Alán Alcoverro, Dec 4, 2019

Review of the main authentication mechanisms used

Technology is advancing at a rapid pace. This not only favors the development of new products that facilitate users’ lives but also becomes a new vector of attack for bad actors, who see fresh opportunities to obtain economic gain.

This is why companies invest in online security measures to reduce attacks, protect their customers and their brand image.

Among the security measures currently in favor for accessing online services, or for authorizing other actions within them, are two-step user authentication techniques.

Two-step authentication gives the user an additional step to demonstrate that they are indeed a customer attempting to perform a certain action, and not an attacker. In addition to providing their ID and password, in this system the user is required to go through a second authentication step to eliminate possible account takeover fraud.


In addition, today there are numerous directives worldwide that aim to regulate this type of authentication, especially in the financial and online commerce sector.

These directives include PSD2, the European directive that regulates the payment services provided for any online service that includes payment activities within Europe.

This directive puts special emphasis on security, requesting the strengthening of and compliance with certain security features for payment authentication, known as “Strong Customer Authentication”. This authentication also consists of a two-step authentication that we discussed in one of our past posts.

While implementation of PSD2 is still being completed throughout the financial and electronic commerce sector (its application has been delayed to December 31, 2020), in this post we review the most common 2-step authentication methods used not only at the European level but globally.


SMS authentication

This is the most commonly used two-step authentication method. Virtually all the services that apply a two-step verification mechanism use SMS authentication. This system consists of sending a single-use alphanumeric code via a text message, which the user must enter into the system during the login.

Although it is the most commonly used mechanism, it is not the safest or the simplest. And considering the rise of malware for mobile devices, it is among the worst in terms of security. On an infected device, the malicious application will have access to any SMS received and can forward it to the attacker's control server.

In terms of usability, the process of entering the code on a mobile device can be very tedious for users if they are simultaneously looking at the SMS message and their login screen.

This technique also incurs a cost for the entities that decide to use it, since the text messages needed to implement the system have to be paid for.


Authentication using OATH TOTP applications

This technology makes use of third-party applications to authenticate the user. The technology is known as OATH TOTP, and it functions in a way very similar to the technique of sending codes by SMS. However, in this case, the user uses an application such as Google Authenticator, LastPass Authenticator, or Latch to generate a temporary authentication code.


OTP authentication systems can use different methods to generate the final password that will be provided to the user. Examples are event-based authentication, time-based authentication, or a challenge-response authentication method.

The main advantage of this approach is its low cost, in addition to the level of security it offers in terms of robustness and reliability. Plus, it poses minimal customer experience issues beyond installing the verification application.


Authentication based on biometric factors

This is a favorite among users, as it is one of the most comfortable in terms of usability as well as being one of the safest. There are different types of biometric authentication. Facial and fingerprint recognition are the most commonly used, although we can also find solutions that use the iris or physiognomy.

Its popularity has been increasing in recent years and is expected to increase even more in the coming ones.

This is due to the ease with which the user can access this type of technology and how easy it is to use. In the case of fingerprint recognition all the user has to do is place his or her finger on their mobile's reader.

On the other hand, we can find problems in the implementation of these mechanisms. If the system implementation is not robust enough, an attacker could use simple tricks to authorize the authentication. For example, they could use a photo of the victim in the case of a facial recognition system.


In addition to the use of physical biometric factors to authenticate the user during login, there is also the possibility of providing security through a behavioral biometrics analysis able to identify a user silently (without impacting their user experience), analyzing the way they type, move the mouse, hold their mobile phone, their movements within an application or website, pressure, latency, response speed, and many others.

This analysis makes it possible to detect if it is really the legitimate user or if, on the contrary, it is an attacker who has managed to fraudulently access the user's account.


Other methods being phased out

In addition to the authentication factors introduced above, we find others that are gradually being replaced with new mechanisms, including coordinate cards, phone calls, hardware tokens in calculator or USB mode, etc.


Looking forward: continuous behavioral biometric analysis

In recent years, large online services companies have opted for biometric authentication, taking advantage of all of the physical biometrics readers incorporated into smartphones. This fact allows us to predict a bright future for this type of authentication, which in addition to being quite good in terms of security is also good in terms of user experience.


However, these methods are beginning to coexist with new techniques such as the analysis of biometric behavior, which is even less intrusive in the user experience and also provides an element of continuous authentication.

This means the user’s identity is not only verified when they use their fingerprint or face for authentication (static authentication) but throughout the user's session when using any online service, which provides a higher level of protection to prevent account takeover attacks.

At Revelock we are committed to behavioral biometric technology to enable continuous user verification. We develop solutions that make it possible to detect if a user is being impersonated or manipulated during an entire online session utilizing behavioral biometric data analyzed with a hybrid AI system to prevent account takeover attacks.

If you would like to know more about our technology, please contact us.


Alán Alcoverro

Alán is a Solutions Architect at Revelock. With over 12 years of professional experience as a Solutions Engineer / PreSales in companies such as IBM, SCC, Allot Communications and Riverbed, he has a transversal and integrated view of the IT world and all the digital challenges it implies for companies of any size, with cybersecurity as his main focus along the way. He is the main contact person for all technical matters related to our Revelock online fraud prevention solution, for both current and future customers, while also generating new business opportunities within the EMEA region and offering highly efficient solutions for the cybercrime-related challenges we face every single day.