Over the past five years, mobile usage has overtaken desktop usage across multiple dimensions. In 2020, 51% of time spent online in the U.S. is on a mobile device. Given this rapid shift to mobile, it’s worth taking a look at the brief history of digital authentication and evolution to meet the challenges of today’s mobile user. Two-factor authentication (2FA) has been particularly challenging to the user experience.
Digital authentication started with the computer password, an invention by Fernando Corbato in the 1960s, and it was sufficient in the early stages. Passwords were the logical starting point for internet security since they had been used as a method of authentication for centuries leading up to the computer. The earliest reference to passwords appeared back in ancient Mesopotamia. However, by the early 2000s the difficulties with passwords became apparent. In 2004 Bill Gates declared that passwords were inherently weak and could not be relied on going forward. By 2014 even Fernando Corbato himself admitted that passwords had become “kind of a nightmare.”
In the early 2000s, the current shift to two factor (2FA) and multi-factor authentication (MFA) began, but the adoption of multi-factor authentication was not swift. The major reason being that with the added security of 2FA and MFA came added friction. While in the past five years, almost every app or website has used a combination of authentication techniques to improve security, the struggle of balancing the added friction continues.
While Bill Gates may have been early to identify the risks with passwords, his pursuit of smart card technology as a substitute has been hindered by its complexity. While smart card technology certainly provides strong security, the expense and complexity of requiring smart card reader hardware explains its lack of acceptance across the industry.
Also, with the advent of the smartphone in the early 1990s and the rapid growth of mobile usage, digital authentication methods have had to adapt quickly to the different usage pattern of mobile users as well as the different form factor of mobile devices with minimal keyboard functionality.
Early on, the use of SMS based two-factor authentication seemed like a great idea until fraudsters figured out how to port a user’s phone number to their phone and consequently access one-time passcodes (OTP) sent via SMS. The scheme is now known as a SIM swap attack.
SMS-based two-factor authentication is definitely one of the techniques that is on its way out and is, in fact, a deprecated method, as outlined in the NIST SP 800-63 Identity guidelines. Push notifications have now superseded SMS as a preferred method for sending OTP codes.
With the multitude of options to deploy two-factor authentication, one of the biggest trends is a shakeup of preferred two-factor authentication methods. 2FA methods that have more friction and are more expensive to deploy are being substituted for ones that are frictionless, more secure and cheaper.
Mobile use cases are now dictating the next stage in the evolution of digital authentication. The growth of smartphones and mobile internet usage has led to a user base characterized by short attention spans. This places additional challenges on any security method that adds friction and delay to the user experience. The balance has tilted firmly in the direction of optimizing the user experience for mobile users at all costs.
So what does this mean for authentication choices for mobile users?
Many apps and websites are taking the path of offering the user a choice of 2FA methods and letting the user decide their preference. The development of the FIDO standard, and now FIDO2, with its many options for authentication, has provided a road map for implementing MFA. These choices offer varying degrees of security and friction. In some cases, the addition of 2FA adds security but takes away from the user experience.
What are the choices?
The points in the table below indicate whether security and user experience has been positively or negatively affected by the different methods of two factor authentication. The scoring is on a scale of -2 to +2, where 0 means no impact, -2 means a strongly negative impact and +2 means a strongly positive impact.
Method |
Security |
User Experience |
Net Result of 2FA |
OTP SMS |
0 |
-2 |
-2 |
OTP Push |
+1 |
-2 |
0 |
Security Key |
+2 |
-2 |
0 |
Biometric |
+1 |
-1 |
0 |
Behavioral Biometrics |
+2 |
0 |
+2 |
Apps offering a combination of different types of authentication methods are expected to continue and behavioral biometrics is continually drawing attention because of its ability to add security without subtracting from the user experience with added friction.
The role of behavioral biometrics
Identifying the unique behavioral traits of a user is the essence of behavioral biometrics and it offers the opportunity to uniquely identify and authenticate users without requiring them to do anything other than be themselves. Behavioral biometrics offer the ultimate user experience for security without adding friction.
Surprisingly, the earliest form of behavioral biometrics was the telegraph, first used in the 1860s. Telegraph operators could be identified by how they uniquely tapped dash and dot signals. Mouse movements and keystroke patterns were some of the first web-centric indicators used to define users. Today there are many behavioral signals that can inform our digital identity including gait, voice, gesture and location.
For mobile users, location behavioral biometrics is emerging as the strongest behavioral signal that uniquely defines a user. Today’s mobile users are very seldom separated from their mobile devices by more than a few feet. Mobile devices are often in our pockets, our purses, beside us on our work desks, in the kitchen, in the bathroom, and next to us when we sleep. Using a combination of network signals including GPS, Wi-Fi and Bluetooth, and on-device signals such as accelerometers, gyroscopes and magnetometers, location behavioral biometrics can now build unique location behavior patterns with indoor precision as close as seven feet. With no two users sharing the same location behavior history, this unique location pattern forms a dynamic location fingerprint that is virtually impossible to mimic or forge. Traditional biometrics such as your fingerprint, face, and iris are static credentials which, once stolen, are useless. A location fingerprint is dynamic and constantly changing, enabling the user to always be one step ahead of the fraudster.
As an industry, we need to adopt a mind shift that security should not come at the expense of user experience. With mobile usage as a dominant channel going forward, authentication techniques need to move beyond two steps forward for authentication and one step backward for user experience. Just as passwords are being discarded because of the high friction they create for users, new multi-factor authentication (MFA) techniques will be selected and become preferred because they add security without taking away from the user experience. Behavioral biometrics is one of the new MFA techniques that offers users the choice of better security and user experience.