Authentication methods: choosing the right type

This guidance assists organizations in choosing the right method for authenticating their customers accessing online services. It is designed for a range of sectors, such as retail, hospitality, and utilities, but is relevant for any organization needing to authenticate customers when they log into online platforms. By implementing any of the methods outlined here, in addition to traditional password authentication, you will greatly enhance the security of your customers’ accounts.

Numerous authentication methods offer security that transcends standard passwords. This guidance outlines the benefits and limitations of each method, enabling you to select the one that best fits your organization and customer base. It also includes links to more comprehensive guidance from NCSC regarding each authentication method.


Why move ‘beyond passwords’?

Bill Gates predicted the end of passwords nearly two decades ago. While many anticipated alternative methods would take their place, passwords continue to dominate as the default authentication method for numerous services, both professional and personal. Password authentication is affordable, simple to implement, and familiar to users. The reliance on passwords remains high, particularly with the increasing use of online services and personal devices.

Given that the average user has countless online accounts, creating unique passwords for each (and remembering them) can be a challenge. Often, users devise coping strategies for ‘password overload’, which can include creating predictable password patterns or reusing the same password across various platforms. Attackers often exploit these strategies, leaving both your customers and your organization exposed.

Introducing additional authentication methods also makes sense from a business perspective. Some estimates suggest that up to one-quarter of online purchases are abandoned due to forgotten passwords, as the process of recovering a password (or creating a new account) is often time-consuming, discouraging potential customers.

How does additional authentication help?

Passwords can be compromised through several means, the most prevalent being when an organization managing account details experiences a data breach. Criminals will attempt to use those stolen passwords to access other accounts, a process referred to as credential stuffing. This tactic is effective because many users tend to reuse passwords across multiple accounts.

Additionally, criminals might employ phishing tactics via email, text, or direct messages to gain access to accounts or simply try the most commonly used passwords that many still use.

No matter how stolen passwords are obtained, without implementing additional authentication methods, criminals can misuse stolen credentials to fraudulently access user accounts. This could provide access to sensitive personal data, including financial information, or enable impersonation of a user for malicious activities. Incorporating an additional authentication method for customer accounts substantially increases the difficulty for criminals to cause harm.

Note:

When developing your organization’s password policy, consult the NCSC’s guidance for system owners. It outlines how you can apply technical measures to alleviate the burden on customers while implementing policies that align with people’s natural workflows.

Select the model that’s suitable for you

This guidance explores four authentication models:

  • multi-factor authentication (MFA)
  • OAuth 2.0
  • FIDO2
  • magic links and one-time passwords (OTPs)

For each authentication method, you must evaluate both the security and usability, and most importantly, consider the profile of your customer base. For instance, some customers may hesitate to acquire additional devices for making purchases through your online platform.

Despite the vulnerabilities inherent in passwords, they remain a familiar and accepted authentication method for most users. Regardless of which additional authentication model you choose, be prepared to support users during account setup and afterward. Ultimately, however:

  • offering a variety of methods ensures greater appeal to a wider user base
  • presenting these options during account setup is a chance to clearly explain the advantages and functionalities of extra authentication

Multi-factor authentication (MFA)

The most prevalent method that moves ‘beyond passwords’ is Multi-factor Authentication (MFA), also known as two-step verification (2SV) or two-factor authentication (2FA). Accounts set up with MFA require users to supply a second factor that is accessible only to them. The second factor could involve:

  • PIN codes or character strings often sent to users via SMS or email
  • a security token physically connected to their device (e.g., via USB)
  • biometric identification (like fingerprint scans or facial recognition)
  • a trusted device app (such as those provided by Microsoft or Google)

Note:

The optimal second factor for MFA implementation will depend on the services your organization provides and the profile of your customers. While sending a PIN code via SMS is widely understood, it is also the least secure option. Offering your users a choice of second factors can ensure better coverage for your customer base. For further details on implementing MFA, refer to the NCSC’s guidance on Multi-factor authentication for online services.

The second factor in MFA should not be mandatory every time the service is accessed, as this can quickly become frustrating for users. It should only be needed when high-impact activities are detected, such as:

  • transferring large sums of money
  • altering passwords
  • updating account information (like credit card details)

A second factor should also be requested whenever unusual activity is detected, such as logging in from an unrecognized device or a location far from the user’s usual access point.
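The step-up rule described above (challenge only for high-impact actions or an unfamiliar device or location, and not on every request) can be written as a small policy function. The code below is an added illustration, not NCSC code or a library API; the action names, the stored user profile and the sample requests are all constructed for the example, and the twelve-hour window after a completed second factor is an assumed policy value.

```javascript
// Added example (not NCSC code): a risk-based step-up policy that asks for the
// second factor only for high-impact actions or an unfamiliar login context.

// Action names are assumptions for this example; map them to your own service's actions.
const HIGH_IMPACT_ACTIONS = new Set(['transfer_large_sum', 'change_password', 'update_payment_details']);

// Constructed profile of one user's normal access pattern, as a service might store it.
const SAMPLE_PROFILE = {
  knownDeviceIds: new Set(['dev-laptop-01', 'dev-phone-01']),
  usualCountry: 'GB',
  mfaValiditySeconds: 12 * 60 * 60, // assumed: a completed second factor covers routine requests this long
};

// request: { action, deviceId, country, lastMfaAt } where lastMfaAt is the Unix time (seconds)
// at which the second factor was last completed on this device, or null if never.
// Returns { challenge: boolean, reasons: string[] } so the decision can be logged and reviewed.
function requiresSecondFactor(request, profile, nowSeconds) {
  const reasons = [];
  const highImpact = HIGH_IMPACT_ACTIONS.has(request.action);
  if (highImpact) reasons.push('high-impact action');

  const unfamiliar = [];
  if (!profile.knownDeviceIds.has(request.deviceId)) unfamiliar.push('unrecognised device');
  if (request.country !== profile.usualCountry) unfamiliar.push('unusual location');

  const recentlyVerified =
    request.lastMfaAt !== null && nowSeconds - request.lastMfaAt < profile.mfaValiditySeconds;

  // High-impact actions always re-challenge. An unfamiliar context re-challenges unless the
  // second factor was already completed recently on this device.
  const contextChallenge = unfamiliar.length > 0 && !recentlyVerified;
  if (contextChallenge) reasons.push(...unfamiliar);
  return { challenge: highImpact || contextChallenge, reasons };
}

// Constructed sample requests, evaluated at a fixed "now" so the results are reproducible.
const NOW = 1700000000;
const SAMPLE_REQUESTS = [
  { id: 'browse-known', action: 'view_orders', deviceId: 'dev-laptop-01', country: 'GB', lastMfaAt: NOW - 3600 },
  { id: 'payment-known', action: 'update_payment_details', deviceId: 'dev-laptop-01', country: 'GB', lastMfaAt: NOW - 3600 },
  { id: 'browse-new-device-abroad', action: 'view_orders', deviceId: 'dev-unknown-99', country: 'FR', lastMfaAt: null },
  { id: 'browse-new-device-verified', action: 'view_orders', deviceId: 'dev-unknown-99', country: 'GB', lastMfaAt: NOW - 600 },
];

// Evaluates every sample request and returns the decisions keyed by request id.
function evaluateSamples() {
  const decisions = {};
  for (const r of SAMPLE_REQUESTS) decisions[r.id] = requiresSecondFactor(r, SAMPLE_PROFILE, NOW);
  return decisions;
}

for (const [id, d] of Object.entries(evaluateSamples())) {
  console.log(`${id}: ${d.challenge ? 'CHALLENGE' : 'allow'} ${d.reasons.join(', ')}`);
}
```

Returning the reasons alongside the decision matters in practice: it is what you log for fraud review, and it is what lets support staff explain to a customer why a prompt appeared.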

Keep in mind that integrating MFA into online services will necessitate providing ongoing support for your users, both at account setup and in the longer term (including guidance on what to do if users encounter issues with the second authentication factor). The NCSC has generated guidance that can help users understand MFA, which you may adopt for your own support materials if needed.

The following summarizes when it is likely appropriate to implement MFA.

MFA is likely appropriate when:

  • security is prioritized over user experience and throughput
  • your users are willing to provide additional contact means (phone or email)
  • your users can confidently operate mobile devices and discern between genuine and false requests
  • you can offer users a range of verification options

MFA is less likely appropriate when:

  • user experience and throughput take precedence over security
  • your users prefer not to associate more contact information with your website
  • your users lack confidence using mobile devices and are likely to be confused by authentication messages

MFA: a practical scenario

As a vast online marketplace where users buy and sell goods, you aim to bolster customer reassurance amidst a rise in password-based attacks like credential stuffing. To enhance security, you decide to implement MFA for user accounts. You allow customers to choose their preferred factor: either a code received via SMS or through an authenticator app. To avoid overwhelming users, you only prompt them for the second factor when there are signs of a new device or login location.

A customer named Jean sells handmade items on your platform and is aware of phishing incidents impacting another online marketplace, where accounts have been compromised and users have lost their earnings. Concerned about potential attacks on your site, Jean recognizes that MFA will significantly mitigate her account’s vulnerability.


OAuth 2.0

OAuth 2.0 enables customers to authenticate to a new service using their existing account with another, typically well-known service provider (such as Apple, Facebook, or Google). This method is commonly referred to as Single Sign On (SSO). By using options like ‘Sign in with Apple’, users are relieved from the necessity of creating yet another account for a new site.

Moreover, if OAuth providers have robust security measures in place (such as MFA or token access revocation), the new service can avoid the effort and costs involved in implementing these measures internally.

However, should a criminal gain access to a user’s OAuth account, they will also have access to services using it for authentication. Thus, the security of the OAuth provider must be taken into account, ensuring that only providers with suitable security protocols are selected. The NCSC’s Cloud Security guidance offers insight to help in determining whether a provider meets your security needs.

It’s also vital to consider the reliability of OAuth providers; if their authentication server goes down, your associated online service becomes inaccessible (as seen in the 2021 Facebook outage).

Even if you provide a variety of OAuth provider options, some users might prefer not to link an existing account to your new service. For these individuals, alternative authentication methods should be offered.

Implementing OAuth

The following links detail approaches to implement OAuth 2.0 for major providers:

The following summarizes when applying OAuth is likely appropriate.

OAuth is likely appropriate when:

  • ease of use holds significant value
  • you can trust the OAuth provider’s security posture and dependability
  • your users don’t mind their activities being observed or tracked
  • the anticipated downtime of the OAuth providers is acceptable

OAuth is less likely appropriate when:

  • security is critical and relying on the OAuth provider’s security is not suitable
  • your availability or security needs exceed those of the OAuth providers
  • your users prefer not to have their activity on your service monitored

OAuth: a practical scenario

You manage a global hotel chain with properties worldwide. Many of your customers are first-time guests, seeking a fast login to book a stay without creating a new account.

By integrating OAuth in your booking process, new customer Jack can quickly log in using his Google account, making the reservation process seamless.


FIDO2

FIDO2 offers a framework of standards that enable cryptographic authentication through public-key credentials and protocols, providing a secure alternative to passwords for online service access. FIDO2-compatible authenticators can vary from personal devices like smartphones or laptops with a Trusted Platform Module (TPM), to physical USB keys, and can be utilized for password-less logins or as a second authentication factor.

Most FIDO2 tokens are USB-based (e.g., Yubikeys), and various FIDO2 authentication tokens are available to cater to different needs and budgets. Many modern smartphone applications are compatible with FIDO2, capitalizing on built-in biometric authentication. FIDO2 allows users to authenticate through actions such as button presses, PINs, or biometrics (like fingerprints or facial recognition).

Generally, users will be responsible for purchasing their own tokens. If a token is lost, it results in the user being unable to authenticate for the service, thus highlighting the importance of registering a backup (which means obtaining another token). Given that relatively few services support FIDO2, users might be hesitant to invest in tokens—especially since there are more affordable, commonly used authentication methods. Additionally, if a token is lost, it must be revoked, requiring users to log into each service using the backup token.

While major device manufacturers are adopting FIDO2 natively (facilitating automatic token sharing across devices within their ecosystems), several barriers to adoption remain, such as usability and initial costs.

Implementing FIDO2

The FIDO2 website offers insights for developers on how to incorporate FIDO2 authentication. Since FIDO2 relies on public key cryptography, developers should be versed in cryptographic protocols, even if they lack direct experience implementing FIDO2 logins.

The following summarizes when it is likely appropriate to adopt FIDO2.

FIDO2 is likely appropriate when:

  • security is a priority over usability
  • you have a security-focused audience aware of the necessity for strong security
  • you can provide users with an authenticator app or security token rather than relying on user procurement
  • if a user loses their access token, you have enough time to recover their accounts

FIDO2 is less likely appropriate when:

  • security is not critical, and user experience and throughput are equally important
  • your users do not value account security and might be deterred by needing a second factor
  • your users are unlikely to have smartphones or may be hesitant to buy security tokens
  • if a user loses their access token, immediate recovery of their accounts is imperative

FIDO2: a practical scenario

In your role as a prominent video gaming company operating various online games, you realize that customer accounts harbor significant value through digital assets (e.g., virtual items, levels, and in-game currency). Instances of cybercriminals exploiting leaked password databases to compromise individual accounts and pilfer these assets have detrimentally affected your company’s reputation.

Meanwhile, one of your rivals has enhanced customer account security through a FIDO2-based authenticator app. To maintain competitiveness, you decide to offer in-game incentives for players logging in with a FIDO USB token or authenticator app. However, participation isn’t consistent due to the relatively low in-game value of these rewards. Subsequently, you opt to produce branded FIDO2 USB tokens and distribute them as rewards for reaching a significant milestone in one of your games.

Since these tokens become perceived as prestigious within your gaming community, your highest-value customers are motivated to qualify for the free tokens. As a result, the accounts containing the highest digital asset values are more likely to secure protection against password-based attacks.


Magic links and one-time passwords

Magic links are a type of password-less login that allows users to log in by clicking a link sent to their email, eliminating the need to input a username and password. Clicking the link grants the user access to the service.

One-time passwords (OTPs) resemble magic links in that users do not need to memorize a password. Instead, they receive a single-use password through SMS or email or are prompted to generate one using an app. Providing users with diverse options is likely to boost uptake.

As with MFA, if a criminal gains access to a user’s mobile device, they could potentially access accounts linked to that device. Magic links and OTPs enhance user experience by removing the headaches associated with forgotten passwords and the risks of password breaches.

Implementing magic links

The following summarizes when employing magic links and/or OTPs is likely appropriate.

Magic links and OTPs are likely appropriate when:

  • security isn’t a top concern, and user experience is critically important
  • your users are amenable to providing additional contact information (like an email or phone number)
  • your users are generally comfortable utilizing mobile devices and can identify unexpected or misleading requests

Magic links and OTPs are less likely appropriate when:

  • security is paramount, and the security of the mobile network or email provider is inadequate
  • your users are reluctant to share additional contact details (like an email or phone number)
  • your users may lack confidence with mobile devices and struggle to interpret authentication messages

Magic links: a practical scenario

You manage a comparison marketplace where customers find the best deals on services like insurance, utilities, or broadband. Given that users visit your site infrequently, you implement magic links for swift access without needing a password.

Meg stopped using a competing marketplace after she forgot her password and grew frustrated with the reset process. When she returns to your site, she simply enters her email address. Moments later, an email lands in her inbox, and clicking the link it contains logs her in automatically.
