--- title: Strong Authentication Methods description: Learn about authentication methods that can be used in the Healthcare flow pack. component: pingone-solutions page_id: pingone-solutions:healthcare:healthcare-authentication-methods canonical_url: https://docs.pingidentity.com/pingone-solutions/healthcare/healthcare-authentication-methods.html revdate: January 29, 2025 section_ids: email-magic-link: Email magic link one-time-passcodes-email-and-sms: One-time passcodes (email and SMS) fido2-biometrics-passkeys-security-keys: FIDO2 (biometrics, passkeys, security keys) authenticator-app-totp: Authenticator app (TOTP) voice-otp: Voice (OTP) mobile-application: Mobile application --- # Strong Authentication Methods The Healthcare flow pack solution offers the following strong authentication methods, which each have advantages and disadvantages. ## Email magic link An email magic link *(tooltip: \
\

A passwordless authentication method that involves the authentication service sending a single-use sign on link to the user by email or SMS.\

\
)*, also known as a magic sign-on link, is a convenient way to sign on to an online service, website, or application without entering a traditional username and password. Instead, it relies on a unique link that's sent to the user's email address, which acts as a one-time authentication token. | Use cases | Benefits | Challenges | | -------------------------------- | --------------------------------- | ---------------------------------- | | Web applications | Reduced password fatigue | Email security concerns | | Mobile apps | Lower support costs | User skepticism | | Temporary or infrequent sign ons | Mobile-friendly | Expired links and usability issues | | Password recovery | Reduced risk of password breaches | Phishing risks | ## One-time passcodes (email and SMS) A one-time passcode (OTP) *(tooltip: \
\

A passcode valid for only one sign-on or transaction on a computer system or other digital device. Also known as a one-time password, one-time PIN, or dynamic password.\

\
)* is an authentication method used to provide a secure and convenient way for users to sign on to their accounts or access sensitive information. In this method, users are authenticated with username and password and issued a step-up authentication request through a one-time code delivered using the email address or phone number (through SMS) registered with their account. | Use cases | Benefits | Challenges | | ------------------------------- | ---------------------------- | --------------------------------- | | Low-risk accounts | Improved security | Delivery reliability and security | | Account recovery | No passwords to remember | Mobile number changes | | Limited access | User trust and adoption | Phishing risks | | Early stages of user onboarding | Frictionless user experience | Expired OTPs | ## FIDO2 (biometrics, passkeys, security keys) Fast IDentity Online (FIDO) *(tooltip: \
\

A set of open technical specifications developed by the FIDO Alliance for strong authentication.\

\
)* is an authentication standard developed by the [FIDO Alliance](https://fidoalliance.org/) that enables passwordless or step-up authentication using biometric data. FIDO2 is designed to enhance the security and user experience of online authentication by adding an additional authentication factor or by replacing traditional passwords with the following more secure and convenient methods: * FIDO2 biometrics Incorporates biometric authentication techniques, such as fingerprint recognition, facial recognition, iris scanning, or voice recognition, to verify a user's identity. Instead of relying on static passwords, FIDO2 biometrics relies on unique biological characteristics that are difficult to replicate, providing a higher level of security against various authentication threats. * FIDO2 passkeys Enable users the ability to sign on to their accounts by accessing their FIDO2 credentials on many of their devices that they've enrolled in multi-factor authentication (MFA) *(tooltip: \
\

An electronic authentication method where a user is granted access only after presenting two or more verification factors for authentication.\

\
)*. Passkeys reduce the risk of phishing, all forms of password theft (including password spraying brute force attacks), and credential stuffing attacks. * FIDO2 security keys Physical hardware devices used for strong authentication based on the FIDO2 standard. These devices are designed to provide a highly secure way for users to authenticate to online services and applications. | Use cases | Benefits | Challenges | | -------------------- | ---------------------------- | ----------------------------------------------- | | Online banking | Enhanced security | Biometric accuracy | | Healthcare records | High phishing resistance | Potential for spoofing and presentation attacks | | Government services | Multi-platform compatibility | Data privacy and regulations | | E-commerce platforms | Privacy protection | User acceptance | ## Authenticator app (TOTP) An authenticator app is a strong authentication method used to enhance security and streamline authentication by generating temporary OTPs. This method offers a convenient and secure method for implementing two-factor authentication, significantly enhancing the security of online accounts and protecting users from cyber threats, such as phishing attacks and credential theft. | Use cases | Benefits | Challenges | | ------------------------------ | ---------------------------------------------------------------- | ------------------------------------------ | | Time-based password generation | Enhanced security through short-lived passcodes | User adoption and education | | Multi-account support | Better user experience | Backup and recovery mechanisms | | Security | Strong encryption techniques | Expired codes and usability issues | | Customization and branding | Reduced dependency on less secure MFA methods (for example, SMS) | Technical issues impeding brand reputation | ## Voice (OTP) Voice OTP is a strong authentication method that can be used as a step-up authentication request following a password. When initiated, the system sends a voice OTP to the user through a phone call to the number already associated with the account. After receiving the OTP, the user enters it in the relevant field before it expires. This method is highly accessible because all it requires is a phone. | Use cases | Benefits | Challenges | | ------------------------------- | ---------------------------- | --------------------------------- | | Low-risk accounts | Improved security | Delivery reliability and security | | Account recovery | No passwords to remember | Phone number changes | | Limited access | User trust and adoption | Phishing risks | | Early stages of user onboarding | Frictionless user experience | Expired OTPs | ## Mobile application PingOne MFA has an SDK for mobile that allows you to integrate MFA capabilities into your mobile apps for Android and iOS. The mobile app can be either an authenticator-only app that handles second-factor authentication or a complete business app that handles the full user experience, meaning both access and authentication. | Use cases | Benefits | Challenges | | -------------------------- | ------------------------------------------------ | ----------------------------------------- | | Security | Strong encryption techniques | Expired codes and usability issues | | Customization and branding | Seamless native experience from your application | Requires additional development resources |