Authentication Types: what they mean?

iris biometric scanning

You might have wondered what all those authentication types mentioned in our last blog actually meant? Some are well known, but a few are new, so it seemed to make sense to try to give each one a definition or explanation from the many sites that have this information! The result is a random collection of links. They may not be the best available and are certainly not academically based or tried and tested but here goes:

Knowledge: Something a person knows

  • Password – a string of characters that allows access to a computer system or service.
  • PIN – A personal identification number (PIN), or sometimes redundantly a PIN number, is a numeric (sometimes alpha-numeric) passcode used in the process of authenticating a user accessing a system.
  • Knowledge-based challenge questions – Knowledge-based authentication (KBA) is an authentication scheme in which the user is asked to answer at least one “secret” question.
  • Passphrase – A passphrase is a longer string of text that makes up a phrase or sentence.
  • Memorised swiping path – laying your finger on a screen and moving in any direction that covers the memorised characters.

Possession: Something a person has

  • Possession of a device evidenced by one time password (OTP) generated by, or received on a device – “The password or numbers sent to for instance a phone expire quickly and can’t be reused.”
    • Possession of a device evidenced by a signature generated by a device – “hardware or software tokens generate a single-use code to use when accessing a platform.”
    • Card or device evidenced by QR code scanned from an external device – “Quick Response (QR) code used to authenticate online accounts and verify login details via mobile scan or special device.”
    • App or browser with possession evidenced by device binding – “a security chip embedded into a device or private key linking an app to a device, or the registration of the web browser linking a browser to a device”
    • Card evidenced by a card reader – “physical security systems to read a credential that allows access through access control points.”
    • Card with possession evidenced by a dynamic card security code – “Instead of having a static three- or four-digit code on the back or front of the card, dynamic CVV technology creates a new code periodically.”

Inherence: Something about the person e.g. biometrics

  • Fingerprint scanning – “When your finger rests on a surface, the ridges in your fingerprints touch the surface while the hollows between the ridges stand slightly clear of it. In other words, there are varying distances between each part of your finger and the surface below. A capacitive scanner builds up a picture of your fingerprint by measuring these distances.”
  • Voice recognition – “Voice and speech recognition are two separate biometric modalities…By measuring the sounds a user makes while speaking, voice recognition software can measure the unique biological factors that, combined, produce [the] voice.”
  • Hand & face geometry – A biometric that identifies users from the shape of their hands and in the case of Google’s Media Pipe face identification it is complex network of 3D facial keypoints using artificial intellingence etc to analyse the results.
  • Retina & iris scanning – “both ocular-based biometric identification technologies… no person has the same iris or retina pattern”
  • Keystroke dynamics – …”keystroke dynamics don’t require an active input. Instead, keystroke dynamics analyzes the typing patterns of users; this can include typing rhythms, frequent mistakes, which shift keys they use for capitalization and pace.”
  • Angle at which device is held – “the exact angle a user holds the phone as a means of making replay attacks a lot more difficult.”

There has been a debate about which of the above should be considered under the various headings and acceptable as part of a secure multifactor authentication system. If you are interested in these processes and want more information it may be worth reading the Opinion of the European Banking Authority on the elements of strong customer authentication under PSD2. By the way PSD2 means ‘Payment Services Directive 2’ and the UK will be following the directive, but there is an extension for UK e-commerce transactions.

However, in the meantime many organisations other than banking, shopping sites and those that hold personal data have asked users to consider multifactor authentication including the NLive project lead and the University of Southampton that has some helpful instructions.



LexDis introduces its News Blog

Person sitting behind a laptop trying to access a screen button with right hand.

LexDis was set up 14 years ago as a JISC project with learner experiences becoming a series of strategies that demonstrated ways of overcoming accessibility barriers and finding innovations that support digital learning. COVID-19 has meant these types of strategies have become even more important and technology companies have had to provide improved built in options in settings to enhance access to their online offerings.

We have just secured an Innovate UK funded NLive project that is all about evaluating the outcomes of an “automated quality controlled human collaboratively edited closed-caption and live transmission system”. It is a mouth full as well as a challenge! There are added goals to sort out including digital right management issues, improving recording quality for streamed audio and videos, making use of AI and noise cancellation algorithms as well as pesonalising accessibility options. Lots to achieve in a year!

So at the moment we are planning a series of news blogs that will track the outcomes of our endeavours and we will be asking for help along the way!

When evaluating online services for their usability and accessibility it is important to think about how a system will be used. So when we started to think about the elements that might cause barriers we turned to experts in the field last year, then studied the guidelines and articles to build on the knowledge we had gained in the past.

Just last week (August 16th, 2021) a really interesting article by Gareth Ford Williams came to our notice, thanks to Steve Lee. It was all about UX = Accessibility & Accessibility = UX where Gareth talked about evaluations seeming to ‘focus on guidelines rather than user outcomes’. I think that is what we tried to achieve with LexDis, so once again we are on that journey!

Gareth poses the following thought that we are going to hold onto as we explore ways of making it easier for students to access their online learning systems.

“If we step away from the compliance model and think of accessibility being first and foremost about people and the rich diversity we find within any audience, it starts to raise a lot of questions about what ‘good’ actually is.

Gareth goes on to mention “10 Human Intersectional UX Obstacles within any Product or Service’s Design” and presents a series of built in settings and strategies to support user preferences. During the coming year we will explore the challenges for an internet multimedia system and present ideas for overcoming them. Wish us luck!