It’s not a secret that modern apps often become a target of cyberattacks. Gartner reports that 95% of web applications experience attacks because of stolen user passwords. This means a set of symbols is no longer a reliable way of securing personal data, and this has pushed companies to work on more advanced security methods we’re going to consider in this article.
Methods of user authentication
Let’s first consider the authentication methods you may use during app development.
Digital certificate
It’s an electronic document issued by the specific authority. Such certificates contain identifying information and are easy to verify as they are issued by a trusted company.
Digital certificates have to contain the following information:
– Holder’s name;
– Serial number;
– Expiration date;
– Copy of public key belonging to the holder;
– Electronic signature of the authority.
The public key is used to encrypt messages, and the electronic signature is used to verify data. Browsers and operating systems have lists of authorities, and so they are able to identify whether that signature belongs to one of them or not.
Smart card
A smart card is designed to securely store the owner’s private key and entering it when authorization happens. Smart cards are basically security chips that can be inserted directly into a device or used wirelessly.
When the smart card is inserted or connected with the device, the encryption algorithms decode the data and users get access to whatever was encrypted, e.g., app or the device itself.
Hardware key
It’s a physical device created to generate single-use passwords that are typically valid no longer than a minute. A specially-designed algorithm creates a unique set of symbols in the logical sequence.
Biometrics
It’s a great way of authentication that needs no passwords at all since biometric data is unique to each person. The data can be encrypted and decrypted with the help of fingerprint, face and iris scanning, voice, signature, etc.
This method can be used both as the only authentication method or as a part of multi-factor authentication. In other words, it makes it possible to login into the account or unlock the device.
Proximity
This means the device or app is unlocked when the set conditions will be met. These conditions can include geolocation or presence of a third-party device. This way, the smartphone can be unlocked when it connects to the particular device via Bluetooth or when it’s in the specific area (e.g., at a user’s home).
Authentication technologies
Now, let’s consider solutions and services developers can use for building robust security for mobile apps and websites.
KodeKey
This auth framework helps developers build a biometric-based authentication process. With its help, a user doesn’t have to create any passwords as everything they need is a smartphone and their unique biometric data.
Servers of this framework store information about the accounts of every user and link them with phone numbers or PINs. Their well-designed API makes the process of this service integration into a website easy as pie.
The scheme of KodeKey’s work is the following:
1.Phone number or PIN is entered by the user into the login field;
2.This attempt is sent to KodeKey;
3.The user identity is authenticated using fingerprint scanning.
LaunchKey
This platform provides several ways to verify identity: a good old password and more advanced two-factor authentication. Users can access the engine of LaunchKey with the help of its public API. The good thing about this service is that it doesn’t store private records elsewhere, they are all stored on the user device.
Also, LaunchKey offers users to create their own security mechanisms. For example, to protect the corporate data, you are able to set the combination of persons’ identity verification with their geolocation when the attempt to access the system is made. In other words, you can create two-factor authentication of your own by combining different security mechanisms the platform provides.
Clef
This service uses a camera as well as an asymmetric key to verify the identity utilizing occasionally generated images and keys.
Users get a private key right after they register an account and install Clef’s mobile app. This private key is always stored on the user device, while the public key is sent to Clef servers.
The rest is simple. When users try to log into the service that uses Clef, they see a generated image in a browser. Then, users point their smartphones at that image, the app scans it, encrypts it through the private key, and sends this data back to the Clef servers. If the server realizes that the sent image is decrypted with the help of the right key — the operation succeeds.
M-pin
This solution is suitable for both web and mobile products. If you need M-pin for the web product, you have to integrate specialized JavaScript-based code and library into your web application. If you want to use M-pin for mobile products, you use a mobile browser built-in the application to access your account.
When you need to authenticate on services using M-pin, you attach a certain mobile device or desktop browser to the account and set a PIN. Then, the attached device receives a token and you can effortlessly login.
YubiKey NEO
It is a physical USB key that is used by such giants as Google, Dropbox, and Github. The key is powered by NFC, so it is easy-to-use with mobile devices that have the support for this technology. All you need to do is just put the device to your smartphone’s backside and press a button so the device could generate the unique set of numbers.
In case you work with laptops or desktops, you can simply plug it into the USB port when logging in the certain service.
There are lots of technologies designed to provide a secure authentication process. The choice is up to you.
About the Author: Nataliia Kharchenko
Nataliia Kharchenko is a Technical Writer at Cleveroad company that offers web and mobile app development services. I enjoy bringing a digital world closer to people and writing about technology, mobile apps, innovations, and progressive management models.