Multifactor Authentication

Authentication can be accomplished with one factor, two factors, or multiple factors. Which one is the weakest level of authentication and which is the most secure and why? When would a more secure system be required? Be able to explain these multifactor authentication methods: password protection, token presence, voice biometrics, facial recognition, ocular-based methodology, hand geometry, vein recognition, fingerprint scanner, thermal image recognition, and geographical location. What are some challenges of multiple factor authentication when using biometrics? There is a lot of interesting information covered in this article that you do not need to memorize, but that you should be aware of.

3. MFA Operation Challenges

3.1. Usability

The main usability challenges emerging in the authentication process could be characterized from three perspectives:

  • Task efficiency – time to register and time to authenticate with the system;
  • Task effectiveness – the number login attempts to authenticate with the system;
  • User preference – whether the user prefers a particular authentication scheme over another.
In addition to the approaches discussed previously, researchers have already started an investigation of more specific effects in the authentication procedures based on a variety of human factors. The authors of provided a study on how the user age affects the task efficiency in cases of PIN and graphic access mechanisms. It is concluded that younger generation can spend up to 50 percent less time to pass the authentication procedure in both cases. Interestingly, the authors of have shown that gender, in the same case, does not affect the results.

Another direction in the authentication mechanisms usability is related to cognitive properties of the selected human. The work in offered an overview on how to make the passwords memorable while keeping them relatively usable and secure at the same time. Paper by Belk et al. delivered a research on the task completion efficiency and effectiveness among the conventional passwords and the realistic ones. The results revealed that, for most of the participants, the utilization of graphic passwords requires more time than for the textual ones. However, cognitive differences between users, i.e., being Verbal or Imager, affect the task completion significantly. Here, Verbals complete the text-based tasks faster than Imagers and vice versa. The work by Ma et al. studied the impact of disability (Down syndrome) in the same two scenarios. It was once again confirmed that textual passwords are utilized better compared to the graphical ones.

In addition, the properties of the authentication device play a major role in this process. The authors of investigated the usability of textual passwords on mobile devices. It was proven that using a smartphone or other keyboardless equipment for creating a password suffers from poor usability as compared to conventional personal computers. Another work confirmed the same theory from a task efficiency perspective.

Today, most of the online authentication services are knowledge-based, i.e., depend on the username and password combination. More complex systems require the user to interact with additional tokens (one-time passwords, code generators, phones, etc.). Complementing traditional authentication strategies, MFA is not feasible without biometrics. From this perspective, the work in provided an analysis on how gamification and joy can positively impact the adoption of new technology. The gesture-related user experience research conducted in showed that security and user experience do not necessarily need to contradict one other. This work also promoted pleasure as the best way for fast technology adoption. The reference addressed the usability of the ECG solution for authentication, and it was concluded that the application of ECG is not yet suitable for dynamic real-life scenarios.

Many researchers promoted the utilization of personal handheld devices to be utilized during the MFA procedure. Michelin et al. proposed using the smartphone's camera for facial and iris recognition while keeping the decision-making in the cloud. Another work on biometric authentication for an Android device demonstrated an increased level of satisfaction related to higher task efficiency achieved with the MFA solution. Reference studied the usability and practicality of biometric authentication in the workplace. It was concluded that the ease of technology utilization and its environmental context play a vital role – the integration and the adoption will always incur additional and unexpected resource costs.

An extremely important problem of MFA usability roots in the fact that "not all users can use any given biometric system". People who have lost their limb due to an accident may not be able to authenticate using a fingerprint. Visually impaired people may have difficulties using the iris-based authentication techniques.

Biometric authentication requires an integration of new services and devices that results in the need for additional education during adoption, which becomes more complicated for seniors and due to related understandability concerns. One fact is clear – user experience plays a prominent role in successful MFA adoption; some say, "user comes first". Today, research in usable security for knowledge-based user authentication is in the process of finding a viable compromise between the usability and security – many challenges remain be addressed and will arise soon.