back arrowBack to Identipedia

A Guide to User Authentication Methods

What is authentication thumbnail


Studies from 2022 indicate that legacy authentication methods are failing organizations, despite an overwhelming majority (87%) that feel their approach is secure. Attackers have discovered ways to target both password-based authentication methods and more advanced methods (like MFA) at increasing rates. This makes selecting the right authentication method a critical part of software development.

There are many types of authentication that app developers and end users can rely on to control access to sensitive data and systems. Each has its relative strengths and weaknesses, which should be considered throughout the development process.

Password-based authentication

One of the most common authentication methods employs passwords or passcodes to grant access. Users input a username and password known only to them to verify their identity. This is among the simplest authentication methods to implement as nearly everyone is familiar with how it works, regardless of their tech literacy.

However, password-based authentication is much less secure than other methods. Here are some disadvantages of using password-based authentication:

  • Weak passwords: Users often choose weak passwords that are easy to guess or crack, such as common words, personal information, or simple sequences. Regardless of length and complexity, passwords can also be stolen, elicited in social engineering attacks, or otherwise compromised in brute force or dictionary attacks. Over 721 million passwords were leaked in 2022 alone.

  • Password reuse: Many users tend to reuse passwords across multiple accounts, which increases the risk of a security breach. If one account is compromised, attackers can gain access to other accounts as well through credential stuffing attacks.

  • Forgotten or lost passwords: Users often forget their passwords, leading to frustration and the need for password recovery or reset processes. This can result in additional support and administrative overhead.

  • Vulnerability to phishing and social engineering: Password-based authentication is susceptible to social engineering attacks, where attackers manipulate users into revealing their passwords or related information through deception or coercion. Attackers can also create fake phishing sites to harvest user credentials.

  • Lack of scalability: As the number of users and accounts grows, managing and securing a large number of passwords becomes challenging. Scaling password-based authentication may require additional resources and security measures.

Passwordless authentication

Passwordless authentication methods include solutions that forego a static password in favor of other authenticating factors. Passwordless solutions can be single-factor or MFA and rely primarily on possession and inherence factors. Common approaches include:

  • Magic links – Instead of asking for a password, your app can request an email address or phone number to send a link to the user, identifying them by their access to said account and / or device.

  • One-time passwords (OTP) – Rather than sending a link, you can send users a unique, randomized string of characters that functions like a password but only for one session.

  • Authenticator apps – You can also require users to retrieve a time-based OTP (TOTP) from apps like Google Authenticator and Authy, with codes expiring after a set interval (usually 60 to 90 seconds).

On the user side, not having to remember a password removes cognitive load and increases their engagement with the app. For organizations, not having to manage passwords frees up bandwidth and reduces overall identification and access management (IAM) expenses. It also greatly reduces the likelihood of account takeover and breaches due to stolen passwords (since there aren’t any passwords to steal).

The best passwordless systems make it very easy for developers to add authentication to their apps without having to write lots of custom code. At the same time, developers prefer third-party systems that give them the ability to customize and modify authentication flows with time. 

Multi-factor authentication (MFA)

Unlike simple password-based authentication, multi-factor authentication (MFA) requires at least two factors to verify a user’s identity and grant them access to a digital environment. This makes MFA significantly more secure since even compromised passwords don’t grant access on their own.

Most factors used for MFA fall into one of three categories:

  • Knowledge factors: Users are required to input information that only they know, like passwords, answers to security questions, or personal identification numbers (PINs).

  • Possession factors: Users leverage devices or accounts that only they can access by receiving a code or link through a secondary channel with instructions on how to use it.

  • Inherence factors: Users are prompted to authenticate their identity using a bodily identifier that only they can provide, such as a retina or fingerprint scan.

Fig: Common MFA factors
Fig: MFA factors

Although MFA helps protect accounts with compromised passwords, it does have vulnerabilities. Cybercriminals employ various tactics (like phishing, malware, and social engineering techniques) to exploit these weaknesses and bypass MFA security measures.

Biometric authentication

Biometric authentication is a secure, convenient, and passwordless method of verifying an individual's identity by utilizing unique physical or behavioral characteristics. By relying on traits such as fingerprints, iris patterns, voice or facial recognition, biometric authentication provides a highly reliable means of access control and identification. 

The technology behind biometrics involves capturing and analyzing these distinct physical characteristics and converting them into digital templates that are stored securely on local devices. When authentication is required, the presented biometric data is compared against the stored templates to determine a match. 

This sophisticated approach offers numerous advantages, including:

  • Increased security: Biometric traits are almost impossible to replicate or forge.

  • Enhanced user experience: Individuals no longer need to remember and manage complex passwords or PINs.

As a result, biometric authentication is becoming increasingly prevalent in various domains, ranging from smartphones and laptops to border control systems and financial institutions, revolutionizing the way we protect sensitive information and establish trust.

The recent rise of passkeys based on the WebAuthn standard is the strongest example of biometrics being an authentication method preferred by users and organizations alike. With passkeys now supported by Google, Apple, Microsoft, and Shopify, biometrics are sure to grow in adoption in the years to come.

Token-based authentication

User authentication can also leverage physical assets, or tokens, to verify identity. This is a possession-based approach where the user is associated with a physical object such as a USB key or trinket that contains a unique identifier. Hardware tokens based on the FIDO2 standard are among the strongest forms of authentication available today.

Typically, the identifier is a randomized sequence of information like a cryptographic key or a code (i.e., bar or QR) that an input device can scan.

Here are some advantages of using token-based authentication: 

  • Less vulnerable to digital theft: Tokens are less vulnerable to attacks like phishing or digital theft since an attacker has to seize possession of the token to gain the access it grants. Cloudflare was able to thwart a phishing attack recently because their employees used security keys.

  • Enhanced security: Tokens offer increased security compared to passwords, making them impervious to attacks such as brute force or dictionary attacks.

  • Scalability: Token-based authentication is highly scalable, as it does not require server-side session storage. This makes it suitable for organizations with a large number of employees.

Since it’s unrealistic to expect users to own dedicated security keys, this authentication method is most prevalent in workforce scenarios i.e. for employees to authenticate on corporate apps and systems.

Factors to consider when choosing an authentication method

Both consumer and enterprise software relies on user authentication methods for secure and efficient user account management. As you configure auth in your next software project, you should weigh the following factors to determine which approach is best suited to your needs:

  • Security: Choose an authentication method that secures customer identities without imposing too much friction during the authentication process. 

  • Scalability: An authentication method that works seamlessly for smaller businesses may not be as well-suited to larger enterprises. If you are a small business or early-stage startup, choose an authentication method that can scale with any potential future growth.

  • User experience (UX): Think about the ways your authentication method will make account management easier and more intuitive every time customers log in. Try to minimize burdens like memorizing complex passwords or answers to security questions.

  • Compatibility: Your authentication method should fit in seamlessly with the tech stacks and environments end users are working within. Try to avoid overlapping or conflicting methods and consider integrations like single sign-on (SSO) functionality if you are building a business app.

  • End user preference: If possible, conduct user research to glean which authentication methods your app’s users are already familiar with. Your users’ demographics, preferred devices, perceptions of privacy, and geolocation all play a role in the authentication methods they prefer.

  • Compliance: Several regulatory frameworks have IAM requirements you’ll need to uphold. For example, the Payment Card Industry (PCI) has long required MFA for DSS compliance, with increased burdens on non-console access implemented in 2017.

  • Cost: Building authentication comes at a cost, especially if done in-house. Consider how adding an authentication method will impact your app’s architecture and code, what supporting systems you need to put in place (e.g. reset processes, account recovery), and whether you need to add fraud prevention controls in place.

When choosing between user authentication methods, you should prioritize solutions that make developers’ and end users’ lives easier without compromising on security.

Simplify your authentication with Descope

There are many types of authentication developers can use when designing an application, but the bottom line is that building authentication in-house can get complicated quickly. 

Descope can help you easily add any authentication method (including passwordless and password-based mechanisms) to your app using drag-and-drop workflows. Our workflows also let you easily modify or update authentication methods in the future without rewriting your app’s code.

Sign up for Descope to streamline your app’s authentication method today.