Online Authentication: Time for a New Dawn?

September 27, 2015

Chances are you can’t use an online system without providing some sort of proof that you are who you are. In fact, you’d be hard pressed to buy something online or through an application on your phone without at some point entering several unique identifiers.

Maybe you’re asked for your mother’s maiden name, or a code of random numbers that was texted to your mobile device. Giving this information is a message that tells the system “I am who I say I am,” thus granting you access to what you’re trying to access.  


Image from PC Magazine

If proving your identity to the phone you’re holding in your hand seems silly, it’s important to remember these security measures serve a purpose. Fraud through online channels is a huge problem, especially when it happens through mobile devices. It costs businesses money and both businesses and customers headache.

A lot of online systems use multiple measures of authentication to improve security. This is called multi-factor authentication. One simple example of this is using an ATM. First, you prove that you have the debit card by inserting it into the machine. Then, you provide an extra layer of security by entering a unique PIN.

ATM (1).jpg

Image from

Currently, websites and applications use three main types of authentication to protect against online fraud:

  1. Something you know

This category includes giving information that only the true account user would know. This includes passwords or security questions, such as the mother’s maiden name question. The idea behind this is that a fraudulent user would not have access to this personal information and thus would not be able to access the account.

  1. Something you have

Another approach to increasing online security is to ask the user to verify their identity by providing something they have, such as security tokens or text message verification. This proves you are actually holding the device being used to access an account.

  1. Something you are

The third category is based on behavior. Who you are, including how you look and how you act, is something unique to you and, in theory, cannot be replicated by a fraudulent user. This approach includes biometric measures such as voice, face, and fingerprint recognition, in addition to measures of behavior.

How has online authentication evolved? In the beginning, e-commerce businesses realized they needed a form of security to protect them from the scary open-access Internet. They came up with basic HTTP authentication, which made users enter a username and password. This was a good start, but websites wanted more customization, as the authentication page looked the same for every website.

Computer-diagram.pngHow basic HTTP authentication works. Image from

Then came customized form-based authentication, which most websites use today. This prompts the user for a username and password, much like the basic authentication. For every correct sign-in, the web browser sends a cookie back to the server. Both basic and form-based authentication use encryption to provide a secure link between the client and server.

Most websites still use password authentication, something the user knows. There are other options, though. One option is to use a one-time password generated by an app, sent to your phone as a text message, or in the form of an electronic gadget called a security token. This option followed the development of form-based authentication.

security_tokens_2015_02.jpgImage from Computer Weekly

The problem with the first two methods of authentication (something you know or have) are they are less secure than other possible measures. Passwords can be easily stolen. A malicious person may intercept a text verification. These options also affect user experience, as their online experience is interrupted by requests for information.

Methods of authentication that involve the third category, “something you are,” are more secure and user-friendly because validation is based within the user himself. These methods have taken off over the past five years. Interestingly, biometric methods may be some of the oldest methods of authentication.

Research shows handprints and fingerprints from 500 B.C. were used to authenticate business transactions. For ages, people have used facial characteristics to distinguish between people. In 1896, fingerprints were developed as a way to verify prisoners' identities. In the 1960s, facial recognition systems were developed. Both became progressively more automated over time.

Fast forward to 2013, when Apple released Touch ID on their smartphones. This enabled users to do many things, including unlock their phone and authenticate Apple Pay, Apple’s mobile wallet application, with the touch of a finger. Not only must the user be holding the phone, they must have the correct fingerprint.

Apple-Touch-ID-Fingerprint.jpgApple Touch ID. Image from

Compared to traditional methods like passwords, translating biometrics to the online world proves more difficult. Biometric measures sound like a great idea, but they often have significant problems associated with them.

Fingerprint sensors can experience glitches in certain environmental conditions, for example, when exposed moisture or dirt. The same goes for voice recognition when the user is in a noisy environment. These methods also require specific hardware, such as sensitive scanners.

There is the possibility that the stored biometric measure, such as a voiceprint, can be stolen exactly like a password can. In many ways, a biometric measurement like a fingerprint is just another type of password. It requires users give personal information while taking the time to validate their identities.

VoiceRecognitionPic.pngVoice recognition. Image from

It’s obvious traditional methods of online authentication are not enough in today’s world. Hackers are getting better at hacking and security measures are largely the same, as many websites still use passwords as their form of authentication. Also, users frequently use “forgot password” because they have so many accounts with different passwords, it’s impossible to remember them all.

A possible answer to the authentication question is to take advantage of users’ inherent behavior, another “something you are” method. Current mobile devices are equipped with sensors that can give data on the user, such as finger pressure or fingerprint size. This can be used for authentication purposes.

The key to this method is that many measures are used to create a behavioral profile of the user. In the instance of fraudulent users, behavior would be different and the system would prevent them from accessing the account. This provides a high level of security with no interference to the user.

You’ve seen the history of online authentication in this article, now it’s time to look toward the future.




Recent Posts

4 Reasons to Prioritize Mobile Fraud Prevention in 2021
Peak Season 2020: Account Takeover is Here to Stay and Other Takeaways
It's Time We Confront These Common Myths About Behavioral Biometrics
[Infographic] Breaking Down the Fraud Flow of Account Takeover
Emulator Fraud-as-a-Service: The Threat Landscape Continues to Evolve

Follow Us