IT Device Security
Authentication methods: choosing the right type
Recommended authentication models for organisations looking to move 'beyond passwords'.
1. Why go 'beyond passwords'?
2. Multi-factor authentication (MFA)
3. OAuth 2.0
5. Magic links and one time passwords
This guidance helps organisations to select an appropriate method to authenticate their customers who are accessing online services. It's intended for retailers, hospitality providers and utility services, but can be used by any organisation that needs to authenticate customers accessing online apps or websites. Adding any of the methods described here (i.e. in addition to password authentication) will significantly increase the security of your customer accounts.
There are several authentication methods that provide security that goes 'beyond passwords'. This guidance summarises the benefits and limitations of each method, so you can choose the one that's most appropriate for your organisation - and your customers. It also provides links to more detailed NCSC guidance on each of the authentication methods.
Why go 'beyond passwords'?
Bill Gates predicted the death of the password nearly 20 years ago. Many assumed that alternative methods would replace them, but passwords remain the default method of authentication for a huge range of services, both at work and home. Password authentication is cheap, easy to implement, and understood by users. Password use continues to rise, mostly due to the adoption of online services and the massive growth in use of personal computers, smartphones and tablets.
Since the average user has so many online accounts, creating different passwords for all of them (and remembering them) is hard. Inevitably, users will devise their own strategies to cope with 'password overload'. This includes using predictable patterns to create passwords, or re-using the same password across different systems. Attackers exploit these well-known coping strategies, leaving your customers and your organisation vulnerable.
Research from Google found 52% of passwords are reused across accounts.
Data from FIDO indicates that passwords are the root cause for over 80% of breaches.
It also makes good business sense to introduce additional authentication methods. Some estimates suggest that as many as a quarter of online purchases are abandoned due to forgotten passwords, as recovering passwords (or creating new accounts) can be a time-consuming process and will put off many potential customers.
How does additional authentication help?
Passwords can be stolen in a number of ways, but the most common way is when an organisation holding account details suffers a data breach. Criminals will use passwords stolen in the breach to try and access other accounts, a technique known as 'credential stuffing'. It works because many people use the same password for different accounts.
Criminals may also use phishing techniques (either by email, text message or direct messages/chat) to try and access accounts, or simply try the really obvious passwords that millions of people still use.
Regardless of how passwords are acquired, unless you implement an additional method of authentication, criminals can use stolen credentials to access users' accounts fraudulently. This might give them access to sensitive personal data (including financial data such as credit card details), or allow them to impersonate a user to carry out harmful actions. Adding an additional method of authentication for customer accounts makes it much more difficult for a criminal to do harm.