7 July 2022

User Authentication: Are You Future-Ready?

In a rapidly shifting landscape, the challenges of securing your digital identity (authenticating and verifying it) are growing as fast as global Internet usage. What are these challenges, why do they exist, how can they be overcome, and why should you care? Whether you're an end user or responsible for your business's authentication solutions, there's a change coming.

Sergei Zamsharski, Head of Product Management at LeverID (part of the Levercode technology think-tank), is a seasoned professional in the digital identity landscape and answers these questions below.

What is ‘authentication’ and what is it for?

"Authentication is the process of identifying a user requesting access to a particular system. We do this every day when we use our online bank, or check our email, using one of several authentication methods. It's become our daily routine, the security of which we don't think much about; rather, we trust the system and hope that it'll do everything it needs to for us.

This was especially true during Covid-19, when many employees switched to WFH, which affected the overall security of the information to which employees have access. This is because the user adopts a less secure authentication method or doesn't follow the mantra everyone should follow: change your passwords at least once every 3 months - oh, and definitely don't use the same one everywhere! (more on that below…)

The three most popular authentication methods

Because hacking systems become smarter with each iteration, systems and portals impose increasingly strict authentication rules in order to protect themselves and their users. Several of these are described below.

1. Password-based authentication

The most popular way to log in has been, and will probably remain for the near future, a username (usually your email address) and a password. Many systems impose complicated password requirements, forcing us to create longer passwords with special characters. However, such passwords are difficult to remember. It's likely that each of us has used the "I forgot my password!" link at least once (been there, done that, learned the lesson!)

Passwords are also at risk of being compromised, for example by being obtained fraudulently. According to statistics, the average user has in excess of 25 accounts and only 54% use different passwords (which explains my lesson-learned remark - I'm pushing that stat to 55%.)

One convenient way to manage all these accounts has been to use password holders, which are available on the Internet, but password holders are even more at risk of attack, and it's not wise to blindly trust password storage in the cloud (I don’t!)

2. Multi-factor authentication

Multi-factor authentication uses several methods or devices to identify a person. For example, after logging in with a password, you might need to enter an additional one-off code that you receive via SMS or generate with your phone's random-number-generator app, which in turn just extends the time it takes to log in...

This authentication method is used quite often on the Internet; for example, Google, Facebook and Binance all use multi-factor authentication. Estonian banks in the past also used PIN calculators or code cards as an additional means of protection. The end result is a clunky UX - so, whilst it increases the security factor for me as an industry insider, it inevitably increases the inconvenience factor for me as a user! (I'd prefer a more convenient but equally secure solution...)

3. Certificate-based authentication

Here, users identify themselves by presenting a digital certificate, generated after successfully completing a verification procedure using e.g. a passport, ID card or driver's license. This method of authentication is still most commonly used in critical systems, such as public services, banks and the financial sector; pretty much any place where security requirements are very high.

The principal benefit here for the user is how easily this authentication method is applied; only two PINs need to be remembered - one for authentication and the other for signing (this makes my life a lot easier, no messy passwords to remember!)

A digital certificate contains a digital identity, plus public keys that not only allow you to log in to the system, but also to sign a document that is the legal equivalent of a handwritten signature. These certificates are issued only by a recognised, official certification body.

These certification systems can be sub-divided into three groups:

ID card: This was the very first authentication method released in Estonia. The private key of the certificate is on the ID card's chip itself, and an ID reader device must be used in order to access it. Again, from the UX perspective this isn't very convenient for everyday use, when you need to log into the system repeatedly.

Mobile ID: This is a solution where the private key is already on your phone's SIM card. Given that a reader of some sort is needed when using an ID card, a mobile phone is a good enough way of solving that need. The disadvantage is the inconvenience experienced at the beginning of such a service; a separate agreement with the mobile operator is required and incurs a nominal monthly fee (but it's still easier overall than using an ID card reader each and every time!)

Certificate in mobile app: This type of authentication replaces the previous two due to its simplicity, convenience, security and scalability (crucial in an increasingly mobile-device-centric world), and is rightly and rapidly becoming the standard for its segment. The private key is stored on the phone's chip itself, independent of the mobile operator's services. There are currently two solutions in Estonia that use this type of authentication, namely 'Smart-ID' and the new LeverID solution. Companies use HSMs (Hardware Security Modules) in their solutions, as well as various encryption methods: Smart-ID uses an older RSA-based technique, whereas LeverID has adopted the more advanced 'EdDSA', which runs more quickly and produces shorter, and simultaneously more secure, keys. This is because we created unique and patent-pending DualKey™ technology for more robust key generation. In addition, our solution is truly scalable globally - it can be used in any country in the world that issues unique, individual and numbered identity documents, e.g. a passport.

What next for the industry?

With the rapid growth of Internet use, especially mobile-centric access, individuals and organisations alike are increasingly at risk of losing data and assets, so users need to think about their own security when choosing a secure environment - and it's high time companies thought about moving from password-based authentication to more secure technologies like ours!

We anticipate that certificate-based authentication, especially the mobile version of the application, or cloud services, will dominate the market in the coming years as the most secure way to identify the user - and for the user to have full trust in the e-services they’re logging into.

In recent years, the European Union has introduced increasingly stringent data retention rules, such as GDPR, and we now also have 'eIDAS', a body which regulates the identity and transaction market. With the advent of 'eIDAS 2.0', the European Union is aiming to move more than 80% of European citizens over to using digital wallets (mobile applications or cloud services that receive and store user credentials). Thus, the revolution in certificate-based authentication will only accelerate over the next 3 to 5 years, applying both pressure on, and creating opportunity for, leading industry providers.

LeverID had anticipated this coming shift and is now already at the forefront of that [r]evolution. As its Head of Product Management, I’m immensely proud of the impact we’ll have on our industry - precisely because we designed it to!"

Sergei Zamsharski, Head of Product Management, LeverID.
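The two mechanisms the interview contrasts, the one-off code from an authenticator app (method 2) and a private key that stays on the device and signs a server challenge (method 3), are shown below in working Go. This is an added editorial example, not code from LeverID, Smart-ID or the interviewee, and it assumes the Go standard library's Ed25519 in place of any vendor scheme (DualKey is not modelled), the RFC 6238 reference seed as a constructed secret, an in-memory nonce table standing in for a real store, and an "auth-challenge:" prefix that is this example's own convention.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"time"
)

// Method 2 in the interview, the authenticator-app code: RFC 6238 (HMAC-SHA1, 30-second
// steps). The phone computes it from its enrolment seed; the server recomputes it to check.
func totp(secret []byte, unixTime int64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(unixTime/30))
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	offset := int(h[len(h)-1] & 0x0f) // RFC 4226 dynamic truncation
	code := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// verifyTOTP allows one step of clock skew either side and compares in constant
// time, so a wrong guess does not leak how many leading digits were right.
func verifyTOTP(secret []byte, code string, now int64) bool {
	ok := false
	for _, skew := range []int64{-30, 0, 30} {
		if hmac.Equal([]byte(totp(secret, now+skew, 6)), []byte(code)) {
			ok = true
		}
	}
	return ok
}

// Method 3 in the interview, certificate-based challenge-response. device stands in
// for the phone app or ID-card chip that holds the private key and never releases it.
type device struct{ priv ed25519.PrivateKey }

// relyingParty is the service being logged into. It holds only the public key
// (in practice taken from the user's certificate) and the nonces it has issued.
type relyingParty struct {
	pub    ed25519.PublicKey
	issued map[string]bool // outstanding nonces; each is accepted at most once
}

// enrol models certificate issuance: key pair created on the device, public half
// registered with the service.
func enrol() (*device, *relyingParty, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &device{priv: priv}, &relyingParty{pub: pub, issued: map[string]bool{}}, nil
}

// challenge issues a fresh 256-bit nonce; signing something the server chose is
// what stops a recorded login from being replayed later.
func (rp *relyingParty) challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	rp.issued[string(nonce)] = true
	return nonce, nil
}

// authMessage domain-separates login signatures from document signatures, so a captured
// login response can't be passed off as a signed document (the prefix is this example's own).
func authMessage(nonce []byte) []byte { return append([]byte("auth-challenge:"), nonce...) }

// respond is the only operation the device performs: sign the challenge.
func (d *device) respond(nonce []byte) []byte { return ed25519.Sign(d.priv, authMessage(nonce)) }

// verify accepts a response once, and only for a nonce this server issued.
func (rp *relyingParty) verify(nonce, sig []byte) bool {
	if !rp.issued[string(nonce)] {
		return false
	}
	delete(rp.issued, string(nonce)) // burn the nonce first, so a replay fails even with a valid signature
	return ed25519.Verify(rp.pub, authMessage(nonce), sig)
}

func main() {
	seed := []byte("12345678901234567890") // constructed: the RFC 6238 reference seed, not a real enrolment
	now := time.Now().Unix()
	code := totp(seed, now, 6)
	fmt.Println("TOTP:", code, "accepted:", verifyTOTP(seed, code, now))
	dev, rp, _ := enrol()
	nonce, _ := rp.challenge()
	sig := dev.respond(nonce)
	fmt.Println("login:", rp.verify(nonce, sig), "replay:", rp.verify(nonce, sig))
}
```

The two halves differ in exactly the way the interview argues: the TOTP seed is a shared secret, so the server holds everything needed to mint codes and a phished code is valid for the rest of its time step, whereas in the challenge-response flow the server holds only a public key, every login signs a value it chose itself, and a captured response is useless once its nonce has been burned. The skew window and the constant-time compare are the two details most often missing from home-grown TOTP verifiers.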
