When you attempt to access a system, network, or resource, it is critical that the platform verifies your identity to prevent unauthorized access to your personal data. This procedure is called authentication.
The evidence users need to provide to complete the authentication process may come in various forms and quantities: be it a password, a fingerprint, a combination of the two, or something completely different. However, though there is a wide selection of common authentication methods, not all are equally beneficial for end-users' safety.
With ZITADEL as your Identity and Access Management (IAM) solution, your end-users have the option to enable any of our available authentication methods: FIDO Universal 2nd Factor (U2F), FIDO2 Passkeys, Mobile Transaction Authentication Numbers (mTAN), Mobile One-Time-Passwords (OTP) and Password-based authentication. To help you weigh each method's pros and cons, this article describes each process in greater detail.
Here are ZITADEL's five implementable authentication methods ranked from worst to best regarding security and user experience (UX).
Authentication Methods - Worst to Best
5. Password-based Authentication
Unsurprisingly, the title of the lowest-ranking entry on our list has to go to the most infamous form of authentication in the book: passwords.
Since their inception in the 1960s, passwords have been a standardized practice in validating our digital identities. Their invention has not only brought the concept of authentication to light but also that of cybersecurity itself.
However revolutionary passwords might have been for cybersecurity, the rapid evolution of technical knowledge amongst the public also opened the door for more and more cybercriminals who take advantage of the simplicity of this authentication method. As a response to these new cyberattacks, the notion of password hygiene has emerged: More and more platforms started urging their users to make their passwords more complex and to change them periodically.
As of the 2020s, any password that does not include at least one uppercase letter, one number, one symbol, and a total of 9 characters can be cracked within a maximum of three days. While setting up a long and convoluted password might solve the guessability issue, it simultaneously defeats the original purpose of passwords: being easy to recall. Moreover, even the most complex passwords are vulnerable to other cyberattacks, such as brute-force attacks and social engineering.
4. One-Time-Passwords (OTP) mTAN
One-time passwords (OTPs) (also known as One-time codes) are a type of authentication in which a unique password is generated for each login attempt and, as the name suggests, can only be used once. Since OTPs are commonly used as a second factor in two-factor authentication (2FA) or multi-factor authentication (MFA) systems, most of us have likely already encountered this method of authentication in practice.
Mobile Transaction Authentication Number (mTAN) is an off-device method of generating one-time passwords (OTPs) specifically created for financial transactions. It is commonly employed by banks as an additional layer of protection to verify the identity of the person attempting to initiate a payment.
At the start of the transaction process, a TAN (a single-use code of 6-8 characters) is generated and sent to the user's mobile phone via SMS or a dedicated banking app. This TAN must then be supplied on the transaction page to validate the payment attempt. Thus, even if a cybercriminal gets their hands on your password, they still won't be able to conduct payments on your behalf without this additional verification code.
While mTAN offers robust protection against identity theft and fraudulent transactions, it still ranks low on our list due to its vulnerability to various forms of 2FA bypass attacks (such as SIM-jacking and social engineering), as well as its inconvenient user experience. To mitigate some of the security concerns around mTAN, ZITADEL chose not to support SMS-reliant OTPs - instead, with the upcoming login API, your login flow can be extended easily with external 2FA providers that offer SMS TAN.
3. One-Time-Passwords (OTP) Mobile
Mobile OTPs operate very similarly to the previously mentioned mTAN authentication method. Like TAN codes, Mobile OTPs are single-use, off-device numeric codes typically used as an additional authentication factor to ensure a safer login process. The main differences are that this method is not explicitly intended for financial transactions and that the OTP is generated in an authentication application of the user's choice (e.g. Authy or Google Authenticator).
Take signing into a social media account as an example. With Mobile OTP enabled on your profile, you will be prompted to navigate to your authentication app after you enter your login credentials. The app will display a 6-digit code (the OTP) which must be entered on the social media login page as part of the secondary authentication process. Akin to the case of mTAN, the requirement of an additional OTP safeguards your profile from unwanted access, even if your password might have been compromised. Moreover, the code refreshes after a short amount of time (30-60s), making the old one automatically useless after its expiration.
Despite their many similarities, mobile OTP typically surpasses mTAN in terms of safety, because the code is generated on the user’s device and does not rely on a SIM card. Accordingly, a potential SIM-jacking attack will still not get the attacker closer to accessing the user’s account. Despite this perk, mobile OTP is still susceptible to the Duplicate-Generator attack, as well as social engineering attacks (e.g. phishing).
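To make the mobile OTP mechanism concrete, here is an added example (not code from the original article or from ZITADEL) of the TOTP algorithm from RFC 6238 that authenticator apps implement: HMAC-SHA1 over a 30-second time counter, dynamically truncated to a 6- or 8-digit code. The generator runs entirely from a shared secret provisioned at enrollment, which is why a SIM swap gains an attacker nothing, and the verifier accepts only the current time step and one step on either side, which is why a code that leaks is useless within about a minute. The key bytes are the RFC 6238 test-vector key; the timestamps in main are constructed for the demo.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"math"
)

// totpAt computes an RFC 6238 TOTP (HMAC-SHA1, 30-second step) for the shared
// secret at the given Unix time. The secret is the raw key provisioned into
// the authenticator app at enrollment; it never travels over the network.
func totpAt(secret []byte, unixTime int64, digits int) string {
	counter := uint64(unixTime / 30)
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	// Dynamic truncation (RFC 4226 section 5.3): the low nibble of the last
	// byte selects a 4-byte window, whose top bit is masked off.
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%0*d", digits, code%uint32(math.Pow10(digits)))
}

// verifyTOTP checks a submitted code against the current step and one step on
// either side to tolerate clock drift. Anything older is rejected, so a code
// observed by an attacker expires on its own after the window passes.
func verifyTOTP(secret []byte, submitted string, now int64, digits int) bool {
	for skew := int64(-1); skew <= 1; skew++ {
		expected := totpAt(secret, now+skew*30, digits)
		if subtle.ConstantTimeCompare([]byte(expected), []byte(submitted)) == 1 {
			return true
		}
	}
	return false
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 test-vector key; real secrets are random
	fmt.Println(totpAt(secret, 59, 8))         // 94287082 (RFC 6238 vector)
	now := int64(1700000000)                   // constructed timestamp for the demo
	code := totpAt(secret, now, 6)
	fmt.Println(verifyTOTP(secret, code, now, 6))     // true
	fmt.Println(verifyTOTP(secret, code, now+120, 6)) // false: the code has expired
}
```

A production verifier would additionally remember the last accepted time step per user so that a code cannot be replayed within its own window, and would rate-limit attempts, since a 6-digit space is small.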
2. FIDO Universal 2nd Factor (U2F)
FIDO (Fast Identity Online) describes a set of open protocols based on public key cryptography. It was developed by the FIDO Alliance, consisting of technology giants such as Google, Visa and Microsoft, to create convenient but highly secure standards for authentication. As a groundbreaking domain- and hardware-bound open solution, FIDO has established itself as a widely used and highly recommended identity and access management (IAM) practice. Since its founding in 2012, the FIDO Alliance has published three specifications: Universal 2nd Factor (U2F), Universal Authentication Framework (UAF), and FIDO2.
The U2F protocol was designed to be used as a second-factor token-based authentication system in addition to the first factor (the user's password) to enhance the security of the traditional password-based login method. Accordingly, U2F prompts users to present two pieces of evidence to validate their identity:
- A knowledge factor: The user's password or PIN
- A possession factor: Security devices known as U2F tokens that can be embodied in various form factors, such as a USB device (e.g. YubiKey), a Near Field Communication (NFC) device, or a Bluetooth LE device.
With U2F's extra layer of security added to the authentication process, the service can simplify its passwords without compromising security. Furthermore, its reliance on public key cryptography and physical security keys makes it far safer and less vulnerable to 2FA bypass attempts than the previously stated OTP-based approaches.
Evidently, even the earlier FIDO specifications (such as U2F) can already be considered highly innovative and secure (especially compared to traditional login methods). However, the constant evolution of security standards inevitably led to the need for a newer protocol that carries on the benefits of its predecessors while also bringing new advancements (such as better UX). This is where FIDO2 comes into play.
1. FIDO2 Passkeys
FIDO2 (aka FIDO 2.0) is the latest set of specifications published by FIDO, with the primary pursuit of entirely eradicating password use on the internet. Ever since its release, FIDO2 has been widely supported by technological giants such as Google, Microsoft and Apple. Unlike previous specifications, this new protocol comprises the W3C Web Authentication (WebAuthn) specification and corresponding Client-to-Authenticator Protocols (CTAP) from the FIDO Alliance. This innovative collaboration provides users with passwordless, second-factor and multi-factor user experiences with embedded (such as biometric authentication or PINs) or external authenticators (such as physical security keys, mobile devices, wearables, etc.).
The release of FIDO2 also marked the introduction of Passkeys - passwordless credentials that allow users to access their FIDO sign-in information across multiple devices, including new ones, without needing to enroll each device separately for every account. FIDO2's WebAuthn API standardizes passkeys, and libraries for using them exist for both the front end and the back end.
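The "public key cryptography" and "domain-bound" properties behind U2F and FIDO2 (the sections above on U2F and on WebAuthn) are what make these credentials resistant to phishing. The following is an added example, not code from the article, from ZITADEL or from the FIDO Alliance: a deliberately simplified Go model of a WebAuthn assertion. The relying party stores only a public key; the authenticator signs authData || SHA-256(clientDataJSON), and the browser, not the web page, records the requesting origin in clientDataJSON, so a look-alike site cannot obtain a signature that verifies for the real site. The type and function names, the rpID "example.com", the origins, and the omission of attestation, signature counters, user-presence flags and CBOR encoding are all assumptions made for this example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData holds the CollectedClientData fields used here; the browser fills in Origin.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// assertion is the login response the relying party receives.
type assertion struct {
	authData       []byte // first 32 bytes: SHA-256 of the rpID (rpIdHash)
	clientDataJSON []byte
	signature      []byte // ECDSA over authData || SHA-256(clientDataJSON)
}

// authenticator models a FIDO credential: a private key bound to one relying party.
type authenticator struct {
	rpID string
	priv *ecdsa.PrivateKey
}

// relyingParty is the server: the registered public key plus unanswered challenges.
type relyingParty struct {
	rpID, origin string
	pub          *ecdsa.PublicKey
	challenges   map[string]bool
}

// register creates a key pair on the authenticator; only the public half reaches the server.
func register(rpID, origin string) (*authenticator, *relyingParty, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	rp := &relyingParty{rpID: rpID, origin: origin, pub: &priv.PublicKey, challenges: map[string]bool{}}
	return &authenticator{rpID: rpID, priv: priv}, rp, nil
}

// newChallenge issues a random, single-use challenge for one login attempt.
func (rp *relyingParty) newChallenge() string {
	b := make([]byte, 32)
	rand.Read(b)
	c := base64.RawURLEncoding.EncodeToString(b)
	rp.challenges[c] = true
	return c
}

// signedMessage is the digest WebAuthn signs: SHA-256(authData || SHA-256(clientDataJSON)).
func signedMessage(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return msg[:]
}

// sign models browser plus authenticator; origin is whatever page actually asked.
func (a *authenticator) sign(challenge, origin string) (assertion, error) {
	cd, err := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	if err != nil {
		return assertion{}, err
	}
	rpHash := sha256.Sum256([]byte(a.rpID))
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedMessage(rpHash[:], cd))
	return assertion{authData: rpHash[:], clientDataJSON: cd, signature: sig}, err
}

// verify: known challenge (burned on first use), our origin, matching rpIdHash, valid signature.
func (rp *relyingParty) verify(as assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.clientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || !rp.challenges[cd.Challenge] {
		return errors.New("wrong type or unknown/already used challenge")
	}
	delete(rp.challenges, cd.Challenge) // any answer, valid or not, consumes the challenge
	if cd.Origin != rp.origin {
		return fmt.Errorf("origin %q is not %q", cd.Origin, rp.origin)
	}
	want := sha256.Sum256([]byte(rp.rpID))
	if len(as.authData) < 32 || !bytes.Equal(as.authData[:32], want[:]) {
		return errors.New("rpIdHash mismatch")
	}
	if !ecdsa.VerifyASN1(rp.pub, signedMessage(as.authData, as.clientDataJSON), as.signature) {
		return errors.New("invalid signature")
	}
	return nil
}
```

The flow is register, newChallenge, sign, verify. A genuine login verifies; presenting the same assertion twice fails because the challenge was consumed; an assertion produced for a phishing origin fails the origin check even though it was signed by the real key, which is the property that OTP codes cannot offer.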
As the highest-rated entry on our list, FIDO2 Passkeys surpass every other authentication technique available on ZITADEL both in terms of security and UX. To sum up why, here are some of the key reasons why users should enable FIDO2 Passkeys as their preferred authentication method:
- Passwordless systems are less susceptible to phishing and other cyberattacks due to their complete waiver of passwords.
- Login via Passkeys is less time-consuming and does not rely on the user's memory.
- WebAuthn provides FIDO2 with a standardized framework that improves compatibility and ensures consistent security practices across different platforms.
- Passkeys ensure a fast and convenient recovery process by allowing users to enroll and de-enroll devices via their service provider's cloud backup.
- Passkeys enable users to authenticate seamlessly across different vendor platforms, ensuring a convenient UX and cost-effectiveness.
The main goal of the Identity and Access Management (IAM) solution ZITADEL is to ensure that the end-users of your application can verify their virtual identities in the safest and most convenient way possible. To make this goal a reality, we highly recommend that they either set up a FIDO U2F token or a FIDO2 Passkey as their preferred authentication method.