This guide describes various authenticator types and provides examples and considerations for their use. It does not prescribe the use of any specific authenticator.
Help us create the best guidance possible
If you would like anything added to or clarified in this guidance, email the Identification Management team identity@dia.govt.nz.
This guidance will evolve and expand over time to meet the needs of users and is part of the wider Identification Standards.
Authentication and authenticators
Authentication is a process by which an entity, who has already enrolled with a service or organisation, is subsequently recognised on their return without having to fully repeat the enrolment process.
Authenticators are mechanisms used within an authentication process. They are things known and/or possessed and controlled by an entity that they use to be recognised when they return to a service or organisation.
Authentication factors
Authenticators are classified by 3 different authentication factors, generally described as:
something you know
something you have
something you are.
During an authentication process an authenticator holder is challenged to respond to the authentication factor the authenticator uses.
‘Something you know’-type authenticators are challenges based on information or patterns that you know or need to remember.
Common examples are memorised secrets (such as a personal identification number (PIN) and passwords) but also include swipe patterns such as those used to unlock mobile phones.
They do not include questions asked in order to associate an entity with entity information where no pre-arranged authenticator exists, such as knowledge-based questions drawn from the history of the relationship (for example, the last purchase made).
Memorised secrets
Description
A memorised secret is a secret value that is intended to be chosen by and memorable to a person. Memorised secrets are generally made of letters, words and/or numbers but other options that use pictures or patterns also exist.
Examples
Personal Identification Numbers (PINs), passwords, pass phrases, combinations (as used in combination locks) and pattern locks (swipe and picture based).
Considerations
Memorised secrets are a common type of authenticator, however they are often:
forgotten, increasing administration costs
shared with other people, inadvertently or deliberately
written down
reused
guessed or surmised
discovered by trying many possibilities or combinations.
Memorised secrets can become known to a third party if they are communicated in any way that is not private to the 2 intended parties.
A memorised secret obtained by another person does not stop the authenticator holder from continuing to use it. Therefore, unauthorised use may not be detected and could continue until the secret is changed.
Authentication processes that use memorised secrets are easy to deploy, as special equipment or software isn’t required.
Memorised secrets are often used in conjunction with one-time code generators or cryptographic keys to provide multiple factors for authentication. See also:
One-time code generators
Cryptographic keys
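As an added example (not part of this guidance or of any DIA system), the following Python shows how a challenger can store and verify a memorised secret so that the ‘guessed’ and ‘discovered by trying many possibilities’ risks listed above are harder to realise: only a salted, deliberately slow hash of the secret is kept, the comparison is constant-time, and an account is locked after repeated failures. The class and function names, the scrypt parameters and the lock-out limit are assumptions chosen for the example.

```python
"""Added example (not from the guidance): server-side handling of a memorised
secret.  The verifier stores only a salted, slow hash and throttles failed
attempts, which blunts the 'trying many possibilities' risk.  All parameters
and sample values are constructed for the example."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# scrypt parameters: deliberately slow so that each guess costs real CPU time.
# n=2**14 keeps the example quick; production deployments tune this upward.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
MAX_FAILED_ATTEMPTS = 5  # assumed lock-out policy


def hash_secret(secret: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, hash).  A fresh random salt per account means two people
    who chose the same password still get different stored values."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.scrypt(secret.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return salt, digest


class SecretVerifier:
    """Holds per-account records: salt, hash and a failed-attempt counter."""

    def __init__(self) -> None:
        self._records: Dict[str, dict] = {}

    def enrol(self, username: str, secret: str) -> None:
        salt, digest = hash_secret(secret)
        self._records[username] = {"salt": salt, "hash": digest, "failed": 0}

    def verify(self, username: str, attempt: str) -> str:
        """Return 'ok', 'bad_secret', 'locked' or 'unknown_user'.  These codes
        are for the challenger's own logging; the message shown to the person
        should be the same for every failure so usernames are not confirmed."""
        record = self._records.get(username)
        if record is None:
            hash_secret(attempt, salt=b"\x00" * 16)  # burn equivalent work (timing)
            return "unknown_user"
        if record["failed"] >= MAX_FAILED_ATTEMPTS:
            return "locked"
        _, digest = hash_secret(attempt, salt=record["salt"])
        # Constant-time comparison avoids leaking how many leading bytes matched.
        if hmac.compare_digest(digest, record["hash"]):
            record["failed"] = 0
            return "ok"
        record["failed"] += 1
        return "locked" if record["failed"] >= MAX_FAILED_ATTEMPTS else "bad_secret"
```

The lock-out counter addresses guessing against a single account; guessing one common password across many accounts needs a separate, per-source rate limit that this example does not include.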
Shared secrets
Description
Pre-arranged information (usually personal) assumed to be unknown by anyone other than the authenticator holder and the challenger.
Examples
Pre-registered security questions (for example, name of first pet).
A password or passphrase that is known to both parties.
A complex one-time password sent via a physical channel with tamper-evident seal, on first-time registration or later as a password reset. Usually accompanied by a request to change password on use.
Pre-registered categories of things — such as dogs, cars, boats and flowers. Each time the person logs into the website they are presented with a randomly generated grid of images with alphanumeric characters overlaid on them. The person enters the alphanumeric characters associated with the pre-chosen categories to form a single-use access code. This is a rare example of a shared secret.
Considerations
Unchangeable information (for example, mother’s maiden name) loses value when it becomes known.
Information that changes over time (for example, pet’s name, favourite movie) is more difficult to remember.
The value of such information as an authenticator is degraded as more organisations collect it.
The information can often be easily discovered by an attacker through research or observation.
Where organisations use simple and/or repeated patterns as initial passwords they leave themselves open to attackers, especially where the username is known (for example, an email address). The window of opportunity runs from the creation of the user name until the entity changes their password.
One-time passwords (OTPs)
Description
One-time passwords are not strictly something that is known. They are generally part of a response step to a challenge against something an entity possesses. Each password can only be used once and is distinct from any other password. This prevents some forms of identity theft by making sure a password cannot be used a second time.
Typically, the one-time password is used in conjunction with a user name and static password, and the one-time password changes with each logon. See:
One-time code generators
One-time code receivers
Something you have
‘Something you have’-type authenticators are challenges that test possession of a unique physical object, such as a bank or access card or mobile phone. The test can be on the physical presence of the object itself, or a code or identifier that is linked to the object, such as a code sent by short message service (SMS) to a mobile device, or a code displayed on a hardware token.
Document or card
Description
A physical document or card, often also containing information related to the entity. They may include security features to reduce the likelihood it could be tampered with or reproduced.
Examples
An access card, membership card, licence, or passport.
Considerations
Without some other aspect to them (for example, an image of the holder or PIN), they can easily be used by an entity other than the authenticator holder.
A lack of security features and/or the variety of documents and cards make it difficult for reliable detection of genuine items, without specialist training and scanning mechanisms.
Documents and cards often contain additional information not required for the purpose of authentication.
Recognisable device
Description
Like a document or card, it is now common for the possessed item to be a device.
Examples
Physical presentation of a mobile phone, RFID or NFC device.
Online interactions that use device characteristics, such as the MAC address or International Mobile Subscriber Identifier (IMSI), of a computer or mobile phone that has already been established as belonging to the authenticator holder. This is known as device fingerprinting.
Considerations
Without some other aspect to them (for example, an image of the holder or PIN), they can easily be used by an entity other than the authenticator holder.
Without additional security features it is possible for a copy to be presented. See also, Cryptographic keys
Look-up codes
Description
A look-up code authenticator is a set of codes shared between the entity and the challenger. The codes can be stored physically or electronically. An entity uses the authenticator to look up the appropriate code needed to respond to a prompt from the challenger. Look-up codes are a type of one-time passwords.
Examples
A person is provided with a grid card (sometimes called a ‘bingo’ or ‘battleship’ card) made up of letters and numbers laid out in rows and columns. On challenge they are given a grid reference and reply with the specific value from the card at that reference.
An entity is issued a list of codes, each of which can only be used once. Each time the entity authenticates they use the next item on the list.
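As an added example (not from this guidance), the following Python implements the challenger side of both look-up code forms just described: a sequential list of single-use codes and a grid card challenged by cell reference. The challenger keeps only salted hashes of the values, so a copy of its records does not reproduce the card, and a value or cell that has been used cannot succeed again. The names, code lengths and grid size are assumptions for the example.

```python
"""Added example (not from the guidance): issuing and verifying look-up codes.
Covers a sequential list of single-use codes and a grid ('bingo') card
challenged by cell reference.  All values are constructed for the example."""
import hashlib
import hmac
import secrets
import string
from typing import Dict, List, Optional, Set

ALPHABET = string.ascii_uppercase + string.digits


def _hash(value: str, salt: bytes) -> bytes:
    return hashlib.sha256(salt + value.encode()).digest()


def issue_code_list(count: int = 10, length: int = 8) -> List[str]:
    """Codes handed to the entity (printed or saved); the challenger keeps hashes."""
    return ["".join(secrets.choice(ALPHABET) for _ in range(length))
            for _ in range(count)]


def issue_grid_card(rows: int = 5, cols: int = 5) -> Dict[str, str]:
    """Cell reference (e.g. 'B3') -> two-character value, given to the entity."""
    return {f"{string.ascii_uppercase[r]}{c + 1}":
            secrets.choice(ALPHABET) + secrets.choice(ALPHABET)
            for r in range(rows) for c in range(cols)}


class CodeListVerifier:
    """Sequential single-use list: the entity uses the next unused code."""

    def __init__(self, codes: List[str]) -> None:
        self._salt = secrets.token_bytes(16)
        self._hashes = [_hash(c, self._salt) for c in codes]
        self._next = 0  # index of the next code that is still valid

    def remaining(self) -> int:
        return len(self._hashes) - self._next

    def verify(self, submitted: str) -> bool:
        if self._next >= len(self._hashes):
            return False  # list exhausted: the entity must be re-issued
        ok = hmac.compare_digest(_hash(submitted, self._salt), self._hashes[self._next])
        if ok:
            self._next += 1  # consumed: the same code can never succeed again
        return ok


class GridCardVerifier:
    """Grid card: the challenger names a cell, the entity replies with its value."""

    def __init__(self, card: Dict[str, str]) -> None:
        self._salt = secrets.token_bytes(16)
        # Only hashes are retained once the card has been issued.
        self._hashes = {cell: _hash(v, self._salt) for cell, v in card.items()}
        self._used: Set[str] = set()

    def challenge(self) -> Optional[str]:
        """Pick a cell not yet used in a challenge; None when the card is spent."""
        unused = [c for c in self._hashes if c not in self._used]
        return secrets.choice(unused) if unused else None

    def verify(self, cell: str, submitted: str) -> bool:
        if cell in self._used or cell not in self._hashes:
            return False
        self._used.add(cell)  # each cell answers one challenge only, right or wrong
        return hmac.compare_digest(_hash(submitted, self._salt), self._hashes[cell])
```

Because every successful use consumes a code or cell, the challenger can tell when a card is nearly spent and trigger the re-issue process noted in the considerations.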
Considerations
Challengers need to install compatible open source/standards based or proprietary software including the capability to manage grid-based mechanisms. For physical cards, secure processes are required to administer distribution, enrolment, replacement and deactivation.
Physical records have the same problems as written-down passwords — they may be copied or discovered and used without the authenticator holder’s knowledge. Loss of the set of codes is equivalent to the loss of a memorised secret.
Some types of look-up codes need to be re-issued on a regular basis, especially if the codes are used frequently.
One-time code generators
Description
A one-time code generator uses a secret initial value from which a mathematical function generates subsequent values on a device, either at intervals (time-based) or on request (event-based). One-time code generators can be held on either a dedicated device (hardware token) or as software (software token) implemented on a non-dedicated device such as a mobile phone.
During authentication an entity is challenged to show they maintain possession and control of the device by returning the current code to the challenger. Returning the code can include manually entering a displayed code, some other means of transmission from a dedicated device, or by directly or indirectly using the software involved in the authentication process on a non-dedicated device. See also, Cryptographic keys
Examples
An entity has a dedicated device (hardware token) that displays (potentially on the push of a button) a code that changes every 30 seconds, which must be entered into a field in addition to a username and password.
A person has a dedicated USB key that they insert into their computer. When a button is pushed on the key, an OTP is passed following the entry of a username and password.
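As an added example (not from this guidance or from any token vendor), the following Python implements the two generator types described above using the open HOTP (RFC 4226, event-based) and TOTP (RFC 6238, time-based) algorithms, together with the verifier logic that tolerates small clock or counter drift and refuses a code that has already been accepted. The seed is the RFC test-vector seed, used only so the outputs can be checked; real seeds are random per token. Class and parameter names are assumptions.

```python
"""Added example (not from the guidance): HOTP (RFC 4226) and TOTP (RFC 6238)
generators plus verifier-side checks.  Uses only the standard library.  The
seed below is the RFC test-vector seed, chosen so results are checkable."""
import hashlib
import hmac
import struct
import time
from typing import Optional

TEST_SEED = b"12345678901234567890"  # RFC test vector, not a real token seed


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, at: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """TOTP: HOTP with the counter derived from the current 30-second time step."""
    now = time.time() if at is None else at
    return hotp(seed, int(now // step), digits)


class TotpVerifier:
    """Accepts the current step and one on either side (clock drift) but never
    a step at or below the last accepted one, so a captured code cannot be
    replayed within its 30-second life."""

    def __init__(self, seed: bytes, step: int = 30, skew: int = 1) -> None:
        self._seed, self._step, self._skew = seed, step, skew
        self._last_accepted_step = -1

    def verify(self, submitted: str, at: Optional[float] = None) -> bool:
        now = time.time() if at is None else at
        current = int(now // self._step)
        for candidate in range(current - self._skew, current + self._skew + 1):
            if candidate <= self._last_accepted_step:
                continue  # already used, or older than a code already used
            if hmac.compare_digest(hotp(self._seed, candidate), submitted):
                self._last_accepted_step = candidate
                return True
        return False


class HotpVerifier:
    """Event-based: the token's counter runs ahead of the server's if the
    button was pressed without logging in, so search a small look-ahead
    window and resynchronise on success; older counters are then rejected."""

    def __init__(self, seed: bytes, look_ahead: int = 10) -> None:
        self._seed, self._look_ahead = seed, look_ahead
        self._counter = 0  # next counter value the server expects

    def verify(self, submitted: str) -> bool:
        for candidate in range(self._counter, self._counter + self._look_ahead):
            if hmac.compare_digest(hotp(self._seed, candidate), submitted):
                self._counter = candidate + 1
                return True
        return False


if __name__ == "__main__":
    print("current TOTP for the test seed:", totp(TEST_SEED))
```

The replay check in TotpVerifier is what turns a code that is merely short-lived into one that is genuinely single-use, which the description above relies on.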
Considerations
Challengers need to install compatible open source/standards based or proprietary software including the capability to manage the cryptographic keys. For hardware tokens, secure processes are required to administer distribution, enrolment, replacement (especially for devices with an internal battery) and deactivation.
These are considered secure because they do not transmit data over a network.
A lost or broken hardware token could reduce the ability of an entity to authenticate until it can be replaced. If stolen it is noticeable and action can be taken.
The devices can be shared, however unlike shared secrets, the authenticator holder gives up their ability to authenticate, which can act as a deterrent to sharing.
Different services often require the authenticator holder to use a device or software specific to that service, resulting in entities having multiple devices and software they need to keep secure and manage.
One-time code receivers
Description
A one-time code receiver is a device that is uniquely addressable. The challenger can communicate securely with it by sending a code over a particular communications channel. The code is used via an authentication challenge to prove a person’s possession and control of the previously enrolled device.
The one-time code can be transmitted via a variety of communications channels, including SMS, a mobile app alert, an email, or automated voice call-back. The received code can be displayed on a device, read by the entity or heard by the entity. It can then be manually entered by the entity, or directly or indirectly used by the software involved in the authentication process on a non-dedicated device. The one-time codes received typically have an expiry period.
Examples
During an authenticated online session, a one-time code is sent from the challenger to a previously registered mobile phone using SMS text messaging. The code is entered into the online session in order to complete the authentication process.
During an authentication, the challenger triggers an app alert to the authenticator holder’s registered mobile application that is then used in this session.
A one-time password (for example, barcode or QR code) is displayed in the primary channel by the authentication process. This is then transferred to an out-of-band device for transmission to the challenger via a secondary channel.
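As an added example (not from this guidance), the following Python implements the challenger side of a one-time code receiver: the code is generated, handed to a channel (a constructed stand-in for an SMS or email gateway), and only a salted hash is retained, tied to the authentication session with an expiry period and an attempt limit. The code lifetime, attempt limit, message text and destination address are assumptions for the example.

```python
"""Added example (not from the guidance): the challenger side of a one-time
code receiver.  The 'send' callable stands in for an SMS/email gateway and the
'now' callable for the clock, so expiry can be tested deterministically.
All parameters and values are constructed for the example."""
import hashlib
import hmac
import secrets
from typing import Callable, Dict

CODE_DIGITS = 6
CODE_LIFETIME_SECONDS = 300  # assumed expiry period
MAX_ATTEMPTS = 3             # assumed guess limit per issued code


class OneTimeCodeChallenger:
    def __init__(self, send: Callable[[str, str], None], now: Callable[[], float]) -> None:
        self._send = send  # send(destination, message); destination is the enrolled address
        self._now = now
        self._pending: Dict[str, dict] = {}  # session id -> challenge record

    def issue(self, session_id: str, destination: str) -> None:
        code = str(secrets.randbelow(10 ** CODE_DIGITS)).zfill(CODE_DIGITS)
        salt = secrets.token_bytes(16)
        self._pending[session_id] = {
            "salt": salt,
            "hash": hashlib.sha256(salt + code.encode()).digest(),
            "expires": self._now() + CODE_LIFETIME_SECONDS,
            "attempts": 0,
        }
        # The plaintext code leaves the challenger only via the channel.
        self._send(destination, f"Your sign-in code is {code}. It expires in 5 minutes.")

    def verify(self, session_id: str, submitted: str) -> str:
        """Return 'ok', 'expired', 'too_many_attempts', 'mismatch' or 'no_challenge'."""
        record = self._pending.get(session_id)
        if record is None:
            return "no_challenge"
        if self._now() > record["expires"]:
            del self._pending[session_id]
            return "expired"
        record["attempts"] += 1
        if record["attempts"] > MAX_ATTEMPTS:
            del self._pending[session_id]  # even a correct code is refused now
            return "too_many_attempts"
        digest = hashlib.sha256(record["salt"] + submitted.encode()).digest()
        if hmac.compare_digest(digest, record["hash"]):
            del self._pending[session_id]  # single use
            return "ok"
        return "mismatch"
```

Binding the record to the session, rather than only to the person, means a code obtained by watching a shared inbox or handset cannot be entered into a different session than the one that requested it.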
Considerations
The ability to use a particular communications channel is dependent on the entity being able to access that channel option during the authentication session.
Every type of communication channel has advantages and disadvantages. There are further aspects to consider depending on whether or not the one-time code channel is distinct from the authentication channel.
The design of some communication channels increases the likelihood of code interception (for example, store and forward design of email versus direct control of in-app alerts).
Some one-time code receivers (for example, smart phone or email inbox) may be shared by other parties.
The challenger needs to have the capability to initially enrol the channel and device, and manage subsequent changes and deactivation.
Cryptographic keys
Description
Cryptographic keys are very large numbers, impossible to memorise, that are used with mathematical operations known as cryptographic algorithms. They come in 2 forms: symmetric (a single secret key held by both challenger and responder) and asymmetric (a public/private key pair), the latter being more sophisticated. They can be stored on or securely embedded in a device.
Cryptographic keys are primarily a security feature to protect the transmission of messages by encryption. However, successful decryption by the challenger also provides some assurance that the responder has possession of the key, making it also ‘something you have’ for authentication purposes.
The algorithms used with the keys are designed so that the operations are easy for an entity in possession of the right keys but require anyone else to use huge amounts of computing capacity, making it impractical to break them.
Examples
A specific edition of a book that both the challenger and responder use to encrypt messages between them.
A one-time code generator uses a symmetric key along with other data to generate a changing code that cannot be predicted without the shared secret.
Transport Layer Security (TLS) used to authenticate 2 people or devices to each other and encrypt all data exchanged between them.
Smart card or USB stick embedded with a cryptographic key that needs to be inserted in a reader, when an entity is required to authenticate.
Website using Public Key Infrastructure (PKI) certificates (asymmetric keys) to verify that services to which entities connect have not been spoofed.
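As an added example (not from this guidance), the following Python shows the symmetric-key challenge-response exchange that makes a cryptographic key ‘something you have’: the challenger never receives the key itself, only proof that the responder could compute a keyed hash (HMAC) over a fresh random challenge with it. The asymmetric form replaces the HMAC with a digital signature checked against the public key; it is not shown because the standard library has no signature primitive. The key, service name and class names are constructed for the example.

```python
"""Added example (not from the guidance): symmetric-key challenge-response.
Both sides of the exchange are shown; key and messages are constructed."""
import hashlib
import hmac
import secrets
from typing import Dict, Set


def generate_key() -> bytes:
    """Keys are random, never chosen by a person (hence 'impossible to memorise')."""
    return secrets.token_bytes(32)


class KeyHolder:
    """The responder's device: holds the secret key and answers challenges."""

    def __init__(self, key: bytes) -> None:
        self._key = key

    def respond(self, challenge: bytes, context: bytes) -> bytes:
        # Binding the context (which service is asking) into the MAC stops a
        # response obtained for one service being replayed to another.
        return hmac.new(self._key, context + challenge, hashlib.sha256).digest()


class Challenger:
    """Holds a copy of each enrolled key (symmetric scheme) and open challenges."""

    def __init__(self, service_name: str) -> None:
        self._context = service_name.encode()
        self._keys: Dict[str, bytes] = {}
        self._open: Dict[str, bytes] = {}  # entity -> outstanding challenge
        self._seen: Set[bytes] = set()     # challenges already answered

    def enrol(self, entity: str, key: bytes) -> None:
        self._keys[entity] = key

    def challenge(self, entity: str) -> bytes:
        nonce = secrets.token_bytes(32)  # fresh per attempt, never reused
        self._open[entity] = nonce
        return nonce

    def verify(self, entity: str, response: bytes) -> bool:
        nonce = self._open.pop(entity, None)  # one response per challenge
        key = self._keys.get(entity)
        if nonce is None or key is None or nonce in self._seen:
            return False
        self._seen.add(nonce)
        expected = hmac.new(key, self._context + nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)
```

In the symmetric form the challenger holds the same key as the responder, so a compromise of the challenger's key store lets an attacker impersonate every enrolled entity; that is the main reason the asymmetric form, where the challenger holds only public keys, is described above as more sophisticated.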
Considerations
As with other ‘something you have’ factors, cryptographic keys must be kept secure and accessible only to the authenticator holder.
Many implementations of cryptographic keys are complicated, difficult to understand and difficult to use correctly.
It can be difficult to move cryptographic keys to new devices, or to recover the keys if they are lost or inaccessible. In either case the owner will need to authenticate using some other means and re-enrol new keys.
A cryptographic key can be strengthened by having “something you know” or “something you are” to unlock it, but this does not change the number of factors being received by the challenger.
Location
Description
A procedure to authenticate by detecting presence at a distinct location.
Examples
A document that can only be accessed at a single location, where the procedure to grant access is based on detecting an authorised person at an entrance.
Controlling access to a website based on an IP address, as seen when an entity is denied access to some YouTube content.
A person has a GPS locator in a phone, or the phone is triangulated by cellular towers, and this is used to grant access based on their presence at a specific location.
Considerations
Effective use of location as an authenticator requires the ability to usefully separate a location from another and to determine an entity’s proximity to that location. In doing so, also guard against any implication of location tracking outside the instance of authentication.
Something you are
‘Something you are’-type authenticators are challenges based on characteristics intrinsically linked to a person and can be either biological (as with fingerprints) or behavioural (as with typing patterns). Automated authentication based on this factor is commonly called biometric recognition.
Manual comparison
Description
A person makes a physical comparison between a particular characteristic of another person and an image of that same characteristic.
Examples
A photograph, signature, or fingerprint.
Considerations
Comparison is a subjective process usually done using an image of insufficient size and detail for an accurate assessment to be made. Some characteristics require considerable training for comparison to be effective (for example, a fingerprint).
Biometric recognition
Description
Biometric recognition relies on physical or behavioural (or chemical) characteristics of a person. An initial sample is collected from a person and an extraction of features is made which are stored as a template.
In an authentication process, a new sample is taken, an extraction made and the result compared against the original template.
Extracted features and templates are discrete subsets of a person’s original biometric characteristic.
Examples
Examples of characteristics — physical (face, fingerprint or iris), behavioural (voice, keystroke, or gait), chemical (DNA, body odour, or body chemistry).
Examples of local recognition systems — SmartGate passport control at airports, fingerprint sensor to unlock a device, a device that verifies a fingerprint and provides the result to access an online service.
Example of remote recognition system — a video is taken of a person in a secure online session, where aspects of the image are compared with records on file before granting access.
Considerations
Biometric recognition systems are the most controversial authenticator types. They tend to be expensive, especially when full liveness testing is included. They are useful for their resistance to loss and cannot be easily lent.
Biometric comparison is probabilistic — it allows for false acceptance and false rejection. This is more likely to occur where anti-spoofing, degeneration and liveness checking are not included in the solution or where environmental factors impact the comparison.
Biometric characteristics usually cannot be revoked if compromised (faces cannot be changed like passwords). While the extracted features (represented by a mathematical value, bespoke to the system it was created in) have a degree of security built into them, the original samples do not if they are retained.
Biometric recognition is an evolving technology — stability, speed, accuracy and standards are still changing frequently.
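As an added example (not from this guidance), the following Python shows how the probabilistic comparison described above becomes a trade-off between false acceptance and false rejection once a decision threshold is applied to match scores. The genuine and impostor score lists are constructed for the example (a real system measures them from its own enrolment data); the rate calculations and threshold selection are the general method.

```python
"""Added example (not from the guidance): false acceptance / false rejection
trade-off for a threshold-based biometric comparison.  Scores are constructed."""
from typing import List, Sequence, Tuple

# Constructed similarity scores in [0, 1]: 'genuine' = a person compared with
# their own template, 'impostor' = a different person compared with that template.
GENUINE_SCORES = [0.92, 0.88, 0.85, 0.81, 0.79, 0.76, 0.74, 0.70, 0.66, 0.61]
IMPOSTOR_SCORES = [0.12, 0.18, 0.25, 0.31, 0.38, 0.44, 0.52, 0.58, 0.63, 0.71]


def false_accept_rate(impostor: Sequence[float], threshold: float) -> float:
    """Share of impostor attempts that score at or above the threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def false_reject_rate(genuine: Sequence[float], threshold: float) -> float:
    """Share of genuine attempts that score below the threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)


def rates_at(threshold: float,
             genuine: Sequence[float] = GENUINE_SCORES,
             impostor: Sequence[float] = IMPOSTOR_SCORES) -> Tuple[float, float]:
    """(FAR, FRR) at one threshold."""
    return false_accept_rate(impostor, threshold), false_reject_rate(genuine, threshold)


def sweep(genuine: Sequence[float], impostor: Sequence[float],
          steps: int = 100) -> List[Tuple[float, float, float]]:
    """(threshold, FAR, FRR) for thresholds 0.00 .. 1.00."""
    return [(t / steps,
             false_accept_rate(impostor, t / steps),
             false_reject_rate(genuine, t / steps)) for t in range(steps + 1)]


def equal_error_threshold(genuine: Sequence[float],
                          impostor: Sequence[float]) -> Tuple[float, float, float]:
    """Lowest threshold where FAR and FRR are closest (the 'equal error rate' point)."""
    return min(sweep(genuine, impostor), key=lambda row: abs(row[1] - row[2]))


def choose_threshold(genuine: Sequence[float], impostor: Sequence[float],
                     max_far: float) -> float:
    """Lowest threshold that keeps FAR at or below the policy maximum.  A
    security-sensitive deployment fixes max_far first and accepts the
    resulting FRR (more genuine people rejected) as the cost."""
    for t, far, _ in sweep(genuine, impostor):
        if far <= max_far:
            return t
    return 1.0
```

Raising the threshold lowers false acceptance and raises false rejection; the environmental and spoofing effects mentioned above shift the score distributions, which is why a threshold tuned in the lab can behave differently in deployment.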
Multi-factor authentication (MFA)
Description
MFA is an authentication method that uses challenges and responses from 2 or more of the 3 types of authentication factor:
something you know (for example, a password)
something you have (for example, a smart phone)
something you are (for example, a fingerprint).
Note:
Using 2 types of the same factor is not multi-factor authentication. For example, a password and personal information are both ‘something you know’, so using them together would still be single-factor authentication.
Examples
Accessing a bank account through an automatic teller machine (ATM): the PIN (something you know) and the ATM card (something you have).
Accessing a building where a guard checks a person’s face against a stored image (something you are), the person also swipes an access card (something you have) and enters a 4-digit code (something you know).
Considerations
Multi-factor authentication increases the likelihood of being able to mitigate a wide range of threats to the authentication process.
However, multi-factor authentication systems increase the cost of authentication both to the organisation and to the authenticator holders who need to use them. This cost may not be financial but could be in the form of convenience and usability.