Guide to authenticator types
This guide describes various authenticator types and provides examples and considerations for their use. It does not prescribe the use of any specific authenticator. Requirements for authenticators will be developed following the consultation period.
What do you think about the Guide to authenticator types?
The Guide to authenticator types is currently undergoing a consultation process. Your feedback is sought on this guide and the terminology it uses. In particular:
- completeness — are all current and foreseeable authenticator types covered?
- the text — do you have any comments on how the guide’s content could be improved?
- terms — have terms been defined sufficiently?
Authentication and authenticators
Authentication is a process by which a person, who has already enrolled with a service or organisation, is subsequently recognised on their return without having to fully repeat the enrolment process.
Authenticators are mechanisms used within an authentication process. They are things that an entity knows and/or possesses and controls, and uses to be recognised when returning to a service or organisation.
During an authentication process a person is challenged to respond to 1 or more of 3 types of authenticator:
- something you know
- something you have
- something you are.
Each of these authenticator types is known as an authentication factor.
Multi-factor authentication (MFA) is when 2 or more of these factors are required at the same time.
‘Something you know’-type authenticators are challenges based on information or patterns that you know or need to remember. Common examples are memorised secrets (such as personal identification numbers (PINs) and passwords), but they also include swipe patterns such as those used to unlock mobile phones.
A memorised secret is a secret value that is intended to be chosen by and memorable to a person. Memorised secrets are generally made of letters, words and/or numbers but other options that use pictures or patterns also exist.
Personal Identification Numbers (PINs), passwords, pass phrases, combinations (as used in combination locks) and pattern locks (swipe and picture based).
Memorised secrets are a common type of authenticator; however, they are often:
- forgotten, increasing administration costs
- shared with other people, inadvertently or deliberately
- written down
- guessed or surmised
- discovered by trying many possibilities or combinations.
A memorised secret obtained by another person does not stop the secret’s owner from continuing to use it. Therefore, unauthorised use may not be detected and could continue until the secret is changed.
Authentication processes that use memorised secrets are easy to deploy, as special equipment or software is not required.
Information (usually personal) assumed to be unknown by anyone other than the correct person and the challenger.
Pre-registered security questions (for example, name of first pet) or knowledge-based questions from information held (for example, last purchase made).
A person pre-registers several secret categories of thing — such as dogs, cars, boats and flowers. Each time they log into the website they are presented with a randomly generated grid of images with alphanumeric characters overlaid on it. The person looks for the pictures that fit their pre-chosen categories and enters the associated alphanumeric characters to form a single-use access code. This is a rare example of a shared secret.
The amount of available information that is neither public nor so obscure that the customer does not know the answer can be limited.
Unchangeable information (for example, mother’s maiden name) loses value when it becomes known.
Information that changes over time (for example, credit card limit, last transaction, pet’s name, favourite movie) is more difficult to remember.
The value of such information as an authenticator is degraded as more organisations collect it.
The information can often be easily discovered by an attacker through research or observation.
One-time passwords (OTPs)
One-time passwords are not strictly something that is known. They are generally part of a response step to a challenge against something a person possesses. Each password can only be used once and is distinct from any other password. This prevents some forms of identity theft by making sure a password cannot be used a second time.
Typically, the one-time password is used in conjunction with a user name and static password, and the one-time password changes with each logon. See:
Repeated or simple pattern passwords that allow access to a service during initial setup or after resetting, potentially to factory defaults.
A person is provided with an initial password (a one-time password), such as ‘Tuesday10’ or ‘Summer5’, on first-time registration or later as a password reset. Once the person has accessed the service for the first time they are prompted to change the initial password.
Where organisations use simple and/or repeated patterns as the initial password, they leave themselves open to attackers if a username is known or guessed (for example, where an email address is used as the username). The window of opportunity runs from the creation of the username until the user changes their password.
Something you have
‘Something you have’-type authenticators are challenges that test you are in possession of a unique physical object, such as a bank or access card or mobile phone. The test can be on the physical presence of the object itself, or a code or identifier that is linked to the object, such as a code sent by short message service (SMS) to a mobile device, or a code displayed on a hardware token.
Document or card
A physical document or card, often also containing information related to a person. It may include security features to reduce the likelihood that it could be tampered with or reproduced.
An access card, membership card, licence, or passport.
Without some other aspect to them (for example, an image of the holder or PIN), they can easily be used by a person other than the owner.
A lack of security features and/or the variety of documents and cards makes reliable detection of genuine items difficult without specialist training and scanning mechanisms.
Documents and cards often contain additional information not required for the purpose of authentication.
As with a document or card, it is now common for the possessed item to be a device.
Physical presentation of a mobile phone, RFID or NFC device.
Online interactions that can recognise the MAC address of a computer or mobile phone that has already been established as belonging to the owner.
Without some other aspect to them (for example, an image of the holder or PIN), they can easily be used by a person other than the owner.
Without additional security features it is possible for a copy to be presented.
A look-up code authenticator is a set of codes shared between the person and the challenger. The codes can be stored physically or electronically. A person uses the authenticator to look up the appropriate code needed to respond to a prompt from the challenger. Look-up codes are a type of OTP.
A person is provided with a grid card (sometimes called a ‘bingo’ or ‘battleship’ card) made up of letters and numbers laid out in rows and columns. On challenge they are given a grid reference and reply with the value at that position on the card.
A person is issued a list of codes, each of which can only be used once. Each time the person authenticates they use the next item on the list.
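The two look-up code variants just described, as an added example that is not part of this guide: the challenger issues a grid card and checks a random grid reference, and a sequential list of single-use codes is consumed in order so a code cannot be replayed. Card size, cell length and the code alphabet are assumptions.

```python
import secrets
import string

ALPHABET = string.ascii_uppercase + string.digits  # assumed character set
_rng = secrets.SystemRandom()


def make_grid_card(rows: int = 5, cols: int = 5, cell_len: int = 2) -> dict:
    """Issuer side: build a card as {(row_letter, column_number): value}.
    The challenger keeps this copy; the person receives it printed as a table."""
    return {(chr(ord("A") + r), c + 1): "".join(secrets.choice(ALPHABET) for _ in range(cell_len))
            for r in range(rows) for c in range(cols)}


def issue_grid_challenge(card: dict, n: int = 3) -> list:
    """Pick n distinct cell references at random. Only the references, never the
    values, are sent to the person, so an observer learns at most these cells."""
    return _rng.sample(sorted(card), n)


def verify_grid_response(card: dict, challenge: list, response: str) -> bool:
    """Concatenate the expected cell values and compare in constant time."""
    expected = "".join(card[ref] for ref in challenge)
    return secrets.compare_digest(expected.encode(), response.strip().upper().encode())


class CodeList:
    """Sequential single-use list: the person must present the next unused code.
    An accepted code is consumed (no replay) and an out-of-order code is rejected."""

    def __init__(self, codes):
        self._codes = list(codes)
        self._next = 0

    def remaining(self) -> int:
        return len(self._codes) - self._next

    def verify(self, submitted: str) -> bool:
        if self._next >= len(self._codes):
            return False  # list exhausted: a new list must be issued
        ok = secrets.compare_digest(self._codes[self._next].encode(), submitted.strip().encode())
        if ok:
            self._next += 1
        return ok


def issue_code_list(n: int = 10, length: int = 8) -> list:
    """Issuer side: n random single-use codes (constructed values)."""
    return ["".join(secrets.choice(ALPHABET) for _ in range(length)) for _ in range(n)]
```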
Challengers need to install compatible open source/standards based or proprietary software including the capability to manage grid-based mechanisms. For physical cards, secure processes are required to administer distribution, enrolment, replacement and deactivation.
Physical records have the same problems as written-down passwords — they may be copied or discovered and used without the person’s knowledge. Loss of the set of codes is equivalent to the loss of a memorised secret.
Some types of look-up codes need to be re-issued on a regular basis, especially if the codes are used frequently.
One-time code generators
A one-time code generator uses a secret initial value from which a mathematical function generates subsequent values on a device, either at fixed intervals (time-based) or on request (event-based). One-time code generators can be held on either a dedicated device (hardware token) or as software (software token) implemented on a non-dedicated device such as a mobile phone.
During authentication a person is challenged to show they maintain possession and control of the device by returning the current code to the challenger. Returning the code can include manually entering a displayed code, some other means of transmission from a dedicated device, or by directly or indirectly using the software involved in the authentication process on a non-dedicated device.
A person has a dedicated device (hardware token) that displays (potentially on the push of a button) a code that changes every 30 seconds, which must be entered into a field in addition to a username and password.
A person has a dedicated USB key that they insert into their computer. When a button is pushed on the key, an OTP is passed following the entry of a username and password.
Challengers need to install compatible open source/standards based or proprietary software including the capability to manage the cryptographic keys. For hardware tokens, secure processes are required to administer distribution, enrolment, replacement (especially for devices with an internal battery) and deactivation.
These are considered secure because they do not transmit data over a network.
A lost or broken hardware token could reduce the ability of a person to authenticate until it can be replaced. If stolen it is noticeable and action can be taken.
The devices can be shared, however unlike shared secrets, the legitimate owner gives up their ability to authenticate, which can act as a deterrent to sharing.
One-time code receivers
A one-time code receiver is a device that is uniquely addressable. The challenger can communicate securely with it by sending a code over a particular communications channel. The code is used via an authentication challenge to prove a person’s possession and control of the previously enrolled device.
The one-time code can be transmitted via a variety of communications channels, including SMS, a mobile app alert, an email, or automated voice call-back. The received code can be displayed on a device, read by the user or heard by the user. It can then be manually entered by the user, or directly or indirectly used by the software involved in the authentication process on a non-dedicated device. The one-time codes received typically have an expiry period.
During an authenticated online session, a one-time code is sent from the challenger to a previously registered mobile phone by SMS. The code is entered into the online session in order to complete the authentication process.
During an authentication, the challenger triggers an app alert to the user’s registered mobile application that is then used in this session.
A one-time password (for example, barcode or QR code) is displayed in the primary channel by the authentication process. This is then transferred to an out-of-band device for transmission to the challenger via a secondary channel.
The ability to use a particular communications channel is dependent on the person being able to access that channel option during the authentication session.
There will be advantages and disadvantages with any type of communication channel. There are also aspects to consider when the one-time code channel is distinct or not distinct from the authentication channel.
The design of some communication channels increases the likelihood of code interception (for example, store and forward design of email versus direct control of in-app alerts).
Some one-time code receivers (for example, smart phone or email inbox) may be shared by other parties.
The challenger needs to have the capability to initially enrol the channel and device, and manage subsequent changes and deactivation.
A procedure to authenticate by detecting presence at a distinct location.
A document that can only be accessed at a single location, where the procedure to grant access is based on detecting an authorised person at an entrance.
Controlling access to a website based on an IP address, as seen when a person is denied access to some YouTube content.
A person has a GPS locator in a phone or the phone is triangulated by cellular towers and this is used to grant access based on their presence at a specific location.
Effective use of location as an authenticator requires the ability to usefully separate a location from another and to determine a person’s proximity to that location. In doing so, also guard against any implication of location tracking outside the instance of authentication.
Something you are
‘Something you are’-type authenticators are challenges based on characteristics intrinsically linked to you and can be either biological (as with fingerprints) or behavioural (as with typing patterns). Automated authentication based on this factor is commonly called biometric recognition.
This involves making a physical comparison between a particular characteristic of a person and an image of that same characteristic.
A photograph, signature, or fingerprint.
Comparison is a subjective process, usually done using an image of insufficient size and detail for an accurate assessment to be made. Some characteristics require considerable training for comparison to be effective (for example, a fingerprint).
Biometric recognition relies on physical, behavioural or chemical characteristics of a person. An initial sample is collected from the person, features are extracted from it, and these are stored as a template.
In an authentication process, a new sample is taken, extraction made and the result compared against the original template.
Extracted features and templates are discrete subsets of a person’s original biometric characteristic.
Examples of characteristics — Physical (face, fingerprint or iris), behavioural (voice, keystroke, or gait), chemical (DNA, body odour, or body chemistry).
Examples of recognition systems – SmartGate passport control at airports, fingerprint sensor to unlock a device.
Biometric recognition systems are the most controversial authenticator types. They tend to be expensive, especially when full liveness testing is included. They are useful for their resistance to loss and cannot be easily lent.
Biometric comparison is probabilistic — it allows for false acceptance and false rejection. This is more likely to occur where anti-spoofing, degeneration and liveness checking are not included in the solution or where environmental factors impact the comparison.
Biometric characteristics are usually un-revocable if compromised (faces cannot be changed like passwords). While the extracted features (represented by a mathematical value, bespoke to the system it was created in) have a degree of security built into them, the original samples do not if they’re retained.
Biometric recognition is an evolving technology — stability, speed, accuracy and standards are still changing frequently.
Multi-factor authentication (MFA)
MFA is an authentication method that uses challenges and responses from 2 or more of the 3 types of authentication factor:
- something you know (for example, a password)
- something you have (for example, a smart phone)
- something you are (for example, a fingerprint).
Note: using 2 types of the same factor is not multi-factor authentication. For example, a password and personal information are both ‘something you know’, so using them together would still be single-factor authentication.
Accessing a bank account through an automatic teller machine (ATM): the PIN (something you know) and the ATM card (something you have).
Accessing a building where a guard checks your face against a stored image (something you are), you swipe an access card (something you have) and enter a 4-digit code (something you know).
Multi-factor authentication increases the ability to mitigate a wide range of threats to the authentication process.
However, multi-factor authentication systems increase the cost of authentication both to the organisation and to the people who need to use them. This cost may not be financial but could be in the form of convenience and usability.