As one of the basic Identity and Access Management (IAM) tools, online user authentication now exists in many forms. Depending on the use case, industry, and the desirable level of security, companies employ different types of authentication.
While identity verification is the first line of defense, authentication methods are the second line. Let’s see how these components complement each other in order to contribute to the protection of an entire system.
How users are now verified
Authentication in identity verification (IDV) confirms that a user has the authority to access certain information or resources. This is also one of the steps in the larger process.
Authentication is one of the parts of the IAM framework.
First, a user should introduce themselves to a system by providing some unique identifiers. Typically, they are a login or legal name, but sometimes more compelling identifiers, such as an identity document or biometrics, are required. With this information, the system generates a proof of identity—for example, the user’s login and photo are stored in the database—that will be used to authenticate the user in the future.
To start an online session in the service, the user must authenticate themselves by presenting their credentials. Typically, there is also authorization in the background. This determines the user's access rights and privileges; for example, if the user has permission to download a file or change their password on their own.
User verification is intended to validate the user’s identity and the credentials they present. Verification examples include:
Submitting a passport and selfie to verify the user’s identity
Sending a secret—a code, link, etc.—to the user’s device or email to check if it is a recognized individual who is trying to log in
In different scenarios, user verification is performed at the initial or intermediate stage of the process, or is incorporated into all three stages.
Types of authentication explained
As mentioned above, there are many ways to authenticate users. Typical types of authentication are password-based, multi-factor, and biometric authentication.
These different types of authentication distinguish themselves in three ways:
- Security: How reliable the method is
- User engagement: What users should do during the process
- Infrastructure: What equipment is needed to complete the authentication
| Authentication method | Security | User engagement | Infrastructure |
|---|---|---|---|
Password-based | More low than high | User submits login/password only | No additional equipment is needed |
Multi-factor | Moderate | User submits at least two identifiers | Offline: Special scanners for obtaining biometrics (if this is one of the factors) Online: A user’s smartphone with an embedded fingerprint scanner or high-quality front (selfie) camera |
Biometric-based | High | User submits one identifier by scanning their fingerprint, iris, face, etc. |
Now let’s dive deeper into these popular authentication types.
Password-based authentication
Authentication through a unique login/password pair is a classic method that still remains a common access management policy in many industries.
How it works in practice
During registration, an individual is asked for a username and password to identify themselves. If these are unique combinations that meet certain requirements—for example, the password may be required to be at least 8 characters and include numbers and special symbols—a new entry associated with this new user is entered into the database. These credentials are used to authenticate them every time they want to sign in.
An email address as a username is a popular option in password-based authentication.
Some organizations, especially those in the Government or Financial Services sectors, set an automatic sign-out from the system when the session expires. This helps prevent attempts from unauthorized persons to use the account.
Pros and cons
Thanks to its simplicity and broad availability, password authentication is the number one option for many companies worldwide. When a user picks a unique and complex password using strong password generators and stores it in a secure wallet or password manager to remember, the scheme works perfectly.
However, that only happens in a perfect world. In reality, the method is highly vulnerable. Compromised passwords (gained through scams or brute force attacks) are one of the main sources of massive data breaches globally. Often, this is the result of poor password hygiene among users who choose insecure options or repurpose the same credentials throughout different accounts.
Multi-factor authentication (MFA)
This method is based on generating at least two identifiers per user. MFA implies the use of three levels of secret data (or factors) during user authentication:
Knowledge (passwords, secret words, personal details, etc.)
Possession (one-time-passwords, push notifications, etc.)
Individual attributes (fingerprints, voiceprints, etc.)
How it works in practice
A multi-step account login process requires more data from users to enter than just a password. This can be a code sent to the user’s email, an answer to a secret question, or a fingerprint scan. The idea is that a second form of authentication will prevent account takeover if the first line of defense (primarily, a password) is broken.
Considering the reliability of the method, in some countries, MFA is obligatory in certain industries, such as Healthcare, to prevent the theft of sensitive information. For example, in the US, there is the California Consumer Privacy Act (CCPA) and Health Insurance Portability and Accountability Act (HIPAA), which regulate MFA implementation.
Pros and cons
The presence of many “locks” enhances the overall system security, complicating the task of intrusion for fraudsters and malicious actors.
However, MFA deployment and maintenance require considerable resources compared to password-based authentication. Moreover, this authentication method is more time-consuming and cumbersome for users, especially when they need to submit two or more factors every time they are about to log in or do some action in the system.
Biometric-based authentication
This type of authentication employs users’ biometrics as the key identifiers. Often, biometric-based authentication is part of an MFA system, in which biometrics are combined with passwords or single-use session codes sent via SMS.
Dive deeper: Discover what biometrics are currently employed to verify users remotely by reading the guide: Biometric Verification Unveiled: Understanding the Basics and Benefits
How it works in practice
The two previous methods assume that the user always remembers their credentials, such as their password, and has their smartphone at hand to receive a secret code. However, the former is easy to forget, while the latter may be unavailable at the right moment.
Biometric authentication is devoid of these shortcomings. When signing up for a service or mobile application, a user submits their unique biological traits instead of or in addition to a password. These include a fingerprint, voice, retina, face, etc. This information is stored in a biometric authentication system to authenticate a user when they access their account. Importantly, biometrics entering the database are typically not raw data but encrypted numeric values associated with users’ IDs which are impossible to exploit in case of leakage.
Various types of biometric authentication are broadly employed by companies from Banking. For example, clients of HSBC in Malaysia can authenticate in the app via Face ID. Image source: www.hsbc.com.my.
Since someone’s fingerprints or iris scans are hard to steal or tamper with, the process can include just one step. For example, mobile banking applications authenticate users through their fingerprints.
Pros and cons
Biometrics helps prove the ownership of the account quickly and easily. Many users possess smartphones with fingerprint scanners or high-res front cameras that can authenticate them in a snap.
But customers frequently have high requirements for services that collect their sensitive information such as facial scans, or even refuse to use them because of privacy concerns. Moreover, biometric-based authentication is frequently a strictly regulated approach, so companies must comply with local legislation to employ the method without any hindrance. This is due to the fact that compromised biometrics (when stored as raw files) can’t be changed, unlike passwords, which can be reset and renewed.
Future trends in user authentication: What's next?
We can close with a provisional conclusion: the more secure the authentication path, the more complicated it is in terms of customer involvement and technical requirements. Of course, less secure yet user-friendly methods can still be enhanced. For example, some services require strong passwords, filtering out threadbare user inputs like “QWERTY” or “password” during registration.
On the other hand, biometric authentication doesn’t guarantee that the system will be safe and sound. Fraudsters can deceive facial recognition algorithms by presenting a high-quality on-screen photo instead of a live selfie, or simulating someone’s voice during voiceprint authentication.
Bad actors can penetrate the system at the initial step, for example, using synthetic identities—”people” who never existed in reality—during identification. In this case, even enhanced types of user authentication are useless since the enemy is already inside as an identified user.
Another big challenge is attacks targeting legitimate users. Their credentials may be compromised if they fall victim to phishing schemes based on sophisticated social engineering tricks. According to a Verizon report, users’ errors or imprudence underlie 68% of the data breaches that have occurred in 2024.
With the human factor as a key threat, businesses will resort to stricter measures—from tightening password policies to implementing user verification as a prerequisite for all new customers. They also may resort to the nuclear option, in which the system checks and terminates all suspicious sessions.
All this would suggest that more and more companies will rely on biometric authentication enhanced with MFA methods. Moreover, the next generation of these authentication tools can improve with more capabilities such as identifying additional user information like their location or device. Providing more context on login attempts, this approach helps detect and flag suspicious user behavior.
As a global developer of identity verification solutions, Regula emphasizes user verification as a key element in IAM practices. The company offers:
Regula Document Reader SDK for thorough identity verification during onboarding
Regula Face SDK for biometric verification based on facial recognition
Regula’s technologies enhance identity fraud prevention and detection through a full set of authentication checks without sacrificing user satisfaction. Fully customizable, the solutions can be seamlessly integrated into web platforms or mobile applications, or deployed onsite for employee access management.
Book a call with one of our representatives to get more details and learn more about your partnership opportunities.
