PingOne for Customers Plus

Strong Authentication Methods

The PingOne for Customers Plus solution offers the following strong authentication methods, each of which has advantages and disadvantages.

An email magic link, also known as a magic sign-on link, is a convenient way to sign on to an online service, website, or application without entering a traditional username and password. Instead, it relies on a unique link that’s sent to the user’s email address, which acts as a one-time authentication token.

| Use cases | Benefits | Challenges |
| --- | --- | --- |
| Web applications | Reduced password fatigue | Email security concerns |
| Mobile apps | Lower support costs | User skepticism |
| Temporary or infrequent sign ons | Mobile-friendly | Expired links and usability issues |
| Password recovery | Reduced risk of password breaches | Phishing risks |
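
The following added example (not PingOne code or part of the original page) sketches the server side of a magic link as described above: a random token that is valid once and only for a limited time. The `MagicLinkStore` class, the `app.example.com` URL, and the 10-minute lifetime are assumptions made for illustration.

```python
import hashlib
import secrets
import time

LINK_TTL_SECONDS = 600  # assumed 10-minute lifetime; tune to your risk appetite


class MagicLinkStore:
    """In-memory stand-in for a server-side token table (hypothetical)."""

    def __init__(self, base_url="https://app.example.com/signin"):
        self.base_url = base_url
        self._pending = {}  # sha256(token) -> (email, expires_at)

    def issue(self, email, now=None):
        """Return the link to email; only the token's hash is kept server-side."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[digest] = (email, now + LINK_TTL_SECONDS)
        return f"{self.base_url}?token={token}"

    def redeem(self, token, now=None):
        """Return the email the token authenticates, or None if rejected."""
        now = time.time() if now is None else now
        digest = hashlib.sha256(token.encode()).hexdigest()
        # pop() makes the token single-use: a replayed link finds nothing.
        entry = self._pending.pop(digest, None)
        if entry is None:
            return None  # unknown, already used, or altered token
        email, expires_at = entry
        if now > expires_at:
            return None  # expired link; the user must request a new one
        return email


def demo():
    """Constructed scenario: one valid use, one replay, one expired link."""
    store = MagicLinkStore()
    link = store.issue("alice@example.com", now=1_000)
    token = link.split("token=", 1)[1]
    first = store.redeem(token, now=1_100)   # within lifetime
    replay = store.redeem(token, now=1_101)  # same link clicked again
    late_link = store.issue("alice@example.com", now=2_000)
    late = store.redeem(late_link.split("token=", 1)[1], now=2_601)
    return first, replay, late


if __name__ == "__main__":
    print(demo())
```

Storing only the hash means a leaked token table cannot be turned back into usable links, and the expiry and single-use checks are what produce the "expired links" usability trade-off listed in the table.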

One-time passcodes (email and SMS)

A one-time passcode (OTP) is an authentication method used to provide a secure and convenient way for users to sign on to their accounts or access sensitive information. In this solution, users are authenticated with username and password and issued a step-up authentication request through a one-time code delivered via the email address or phone number (through SMS) registered with their account.

| Use cases | Benefits | Challenges |
| --- | --- | --- |
| Low-risk accounts | Improved security | Delivery reliability and security |
| Account recovery | No passwords to remember | Mobile number changes |
| Limited access | User trust and adoption | Phishing risks |
| Early stages of user onboarding | Frictionless user experience | Expired OTPs |

FIDO2 (biometrics, passkeys, security keys)

Fast IDentity Online (FIDO) 2 is an authentication standard developed by the FIDO Alliance that enables passwordless or step-up authentication using biometric data. FIDO2 is designed to enhance the security and user experience of online authentication by adding an authentication factor or by replacing traditional passwords with the following more secure and convenient methods:

FIDO2 biometrics

Incorporates biometric authentication techniques, such as fingerprint recognition, facial recognition, iris scanning, or voice recognition, to verify a user’s identity. Instead of relying on static passwords, FIDO2 biometrics relies on unique biological characteristics that are difficult to replicate, providing a higher level of security against various authentication threats.

FIDO2 passkeys

Give users the ability to sign on to their accounts by accessing their FIDO2 credentials on many of their devices that have been enrolled in multi-factor authentication (MFA). Passkeys reduce the risk of phishing, all forms of password theft (including password-spraying brute-force attacks), and credential stuffing attacks.

FIDO2 security keys

Physical hardware devices used for strong authentication based on the FIDO2 standard. These devices are designed to provide a highly secure way for users to authenticate to online services and applications.

| Use cases | Benefits | Challenges |
| --- | --- | --- |
| Online banking | Enhanced security | Biometric accuracy |
| Healthcare records | High phishing resistance | Potential for spoofing and presentation attacks |
| Government services | Multi-platform compatibility | Data privacy and regulations |
| E-commerce platforms | Privacy protection | User acceptance |

Authenticator app (TOTP)

An authenticator app is a strong authentication method used to enhance security and streamline authentication by generating temporary OTPs. It offers a convenient and secure way to implement two-factor authentication, significantly enhancing the security of online accounts and protecting users from cyber threats, such as phishing attacks and credential theft.

| Use cases | Benefits | Challenges |
| --- | --- | --- |
| Time-based password generation | Enhanced security through short-lived passcodes | User adoption and education |
| Multi-account support | Better user experience | Backup and recovery mechanisms |
| Security | Strong encryption techniques | Expired codes and usability issues |
| Customization and branding | Reduced dependency on less secure MFA methods (for example, SMS) | Technical issues impeding brand reputation |

Voice (OTP)

Voice OTP is a strong authentication method that can be used as a step-up authentication request following a password. When initiated, the system sends a voice OTP to the user through a phone call to the number already associated with the account. After receiving the OTP, the user enters it in the relevant field before it expires. This method is highly accessible because all it requires is a phone.

| Use cases | Benefits | Challenges |
| --- | --- | --- |
| Low-risk accounts | Improved security | Delivery reliability and security |
| Account recovery | No passwords to remember | Phone number changes |
| Limited access | User trust and adoption | Phishing risks |
| Early stages of user onboarding | Frictionless user experience | Expired OTPs |

Mobile application

PingOne MFA has an SDK for mobile that allows you to integrate MFA capabilities into your mobile apps for Android and iOS. The mobile app can be either an authenticator-only app that handles second-factor authentication or a complete business app that handles the full user experience, meaning both access and authentication.

| Use cases | Benefits | Challenges |
| --- | --- | --- |
| Security | Strong encryption techniques | Expired codes and usability issues |
| Customization and branding | Seamless native experience from your application | Requires additional development resources |