Mobile Authentication for Identity and Access Management
Identity and Access Management (IAM) refers to managing the identities of users and regulating their access to the different services within an organization. IAM systems such as WSO2 Identity Server are built around authenticators, components that perform three tasks: identifying the user, authenticating that user through a selected mechanism, and authorizing the authentication request according to the configured policy.
Many methods can be used to authenticate users through an IAM system. An authenticator relies on one or more of three factors, “something you know”, “something you have” and “something you are”, to confirm the identity of a user. Popular authentication mechanisms include basic authentication, which takes a username and a password; multi-factor methods such as one-time passwords; passwordless authenticators such as FIDO; federated authenticators, which let a user log in with their Google, Facebook or other external account; and many others. These authenticators can be combined to design advanced authentication flows such as Multi-Factor Authentication and adaptive authentication, which raises the security of user accounts while keeping the login experience pleasant.
While an IAM system offers many kinds of authenticators, some of the most popular ones for building strong authentication flows rely on a mobile device such as a smartphone. In this article, I’ll be covering some of the authenticators that work this way.
1. SMS OTP and Email OTP Authenticator
To start the list we’ll look at one of the most basic authentication mechanisms that uses a mobile device: One-Time Passwords (OTPs). This method does not need a dedicated app. The server generates a code of 4 or more characters and sends it to the user by SMS or email, and the user enters the received code on the login page to complete the authentication. The OTP is typically valid for around 5 minutes and can be used only once; if it expires, a new OTP has to be requested. Because the code travels over SMS or email, the strength of this method depends on those channels: a SIM-swap attack or a compromised mailbox lets an attacker receive the code, which is why the methods later in this list are generally preferred where they are available.
SMS OTP and Email OTP work in the same way and differ only in how the code is delivered. An SMS OTP is sent to the mobile number registered for the account. An Email OTP is sent to the user's registered email address, which can be read either through a mobile app or a web browser.
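The server-side bookkeeping behind an SMS or Email OTP is easy to get wrong (codes kept in plaintext, codes that never expire, codes that can be replayed or guessed). The following is an added example in Python, not code from the original article or from WSO2 Identity Server, that issues a random code, stores only a hash of it, enforces the roughly 5-minute validity and single use described above, and discards the code after a bounded number of wrong guesses. The user id, the injectable clock and the FakeClock class are constructed for the demonstration; sending the actual SMS or email is left to a messaging gateway and is out of scope.

```python
import hashlib
import hmac
import secrets
import time

OTP_LENGTH = 6          # digits in the code sent to the user
OTP_TTL_SECONDS = 300   # roughly 5 minutes, as described above
MAX_ATTEMPTS = 5        # wrong guesses allowed before the code is discarded


def _digest(user_id: str, code: str) -> str:
    # Only a hash of the code is kept server-side, so a leaked table does not expose live codes.
    return hashlib.sha256(f"{user_id}:{code}".encode()).hexdigest()


class OtpStore:
    """Server-side bookkeeping for SMS/Email OTPs: issue a code, then verify it once within the TTL.

    Delivery (the actual SMS or email) is out of scope; `issue` just returns the code
    the server would hand to the messaging gateway.
    """

    def __init__(self, clock=time.time):
        self._pending = {}   # user_id -> [code_digest, expires_at, wrong_attempts]
        self._clock = clock  # injectable so expiry can be exercised without sleeping

    def issue(self, user_id: str) -> str:
        code = "".join(secrets.choice("0123456789") for _ in range(OTP_LENGTH))
        self._pending[user_id] = [_digest(user_id, code), self._clock() + OTP_TTL_SECONDS, 0]
        return code

    def verify(self, user_id: str, submitted: str) -> bool:
        record = self._pending.get(user_id)
        if record is None:
            return False                     # nothing issued, already used, or already discarded
        digest, expires_at, attempts = record
        if self._clock() > expires_at or attempts >= MAX_ATTEMPTS:
            del self._pending[user_id]       # expired or locked: the user must request a new code
            return False
        if hmac.compare_digest(digest, _digest(user_id, submitted)):
            del self._pending[user_id]       # single use: a correct code is consumed immediately
            return True
        record[2] += 1                       # count the miss; guesses are bounded by MAX_ATTEMPTS
        return False


class FakeClock:
    """Constructed clock for the demonstration; advance `now` to simulate the passage of time."""

    def __init__(self, now: float = 1_700_000_000.0):
        self.now = now

    def __call__(self) -> float:
        return self.now


if __name__ == "__main__":
    clock = FakeClock()
    store = OtpStore(clock=clock)
    code = store.issue("alice")                                   # constructed user id
    print("verify correct code:", store.verify("alice", code))    # True
    print("replay same code:   ", store.verify("alice", code))    # False
    code = store.issue("alice")
    clock.now += OTP_TTL_SECONDS + 1
    print("after expiry:       ", store.verify("alice", code))    # False
```

The attempt counter matters more than it looks: a 6-digit code with a 5-minute window is only a million possibilities, so without a cap on wrong guesses an online attacker can simply enumerate it.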
2. TOTP Authenticator
TOTP, which stands for Time-based One-Time Password, is a popular 2nd-factor authenticator found in many IAM systems.
Functionally similar to SMS OTP and Email OTP, TOTP uses a mobile application to present the code to the user. Unlike those methods, no code is sent to the device: at enrollment the app and the server share a secret key (usually by scanning a QR code), and both compute the code from that secret and the current time, as specified in RFC 6238. In contrast to the 5-minute validity of SMS and Email OTPs, a TOTP is displayed for only around 30 seconds. Once that time step passes, a new TOTP is automatically generated and shown in the app. The user enters the current code at the login page to complete the authentication request.
WSO2 Identity Server offers TOTP as an authentication mechanism, and the user can enroll a 3rd-party app such as Google Authenticator to generate the codes. TOTP is a highly recommended authenticator because it provides an additional level of security compared to SMS and Email OTP: the code is computed on the device rather than delivered to it, so it is not exposed to interception of the SMS or email channel. On the server side, the verification should tolerate a small clock skew (usually one time step either way) and must reject a code that has already been accepted for the same time step.
3. Push-Based Authenticator
One of the more convenient 2nd-factor authentication mechanisms, and one that has grown in popularity in recent times, is push-based authentication. The authenticator uses a mobile app that receives the authentication request as a push notification. The user simply responds in the app to approve or deny the login request.
Additional checks have to be built into the flow to make sure that an approved request is really the one the user intended to approve. Each request should carry a unique identifier and a short expiry, the app's response should be signed with a key enrolled on that device, the server should accept only one response per request, and the notification should show where the login attempt is coming from. Without such checks a plain approve/deny prompt is open to “push fatigue”, where an attacker who already holds the password triggers prompts repeatedly until the user taps approve. With them, and with the extensions described below, the push-based authenticator is both convenient and a safe mode of authentication.
3.1. Authorizing using Mobile Screen Lock
Mobile phones are unlocked with mechanisms such as patterns or PINs. These can be used as an extension to push-based authentication by requiring the user to pass the screen-lock check before the approval is sent, which adds a further layer of security. In a multi-factor architecture where push-based authentication is the 2nd factor, this check is often counted as a 3rd factor; strictly, a PIN or pattern is again “something you know”, so what it really adds is assurance that the person approving the request is the device's owner and not just whoever happens to be holding the phone. The core concept of authentication remains push-based, while the additional layer is handled at the mobile app end.
3.2. Authorizing via pin verification
Another extension to push-based authentication is a secret code validation in the mobile authenticator app. It resembles an OTP in form: a short pin (2–4 digits) is displayed on the login screen, and the user has to confirm that it matches the one shown in the app (like Bluetooth pairing) or select the correct pin from a number of choices in order to approve the authentication request. This can also be done the other way round, with the pin displayed in the app and the selection made on the login screen. The request itself is still received at the mobile app end as a push notification. Because the user has to act on a value that is only visible on the login screen they started, an approval prompt triggered by someone else cannot be completed blindly, which is exactly the weakness of a plain approve/deny prompt.
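The following added Python example (not code from the original article or from WSO2 Identity Server) puts the push-based flow and the number-matching extension together: the server creates a one-shot login request with a short expiry, shows a two-digit number on the login page, pushes the request with the correct number and two decoys to the app, and accepts only a response that is signed with the key enrolled for that device, names the right number, and arrives before the request expires. The device key is assumed to be a symmetric HMAC key shared at enrollment (a real app would more likely hold an asymmetric key in secure hardware); the user id, device id, client description and FakeClock are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
import time

REQUEST_TTL_SECONDS = 60   # an unanswered prompt dies quickly
NUMBER_CHOICES = 3         # one correct number plus decoys, as in the "select the correct pin" variant


def _sign(device_key: bytes, request_id: str, chosen: str) -> str:
    # The app binds its answer to this specific request with the key enrolled on the device.
    return hmac.new(device_key, f"{request_id}|{chosen}".encode(), hashlib.sha256).hexdigest()


class PushAuthServer:
    """Server side of push-based login with number matching (this example's own design)."""

    def __init__(self, clock=time.time):
        self._device_keys = {}   # device_id -> key shared at enrollment (assumption: symmetric HMAC key)
        self._pending = {}       # request_id -> details of an open prompt
        self._clock = clock

    def enroll_device(self, device_id: str, device_key: bytes) -> None:
        self._device_keys[device_id] = device_key

    def start(self, user_id: str, device_id: str, client_info: str):
        """Returns (number shown on the login page, payload pushed to the app)."""
        number = f"{secrets.randbelow(100):02d}"
        pool = {number}
        while len(pool) < NUMBER_CHOICES:
            pool.add(f"{secrets.randbelow(100):02d}")   # decoys the user must not pick
        choices = list(pool)
        secrets.SystemRandom().shuffle(choices)
        request_id = secrets.token_urlsafe(16)
        self._pending[request_id] = {
            "user_id": user_id, "device_id": device_id, "number": number,
            "expires_at": self._clock() + REQUEST_TTL_SECONDS,
        }
        # client_info (browser, location) is shown in the notification so the user can spot a stranger
        push = {"request_id": request_id, "choices": choices, "client_info": client_info}
        return number, push

    def complete(self, request_id: str, device_id: str, chosen: str, mac: str) -> bool:
        req = self._pending.pop(request_id, None)   # one answer per request, right or wrong
        if req is None or req["device_id"] != device_id:
            return False
        if self._clock() > req["expires_at"]:
            return False
        key = self._device_keys.get(device_id)
        if key is None or not hmac.compare_digest(_sign(key, request_id, chosen), mac):
            return False                             # not signed by the enrolled device
        return hmac.compare_digest(req["number"], chosen)   # the user picked the number they saw


def app_respond(device_key: bytes, push: dict, chosen: str) -> dict:
    """What the authenticator app sends back once the user has picked a number from the push."""
    return {"request_id": push["request_id"], "chosen": chosen,
            "mac": _sign(device_key, push["request_id"], chosen)}


class FakeClock:
    """Constructed clock for the demonstration; advance `now` to simulate the passage of time."""

    def __init__(self, now: float = 1_700_000_000.0):
        self.now = now

    def __call__(self) -> float:
        return self.now


if __name__ == "__main__":
    server = PushAuthServer(clock=FakeClock())
    device_key = secrets.token_bytes(32)                       # constructed enrollment key
    server.enroll_device("phone-1", device_key)
    number, push = server.start("alice", "phone-1", "Chrome on Windows, 203.0.113.5")
    print("login page shows:", number, "| app offers:", push["choices"])
    reply = app_respond(device_key, push, number)              # the user picks the matching number
    print("approved:", server.complete(reply["request_id"], "phone-1", reply["chosen"], reply["mac"]))
```

Note that a wrong pick consumes the request rather than allowing a second try: with three choices a user who taps at random under pressure still has a one-in-three chance, which is why the variant where the user types the number from the login screen into the app is the stronger of the two described above.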
4. Biometric Authenticator
Biometric authentication is also an extension to push-based authentication and can be used as a 2nd or 3rd factor in an authentication flow. I've listed it separately as it provides a higher level of security than the other push-based extensions.
Biometrics cover the “something you are” factor, which makes impersonation far harder than with a credential that can be copied or shared. The biometric data never leaves the phone, however: the check is performed locally by the operating system against the templates stored on the device (in a well-designed app, to unlock a signing key kept in the device's secure hardware), and the app only learns whether it succeeded. This step is therefore handled entirely at the mobile app end, and the server relies on the app's signed approval rather than ever seeing biometric data itself.
Biometrics such as fingerprint, facial recognition, and iris scanning can be used on Android devices, and Face ID and Touch ID on iOS devices, to complete the authentication flow. Since a biometric is bound to a person and to the device on which it was enrolled, it gives users a higher level of security when used as a step in a Multi-Factor Authentication flow.
5. QR Code Based Authenticator
Compared with the mobile authentication mechanisms above, QR code based authenticators take a different approach. A QR code login is used as the first, and possibly the only, required authentication step, which makes a passwordless authentication flow possible.
The flow works like this. The user logs in to the authentication mobile app with their account credentials beforehand, and that login has to be persistent for the flow to be seamless. When the user starts a login on the service, a QR code is displayed on the login screen; it encodes a random, short-lived token that the server has tied to that browser session. The user scans the code with the mobile app. The app then sends an authentication request carrying the token together with its own session, and the server connects the user with the session started on the login page. WhatsApp Web is a service that uses this authenticator.
Two threats need to be addressed. The first is a stolen device on which the app is still logged in, so a secure locking mechanism must be enabled on the device. The second is a relayed QR code: an attacker can request a fresh login QR for their own browser session and present it to the victim, for example on a phishing page, so that the victim's scan logs the attacker in. The token must therefore be short-lived and single-use, and the app should show where the login request comes from (browser, location) and ask for explicit confirmation before approving. With these in place the mechanism remains strong, and the user can access the services they need conveniently and with minimal time spent on login.
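The session-binding side of this flow, as an added Python example that is not code from the original article, from WSO2 Identity Server or from WhatsApp: the login page asks the server for a token and shows it as a QR code, the app (already holding a persistent login) decodes it, asks the server where the login is coming from so the user can confirm, and approves or declines; the browser session becomes logged in only after an approval, and every token is consumed by its first use and dies after two minutes. The `qrlogin:v1:` payload format, the user id, the browser descriptions and the FakeClock are constructed for the demonstration; rendering the QR image itself is left to a QR library.

```python
import secrets
import time

QR_TTL_SECONDS = 120   # a displayed code goes stale quickly; the page can request a new one


def _token_from(qr_payload: str) -> str:
    # Assumed payload format for this example: "qrlogin:v1:<token>"; anything else yields no token.
    prefix = "qrlogin:v1:"
    return qr_payload[len(prefix):] if qr_payload.startswith(prefix) else ""


class QrLoginServer:
    """Server side of QR-code login: the browser shows a token, the already-logged-in app approves it."""

    def __init__(self, clock=time.time):
        self._app_sessions = {}    # app_token -> user_id (the persistent login inside the mobile app)
        self._pending = {}         # qr_token -> {browser_session, browser_info, expires_at}
        self._logged_in = {}       # browser_session -> user_id once approved
        self._clock = clock

    def app_login(self, user_id: str) -> str:
        """Called once when the user signs in to the app with their credentials."""
        token = secrets.token_urlsafe(32)
        self._app_sessions[token] = user_id
        return token

    def begin(self, browser_session: str, browser_info: str) -> str:
        """Called by the login page; returns the string to encode in the QR code."""
        token = secrets.token_urlsafe(32)
        self._pending[token] = {"browser_session": browser_session,
                                "browser_info": browser_info,
                                "expires_at": self._clock() + QR_TTL_SECONDS}
        return f"qrlogin:v1:{token}"

    def describe(self, qr_payload: str):
        """What the app shows before asking for confirmation: where the login is coming from."""
        req = self._pending.get(_token_from(qr_payload))
        if req is None or self._clock() > req["expires_at"]:
            return None
        return req["browser_info"]

    def approve(self, qr_payload: str, app_token: str, confirmed: bool) -> bool:
        """The app's decision. Any answer consumes the token, so a scanned code is usable only once."""
        req = self._pending.pop(_token_from(qr_payload), None)
        user_id = self._app_sessions.get(app_token)
        if req is None or user_id is None or not confirmed:
            return False
        if self._clock() > req["expires_at"]:
            return False
        self._logged_in[req["browser_session"]] = user_id
        return True

    def poll(self, browser_session: str):
        """The login page polls this until its session has been approved."""
        return self._logged_in.get(browser_session)


class FakeClock:
    """Constructed clock for the demonstration; advance `now` to simulate the passage of time."""

    def __init__(self, now: float = 1_700_000_000.0):
        self.now = now

    def __call__(self) -> float:
        return self.now


if __name__ == "__main__":
    server = QrLoginServer(clock=FakeClock())
    app_token = server.app_login("alice")                                  # constructed user
    qr = server.begin("browser-1", "Chrome on Windows, 203.0.113.5")       # constructed browser info
    print("app shows origin:", server.describe(qr))
    print("approved:", server.approve(qr, app_token, confirmed=True))      # user confirmed in the app
    print("browser session now belongs to:", server.poll("browser-1"))
```

The `describe` step is what defends against the relayed-QR attack: a token can be handed to anyone, but a user who sees "Unknown browser" from a location they are not at has the information they need to tap decline.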
In this article, I’ve covered some of the authenticators that use a mobile device to complete the authentication flow. You can try these and many other authenticators using WSO2 Identity Server. I hope you found this article helpful.