A ranking of authentication methods and recovery methods
In today's digital age, the security of our online accounts and sensitive information has become paramount. To ensure that only authorised individuals gain access to these resources, various authentication methods have been developed. These methods vary in terms of security, ease of use, and vulnerability to different types of attacks. In this blog post, we will delve into the world of authentication methods, rank them by their level of security, and discuss the associated risks.
Ranking Authentication Methods by Security Level
Passwords: Passwords are still the most widely used authentication method. They are easy to implement but carry significant security risks: they can be weak, guessed, or stolen through phishing attacks. In addition, people tend to reuse the same password everywhere, so a password leaked from one service can be used to log in to other services.
Risk: High - Password databases are susceptible to breaches, and users often struggle to maintain strong passwords.
One-Time Passwords (OTP) by SMS: OTP via SMS involves receiving a temporary code on your mobile device. While it's more secure than just a password, it's not foolproof. OTP by SMS provides an extra layer of security compared to passwords alone, but it is vulnerable to SIM-swapping attacks, SMS interception and smartphone-based malware.
Risk: Moderate - Better than passwords alone but not immune to attacks.
Offline Authenticators: An example of this is Google Authenticator, which is linked to an online account by scanning a QR code and later proves that link with a time-limited 6-digit token. From a solution provider's perspective, this type of second factor is quite easy to implement, but it has two limitations: if the user loses their smartphone they might not be able to log in to the account again, and, because the app is typically offline, there is no way for the user to verify the transaction details.
Risk: Low - Quite secure but not user-friendly.
Hard Tokens: While somewhat “old fashioned” today, these are physical devices that generate OTPs or cryptographic keys. They are highly secure but can be expensive and inconvenient to carry. They provide excellent proof of who you are, due to physical possession. On the other hand, this is all they do, as they typically don’t have features to verify that you’re authenticating the right transaction. In addition, they’re costly, easily lost, and can be cumbersome.
Risk: Low - Very secure but not user-friendly.
App-Based Strong Authentication: App-based authentication relies on smartphone apps to generate OTPs or cryptographic keys. These apps are more convenient than hard tokens and offer robust security. They also make it possible to "dynamically link" the authentication session to a given transaction, so that the end user can verify the transaction details in the app. Having strong authentication built into the app makes it secure, convenient, and cost-effective. The biggest disadvantage is that it requires a smartphone.
Risk: Low - Highly secure and user-friendly.
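To make the difference between an offline authenticator and dynamic linking concrete, here is an added example (not code from this post or from Okay's SDK): the standard TOTP derivation an authenticator app performs from its QR-code secret, beside a constructed "dynamically linked" variant that binds the code to the transaction details, so a code approved for one amount fails verification if the amount is tampered with. The linking construction (an HMAC of the canonical transaction over the shared secret) and the demo secret are assumptions chosen for this illustration, not a published standard.

```python
import hashlib
import hmac
import json
import struct

# Constructed demo secret; it is the RFC 4226/6238 test-vector key, shared with
# the app via the QR code at enrolment.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the current 30-second time step.
    This is all an offline authenticator proves: possession of the secret."""
    return hotp(secret, at // step, digits)


def linked_code(secret: bytes, tx: dict, at: int, step: int = 30, digits: int = 6) -> str:
    """Assumed dynamic-linking construction: derive a per-transaction key from the
    shared secret and the canonical transaction, then run TOTP over that key.
    The resulting code is only valid for exactly these transaction details."""
    canonical = json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()
    tx_key = hmac.new(secret, canonical, hashlib.sha256).digest()
    return totp(tx_key, at, step, digits)


def verify(secret: bytes, code: str, at: int, tx: dict = None, skew: int = 1, step: int = 30) -> bool:
    """Server-side check with +/- one time step of clock skew.
    With tx given, the server recomputes the code for the transaction it is
    about to execute, so any change to the details invalidates the approval."""
    for i in range(-skew, skew + 1):
        t = at + i * step
        expected = linked_code(secret, tx, t, step) if tx is not None else totp(secret, t, step)
        if hmac.compare_digest(expected, code):
            return True
    return False
```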
Identity Wallet Apps for Finance and Asset Protection: Wallet apps, like those used in the finance world or in the Nordics, have emerged as a secure means of authentication and asset protection. Having multiple apps share the same identity and authentication methods makes it possible to have a single app which provides strong security while being user-friendly and multifunctional. A disadvantage is that, being so powerful, they might require additional setup and integration.
Risk: Low - Highly secure and versatile.
The final ranking
Based on the discussion above, here's a ranking of authentication methods by security level, from least to most secure:
- Passwords
- OTP by SMS
- Offline authenticators (authenticator apps)
- Hard Tokens
- App-Based Strong Authentication
- Identity Wallet apps
App-based strong authentication and identity wallet apps provide roughly the same level of security here, but an identity wallet app that focuses on security can provide a stronger level of security overall.
How do you recover a lost authentication method?
Passwords: Recovery for passwords primarily involves resetting them when you forget or lose access to your password. There are many ways to do this, such as having to correctly answer security questions set during the initial setup. The obvious weakness here is that the answers to these questions might be guessable, such as your dog's name being Tinkerbell. Another popular, but weak, mechanism is email-based recovery, where the "security anchor" is simply that you have access to the received email.
One-time Passwords (OTP) by SMS: Recovery for OTPs sent via SMS can be challenging because it often depends on access to your mobile number. This means that you’ll have to contact your mobile service provider, and preferably get a new SIM card with the same number. Sadly, this is also the same way someone would get access to your account: by tricking the provider into giving them a SIM card with your number. Some providers also allow users to have backup codes, which can be used instead of the OTP, but these have to be stored really securely.
Offline Authenticators: Recovery for this type of offline authenticator typically relies on backup codes, but some providers also allow security questions or even email-based recovery. If the authenticator was used to protect a free account with no way to recover access, the account might be lost forever.
Hard Tokens: Recovery for hard tokens is relatively straightforward but may involve contacting the token provider or your organization's IT department. You might also have to go to a physical location to receive a new token.
App-Based Authentication and Wallet apps: Recovery for app-based authentication methods, such as those using our SDK, can be more convenient. The simplest way might be to provide a mechanism for the user to do a re-enrollment, providing the same type of authentication they used to set up the account initially. Another way might be to provide security codes after the initial authentication that the user can use to re-authenticate on a new device at a later point. And, since it is app-based it is fairly simple to provide a QR code that can be shown on a device where the user has a secure session, linking a new device to an existing authentication in a secure manner.
What is the best authentication method for you and your business?
There are two key questions when choosing what authentication method to use:
- What kind of attackers would be interested in gaining access to your accounts? If you're protecting a simple online forum, usernames and passwords with recovery through email might be enough. But if you're protecting sensitive data, critical infrastructure or balance-carrying bank accounts, you should choose a much stronger security mechanism.
- What external requirements is your business operating under? If you're sending or receiving funds in Europe you'll be required to be PSD2 compliant. This requires that your authentication uses two different authentication methods, implements dynamic linking, and runs in a secure execution environment.
All of this is of course something we in Okay can help you with. Reach out if you’re interested in an informal discussion about how we can help, either by providing software solutions or advice.