Users can authenticate through various methods, and it can be challenging for system designers and even cybersecurity professionals to know which methods they should support. This blog post aims to provide an in-depth understanding of different authentication methods and their pros and cons.
Lowest level: User-chosen secrets
These include bank PINs and website passwords. These secrets are easy for attackers to guess. Bank PINs are only safe because the banking industry has implemented sophisticated monitoring systems that make it difficult to move money without a trace. Some of these systems include transaction monitoring, which analyzes transaction patterns to detect anomalies, and multi-factor authentication that requires additional verification steps (e.g., biometrics or one-time codes) before authorizing a transaction. The financial industry also enforces Know Your Customer (KYC) regulations and utilizes technologies like SWIFT to track money flows. This makes it difficult for someone to steal funds from an account and receive them without getting caught, since being a member of SWIFT requires passing through a stringent identification process.
These protections don't exist for authentication to websites. You should only use user-chosen secrets on websites if they protect nothing of value, including the ability to impersonate you on that site.
Next level: User-chosen secrets supplemented with a random code
User-chosen secrets can be supplemented with a second factor that provides additional randomness. A popular option is TOTP, or Time-based One-Time Passcodes. TOTP requires users to install an app, such as Google Authenticator, which generates new codes at regular intervals based on a stored secret and the current time. TOTP codes can also be received via SMS or email.
These systems serve two purposes:
- Make it harder for an attacker to brute-force guess a user-chosen secret in an online attack. Even if an attacker successfully guesses the password, they need to guess the random code to find out if their guess was correct. This is a strong deterrent to brute-force guessing.
- Make it harder for an attacker to authenticate even when they have learned the user-chosen secret. They will still need to guess the random code and the authentication system is likely to lock them out if they make too many attempts.
However, these systems are still vulnerable to data breaches. The secret for these time-based codes, called a seed, is stored on the server. If your system is breached, you should expect an attacker to get both the TOTP seeds and the password hashes. If those passwords are user-chosen, many of them could be guessed.
Considerations for the second factor
TOTP codes can be generated by an app or received via SMS or email. SMS should be avoided due to the risk of hijacking through methods like SIM-swapping or social engineering. SIM-swapping involves an attacker convincing a mobile carrier to transfer your phone number to a new SIM card in their possession, while social engineering involves tricking customer support or other personnel into providing unauthorized access to your account. You can reduce these risks by using a system like Google Voice or setting a PIN with your mobile carrier, but you can't expect this of your users.
Email-based codes share similar risks as SMS-based codes, as they can also be hijacked through unauthorized access to the user's email account. This can happen by compromising the account password or exploiting other vulnerabilities in the email provider.
Apps are a good option because they can generate codes without going over the internet or phone networks. However, managing these apps can present difficulties. For example, while Google Authenticator is a reliable and popular choice for this, it only recently started to back up seeds. As a result, users would lose access to their accounts if they replaced or reset their phone. Managing the support process for TOTP apps will require IT resources from your organization, but avoids the risks associated with SMS or email-based codes.
Magic links
Magic links are an alternative authentication method in which users receive a login link via email after entering their email address on a website. When implemented correctly, magic links can be considerably stronger (harder to brute-force) than email-based 2FA codes, though just as convenient. However, they are still vulnerable in the event of a data breach, as they do not involve any secret held by the client.
Moreover, magic links rely solely on possession of an email address. Should an attacker manage to hijack the user's email account, they would gain access to magic links without needing to know any other secrets. That said, many account registration processes rely on email account security. This highlights the importance of educating users on the value of securing their email account.
Next level: Randomly-generated shared secrets
Even without a second factor, randomly-generated shared secrets can be considered a level above user-chosen secrets supplemented with a code. With the help of password managers, users can store a unique 20-character or longer random password for each website, making passwords much stronger.
If the password is sufficiently strong, this method is secure even in the event of a data breach. With a simple hashing algorithm like SHA-256, cracking a hashed, random 20-character string is currently very far from feasible. Current password storage guidance recommends even more intense hashing algorithms than SHA-256.1
A potential downside is vulnerability to keyloggers and eavesdropping on either end of the connection at the time of authentication. However, all of the authentication methods on this page are vulnerable to malware on the client or servers.
Highest level: Challenge-response using an asymmetric key
The most secure level includes certificate-based authentication and other methods that rely on asymmetric keys. These methods necessitate the storage of a certificate on a device since certificates are too large to be entered using a keyboard. Their size also contributes to their strength – they are virtually impossible to guess.
When stored in secure hardware, such as FIDO2 keys or the TPMs found in many modern computers and smartphones, these certificates are even resistant to data breaches. While malware could be used to impersonate the user as long as it remains on the client, it cannot transmit anything off the device that could be used once the malware is removed. The same is true on the server side. Even if your system is breached, the attacker will only obtain public keys, which cannot be used to impersonate a user once the attacker is evicted.
Cross-cutting security concerns
In addition to the strength levels of authentication methods, there are also cross-cutting security concerns that apply across different authentication systems. These concerns encompass aspects such as resistance to shoulder-surfing and phishing attacks. Let's explore some of these issues and how they can impact the overall security of an authentication system.
Resistance to shoulder-surfing
Shoulder-surfing is a security risk that occurs when someone observes you entering sensitive information. One modern example of this is entering a password on a smart TV while friends or family are watching. Another example is streamers who decide to purchase an upgrade while their stream is live. Most authentication systems are not designed to handle this type of interaction safely.
One potential solution could be a shoulder-surfing resistant challenge-response system, where users would enter specific characters from their password, such as characters 2, 3, 7, 9, and 15. For a 20-character password, the odds of getting the same challenge again would be 1 in 15,504. Systems like this were proposed in the 1990s and early 2000s, but no widely-used system like this currently exists. There are several drawbacks to such systems: passwords would have to be stored unhashed, users would still need a password manager to store their lengthy passwords, and the system leaks a significant amount of information with each authentication.
A convenient solution adopted by many smart TV apps is to authenticate using a code from a signed-in device. This method allows users to authenticate a device without revealing a secret.
Fingerprint scanners and FIDO2 keys can also offer resistance to shoulder-surfing since they provide secrets that do not need to be entered on a screen. FIDO2 keys are often used as a second factor alongside passwords, but they can also be used for "passwordless" authentication. Some newer models incorporate fingerprint scanners for added security, preventing the key from being used for passwordless authentication when stolen. However, I am not familiar with any smart TV platforms that can authenticate with a hardware device. TOTP codes and push notifications could also be used to authenticate in a shoulder-surfing resistant way, but again I have not seen any implementations of this in the wild.
As someone who has to shoo the kids out of the room everytime I enter a PIN on my smart TV, I think there is room for innovation in this area. For now, however, entering a code or responding to a push notification on a signed-in device seems to be the best current solution for mitigating shoulder-surfing risks.
Resistance to phishing
Phishing is one of the most popular methods by which attackers obtain credentials. For an authentication system
to be resistant to phishing, the client browser needs to identify the website domain2
and pass it along. Unlike humans, browsers can easily tell the difference between
amazon.com
and amazon.com.phishingsite.com.
PwdHash was an early attempt to resist phishing through use of a browser extension. The Stanford PwdHash project hashed passwords with the domain name, ensuring that the correct password would only be generated for the genuine domain. The concept behind PwdHash is simple: by combining the user's password with the site's domain, the generated hash is unique to that specific site. This means that even if a user is tricked into entering their password on a phishing site, the generated hash will be different, and the attacker will not have the correct credentials for the legitimate site.
Modern password managers also help resist phishing. They won't autofill credentials if the website is a phishing site because the domains won't match. FIDO2 keys operate similarly. They won't provide an authentication response to a phishing domain.
Magic links also offer resistance to phishing but through a different mechanism: users of magic links never enter a secret directly into a form on a website. Instead, they click a link sent to their email, reducing the risk of inadvertently providing sensitive information to phishing sites. This is a major benefit of magic links.
However, 2FA methods that provide a code, like TOTP, are not phishing resistant. Push notifications are also not phishing resistant, as a phishing site can trick a user into responding to a push notification. This could happen if a user is lured into a phishing site that mimics the legitimate site's login process, and the attacker triggers a push notification, making the user think it's part of the normal authentication procedure. Once the user approves the notification, the attacker can gain access to the user's account.
These are serious drawbacks of these systems. Resistance to phishing is crucial in authentication systems because phishing attacks are a common method for stealing credentials and gaining unauthorized access to user accounts. Ensuring that an authentication system can withstand phishing attempts helps protect users and maintain the security of their data. By understanding and adopting authentication methods that are resistant to phishing, organizations and users can significantly reduce the risk of falling victim to these types of attacks.
Final thoughts
FIDO2 keys are currently the best option for secure authentication, since they combine strong cryptography and phishing resistance. Their main drawbacks are their cost, compatibility issues with older devices, and the fact that users must maintain possession of the USB key to ensure security. All of the most secure authentication methods, however, require an additional device or software, such as a FIDO2 key or a password manager. The IT burden this creates must be considered when implementing these solutions, but we must also consider their security benefits as well.
It's worth noting that many 2FA methods are not phishing resistant, and SMS and emailed codes are also susceptible to eavesdropping. On the other hand, magic links offer phishing resistance, but they only test for possession of the email address, shifting security responsibility to the email provider.
Passkeys, a newer concept, utilize a TPM-backed FIDO2 protocol running on the user's smartphone. The smartphone communicates with the browser via Bluetooth, so it doesn't require a USB connection. Also known as multi-device FIDO keys, passkeys might provide a more usable means to gain the benefits of FIDO2.
By understanding the strengths and weaknesses of different authentication methods, you can make more informed decisions when designing and implementing authentication systems for your applications and services. Keep in mind that usability, ease of deployment, and the unique requirements and constraints of your organization, are essential factors to consider when adopting any system.
See the OWASP guidance on password storage for more information.
↩Technically, systems like FIDO2 use the origin (a tuple of the hostname, port number, scheme, and domain name) to identify the website. Since origin might be an unfamiliar term to some readers, I use the more common term domain instead.
↩