authentication, there seems to be a general interest in and openness to this technology among the Swiss people: as of 2019, 85% of Swiss citizens indicated that fingerprint authentication was the most secure method for making credit card payments [17].
Authentication is also well represented in research in Switzerland, e.g., at the Idiap Research Institute ([18], biometric authentication) and IBM Zurich ([19], password cryptography). This research has also been transferred successfully, leading to spin-offs such as Token2 Sàrl (University of Geneva) and Futurae Technologies AG (ETH Zurich).
3.1 Implementation Possibilities: Make or Buy
In choosing a particular authentication solution for organizations, it is crucial to balance security, usability, cost, and privacy considerations. For the private individual, the authentication solution for a particular service is usually predetermined, although stronger authentication can be enabled if desired. Individuals can also increase security by purchasing additional solutions, such as a password manager or hardware security keys. The following are some considerations for the different security factors:
- Knowledge factor: Passwords are still prevalent, so it is essential to maintain a secure password management system. A variety of commercial password managers can assist in breaking habits like reusing passwords or writing them down. There are also free options, such as open-source password managers, and numerous options integrated into many browsers and smartphones. According to Grauer and Klosowski [20], 1Password [21] is the best password manager, whereas Bitwarden [22] is the best free solution.
- Ownership factor: There is an abundance of authenticator applications to choose from, including Authy [23], Microsoft Authenticator [24], and Duo [25]. The Yubico Security Key series [26] and the Google Titan Security Key [27] can also be purchased as hardware tokens. It is essential to consider whether such devices meet industry standards such as FIDO2 and whether they are compatible with future trends such as passwordless authentication. In addition to hardware tokens, Swiss providers such as Swiss SafeLab, Token2 Sàrl, and Futurae Technologies AG offer software tokens.
- Biometric factor: Sourcing biometric authentication solutions can be challenging due to the highly specialized technology required. Furthermore, privacy and data protection regulations need to be considered. One option for addressing privacy in biometric authentication is to store biometric data only on the user’s device instead of remotely on servers. For more on privacy and for information about commercial and open-source solutions, see Chap. 22.
4 Conclusion
Though knowledge-based authentication has been known to have shortcomings, it remains the most popular method for entity authentication. The shortcomings are currently addressed through sophisticated password management and multifactor authentication. Nevertheless, concurrently with the increase in IoT devices and advances in machine learning, there is a trend towards passwordless authentication utilizing biometrics and new authentication approaches such as continuous and adaptive authentication. While these trends suggest a more secure and user-friendly authentication process, they may also introduce new privacy concerns that must be addressed in the future.
References
[1] Ebru Celikel Cankaya. Authentication. In Henk C. A. van Tilborg and Sushil Jajodia, editors, Encyclopedia of Cryptography and Security, pages 61–62. Springer US, Boston, MA, 2011.
[2] Aleksandr Ometov, Sergey Bezzateev, Niko Mäkitalo, Sergey Andreev, Tommi Mikkonen, and Yevgeni Koucheryavy. Multi-factor authentication: A survey. Cryptography, 2(1):1, 2018. Publisher: MDPI.
[3] Dipankar Dasgupta, Arunava Roy, and Abhijit Nag. Advances in User Authentication. Infosys Science Foundation Series. Springer International Publishing, Cham, 2017.
[4] Gary C. Kessler. Passwords — Strengths and Weaknesses. https://www.garykessler.net/library/password.html.
[5] Okta Inc. The State of Zero Trust Security 2021. Technical report, June 2021.
[6] Justina Alexandra Sava. Password management market revenue worldwide in 2020 and 2027. https://www.statista.com/statistics/1300988/global-password-management-market-revenue/, June 2022. Statista.
[7] Justina Alexandra Sava. Passwordless authentication global market size 2030. https://www.statista.com/statistics/1290586/passwordless-authentication-global-market-size/, August 2022. Statista.
[8] FIDO Alliance. FIDO2. https://fidoalliance.org/fido2/, August 2022.
[9] Justina Alexandra Sava. Biometric authentication and identification market revenue worldwide in 2019 and 2027. https://www.statista.com/statistics/1012215/worldwide-biometric-authentication-and-identification-market-value/, February 2022. Statista.
[10] Justina Alexandra Sava. Main barriers to adopting passwordless authentication worldwide 2022. https://www.statista.com/statistics/1305837/global-barriers-to-adopting-passwordless-authentication/, May 2022. Statista.
[11] Patricia Arias-Cabarcos, Christian Krupitzer, and Christian Becker. A survey on adaptive authentication. ACM Computing Surveys (CSUR), 52(4):1–30, 2019. Publisher: ACM New York, NY, USA.
[12] P. A. Grassi, J. L. Fenton, E. M. Newton, R. A. Perlner, A. R. Regenscheid, W. E. Burr, and M. F. Theofanos. NIST Special Publication 800-63B: Digital Identity Guidelines: Authentication and Lifecycle Management. Technical report, NIST, 2017.
[13] Lorena Gonzalez-Manzano, Jose M. De Fuentes, and Arturo Ribagorda. Leveraging User-related Internet of Things for Continuous Authentication: A Survey. ACM Computing Surveys, 52(3):1–38, May 2020.
[14] Studie: Die Schweizer Bevölkerung verwaltet ihre digitalen Zugänge und Passwörter ziemlich schlecht [Study: The Swiss population manages its digital accounts and passwords rather poorly].
[15] ESET. Deutschland holt auf: Passwort wird für Online-Nutzer zum alten Eisen [Germany is catching up: the password is becoming obsolete for online users]. https://www.eset.com/de/about/presse/pressemitteilungen/pressemitteilungen/deutschland-holt-auf-passwort-wird-fuer-online-nutzer-zum-alten-eisen-2/, August 2022.
[16] National Cyber Security Centre NCSC. Protect your accounts. https://www.ncsc.admin.ch/ncsc/en/home/infos-fuer/infos-private/aktuelle-themen/schuetzen-sie-ihre-konten.html, February 2021.
[17] Visa Studie: Biometrische Authentifizierungsmethoden werden bei Schweizer Karteninhabern immer beliebter [Visa study: Biometric authentication methods are becoming increasingly popular among Swiss cardholders].
[18] Idiap Research Institute. Biometrics Security & Privacy. https://www.idiap.ch:/en/scientific-research/biometrics-security-and-privacy/index_html, August 2022.
[19] Jan Camenisch, Anja Lehmann, Gregory Neven, and Kai Samelin. Virtual smart cards: How to sign with a password and a server. In International Conference on Security and Cryptography for Networks, pages 353–371. Springer, 2016.
[20] Yael Grauer and Thorin Klosowski. The Best Security Key for Multi-Factor Authentication. The New York Times, July 2022.
[21] 1Password. 1Password. https://1password.com/, August 2022.
[22] Bitwarden. Bitwarden Open Source Password Manager. https://bitwarden.com/, August 2022.
[23] Twilio Authy. Authy | Two-factor Authentication (2FA) App & Guides. https://authy.com/, August 2022.
[24] Microsoft. Microsoft Authenticator. https://www.microsoft.com/en/security/mobile-authenticator-app?rtc=1, August 2022.
[25] Cisco. Duo. https://duo.com/product/multi-factor-authentication-mfa/duo-mobile-app, August 2022.
[26] Yubico. Yubico | YubiKey Strong Two Factor Authentication. https://www.yubico.com/, August 2022.
[27] Google. Titan Security Key - FIDO U2F USB-C NFC Bluetooth - Google Store. https://store.google.com/us/product/titan_security_key?hl=en-US, August.
Open Access This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.
The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.
Copyright information
© 2023 The Author(s)
Müller, B. (2023). Authentication. In: Mulder, V., Mermoud, A., Lenders, V., Tellenbach, B. (eds) Trends in Data Protection and Encryption Technologies. Springer, Cham. https://doi.org/10.1007/978-3-031-33386-6_29
DOI: https://doi.org/10.1007/978-3-031-33386-6_29
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-33385-9
Online ISBN: 978-3-031-33386-6