The need for strong authentication
When users access online services, they want to be confident that nobody else can log in pretending to be them, access their sensitive personal data or use their identity to make fraudulent claims. Users want to be confident that their data and services are secured and their privacy is protected. Governments, healthcare providers and businesses that offer services online (the application owners) need to verify a user's identity to make sure only the right users access the right information. That is why identity assurance is needed, and identity assurance is achieved through strong authentication.
What is Strong Authentication?
Authentication is the process of determining whether someone or something is, in fact, who or what it is declared to be, also known as 'proving the identity'. With critical data and applications online, strong authentication for every user is essential to protect and enable business. The classic paradigm for authentication systems identifies three factors as the cornerstones of authentication:
- Something you know (for example, a password or a PIN);
- Something you have (for example, a mobile phone or a token);
- Something you are (for example, a fingerprint or other biometric data).
Strong authentication, or multi-factor authentication, refers to the use of more than one of the factors listed above to increase the trust that can be placed in the authentication. It is the security process in which the user provides at least two means of identification from separate categories of credentials: one is typically a physical token, such as a card or a one-time-code generator, and the other is typically something memorised, such as a password or PIN. Two credentials from the same category (two passwords, say) do not count as two factors. Using more than one factor is often called strong authentication, but the strength of the authentication depends mostly on the strength of the underlying methods and their implementation; the precise term for the use of two factors is 'two-factor authentication'.
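The two-factor check described above, as an added example that is not part of the original page and not ConsentID's code: a password ("something you know", stored as a PBKDF2 hash) combined with a time-based one-time code from an authenticator app ("something you have", RFC 6238 TOTP built on RFC 4226 HOTP). The function names, the user record layout and the sample secret are assumptions made for the example; the secret is the RFC test-vector key, so its codes are the published ones, and a real enrolment would generate a random secret per user. The verifier records the last accepted time-step counter so that a captured code cannot be replayed, allows one step of clock drift either side, and evaluates both factors before deciding so that timing does not reveal which one failed.

```python
"""Two-factor login check: password (know) + TOTP code (have).
Added example, not from the page or from ConsentID. TOTP per RFC 6238 / HOTP per
RFC 4226; password storage with PBKDF2-HMAC-SHA256. Names are hypothetical."""
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass
from typing import Optional

STEP_SECONDS = 30        # TOTP time step
DIGITS = 6
DRIFT_STEPS = 1          # accept codes from one step either side for clock skew
PBKDF2_ROUNDS = 600_000

# Constructed sample secret: the RFC 4226/6238 test-vector key, used so the
# expected codes are the published ones. Never reuse a fixed secret in practice.
SAMPLE_SECRET = b"12345678901234567890"


@dataclass
class UserRecord:
    salt: bytes
    password_hash: bytes
    totp_secret: bytes
    last_counter: int = -1   # highest TOTP counter already accepted; blocks replay


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: float, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(now) // step)


def enroll_user(password: str, totp_secret: Optional[bytes] = None) -> UserRecord:
    """Create the stored record: salted password hash plus the shared TOTP secret."""
    salt = os.urandom(16)
    secret = totp_secret or os.urandom(20)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return UserRecord(salt, pw_hash, secret)


def _password_ok(record: UserRecord, password: str) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record.salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, record.password_hash)


def _totp_match(record: UserRecord, code: str, now: float) -> Optional[int]:
    """Return the counter the code matches within the drift window, or None.
    Counters at or below last_counter are refused, so a sniffed code cannot be
    replayed even inside its 30-second validity."""
    centre = int(now) // STEP_SECONDS
    matched = None
    for counter in range(centre - DRIFT_STEPS, centre + DRIFT_STEPS + 1):
        if counter <= record.last_counter:
            continue
        expected = hotp(record.totp_secret, counter).encode()
        if hmac.compare_digest(code.encode(), expected) and matched is None:
            matched = counter
    return matched


def verify_login(record: UserRecord, password: str, code: str, now: float) -> bool:
    """Both factors are always evaluated (no early return on a bad password) so
    the failure reason is not leaked by timing; the counter is consumed only
    when both factors succeed."""
    pw_ok = _password_ok(record, password)
    counter = _totp_match(record, code.strip().replace(" ", ""), now)
    if pw_ok and counter is not None:
        record.last_counter = counter
        return True
    return False


if __name__ == "__main__":
    rec = enroll_user("correct horse battery staple", SAMPLE_SECRET)
    print(verify_login(rec, "correct horse battery staple", totp(SAMPLE_SECRET, 59), 59))
```

Note that the replay check is what turns a six-digit code into a real possession proof: without it, anyone who shoulder-surfs or phishes the code has the whole 30-second window, plus the drift window, to reuse it.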
Strong depends on context
Understanding the context in which a user is operating and the resources they are accessing gives an understanding of the risks involved, and lets application owners make authentication choices based on the risks for their users. Ensuring appropriate security across the application means that organisations must understand the importance of strong authentication in the context of major technological trends and increasing security and privacy threats. A growing number of organisations undertake risk assessments and explore emerging authentication methods to strengthen their defences. What "strong authentication" means can vary depending on the context in which the authentication method is used: what is strong in one scenario may be weak, or only relatively strong, in another. The definition of strong is therefore contextual.
eIDAS assurance levels
The owner of the online service determines what level of assurance they require, depending on the context and the risk assessment of their application, before allowing users access to their service. The levels of assurance used within Europe, under the eIDAS regulation, are low, substantial and high:
Low assurance
- Limited degree of confidence in the claimed or asserted identity of a person;
- Reference to technical specifications, standards and procedures, including technical controls, the purpose of which is to decrease the risk of misuse or alteration of the identity.
Substantial assurance
- Substantial degree of confidence in the claimed or asserted identity of a person;
- Reference to technical specifications, standards and procedures, including technical controls, the purpose of which is to decrease substantially the risk of misuse or alteration of the identity.
High assurance
- Higher degree of confidence in the claimed or asserted identity of a person;
- Reference to technical specifications, standards and procedures, including technical controls, the purpose of which is to prevent misuse or alteration of the identity.
Only identification means with an assurance level equal to or higher than the level required for the online service can be used to access it, so a high-level online service cannot be accessed with low-level identification means. Different implementations of the same authentication method can provide very different levels of security. For example, even the theoretically strongest authentication method will give poor reliability on the asserted identities if the enrolment stage is poor. The rating of each individual aspect of a means (enrolment, credential issuance, the authentication mechanism itself) ultimately determines the applicable overall level, on the principle that 'the chain is only as strong as the weakest link'.
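The relying-party side of that rule, as an added example that is not from the page or from ConsentID: the service states the level it requires, rates an identification means at its weakest aspect, and accepts an asserted level only if it is equal or higher. The LoA URIs are the ones the eIDAS SAML profile carries in AuthnContextClassRef; that a given identity provider delivers the level as such a URI is an assumption of the example, as are the function names. An unrecognised URI maps to no level at all, so the check fails closed rather than guessing.

```python
"""eIDAS 'equal or higher assurance level' check for a relying party.
Added example, not from the page or ConsentID. The URIs are the eIDAS SAML
profile's LoA identifiers; function names are hypothetical."""
from enum import IntEnum
from typing import Dict, Optional


class Assurance(IntEnum):
    """Ordered so that comparisons express 'equal or higher'."""
    LOW = 1
    SUBSTANTIAL = 2
    HIGH = 3


# Assumption: the identity provider asserts the level as one of these URIs.
LOA_URIS = {
    "http://eidas.europa.eu/LoA/low": Assurance.LOW,
    "http://eidas.europa.eu/LoA/substantial": Assurance.SUBSTANTIAL,
    "http://eidas.europa.eu/LoA/high": Assurance.HIGH,
}


def parse_loa(uri: str) -> Optional[Assurance]:
    """Map an asserted LoA URI to a level. Anything unknown (a plain SAML
    password context, a typo, an empty string) yields None: fail closed."""
    return LOA_URIS.get(uri.strip())


def effective_level(aspects: Dict[str, Assurance]) -> Assurance:
    """Weakest link: a means is rated at the lowest level reached by any of its
    aspects, e.g. enrolment, credential issuance, authentication mechanism."""
    if not aspects:
        raise ValueError("no aspects rated")
    return min(aspects.values())


def may_access(required: Assurance, asserted_uri: str) -> bool:
    """Grant only if the asserted level parses and is >= the required level."""
    asserted = parse_loa(asserted_uri)
    return asserted is not None and asserted >= required


if __name__ == "__main__":
    # Constructed rating: strong mechanism, weak enrolment -> overall LOW.
    means = {"enrolment": Assurance.LOW,
             "credential": Assurance.HIGH,
             "authentication": Assurance.HIGH}
    print(effective_level(means).name)
    print(may_access(Assurance.SUBSTANTIAL, "http://eidas.europa.eu/LoA/low"))
```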
Mobile authentication solutions
In our opinion, strong authentication should be pervasive, transparent and risk-based. In the current trend towards mobile solutions, the mobile device can serve as the 'something you have' factor, ideally holding its key in the device's secure element. A mobile device such as a smartphone or tablet is regarded as an all-in-one strong authentication tool, as it can conveniently combine all three factors:
- Knowledge: access to the smartphone is based on a knowledge factor, for example entering a PIN.
- Inherence: the device's biometric sensors (for example a fingerprint reader) supply the 'something you are' factor.
- Ownership: people tend to have their smartphones with them, and owners soon notice when a phone is left behind or lost.
Note that when one device supplies all three factors they are no longer independent: malware on the device, or physical compromise of it, can undermine all three at once, which is why the device itself and its key storage must be protected.
With ConsentID, users can log in via multi-factor authentication in a user-friendly way on different devices such as desktop, mobile phone and tablet. Based on PKI technology and more than 15 years of experience, the ConsentID authentication and signing service offers a flexible, easily adaptable and integrated solution for any business application, in full compliance with eIDAS for the low, substantial and high levels of assurance (LoA3+/4).