An essential element for ensuring security is the choice of authentication method. Here's a guide to help you select the best approach for your mobile application.

Before diving into the details, let's answer an important question: What is multi-factor authentication?

We often hear about two-factor authentication (2FA) or multi-factor authentication (MFA), but what does that actually mean? These are methods for securing accounts. 2FA, which is now mandatory on most applications, uses two factors to verify a user's identity, such as a password and a code sent via SMS. MFA includes 2FA but can also use more than two factors, like a fingerprint in addition to a password and an SMS code, for example.

Now that we understand the concept, how do we choose the right authentication method for our application? Let's follow these five steps to achieve that!

1. Assess Security Needs:

The first step in choosing an authentication method is to conduct a privacy impact assessment. Since the introduction of Law 25, it's now crucial to go through this step when developing or redesigning an application if personal information is involved. The more sensitive the data, the more robust the authentication methods should be. Nowadays, as soon as an application collects personal information—even if it's just an email address—two-factor authentication should be standard.

2. Consider User Experience:

Let's be honest: multi-factor authentication involves an extra step, which can introduce potential friction. However, choosing a more robust authentication method shouldn't compromise the user experience. To minimize this friction, it's essential to choose a method that combines security and ease of use. For example, biometric authentication like fingerprints or facial recognition is more seamless but can be costly and complex to implement. It's advisable to use existing solutions like Auth0 to manage these aspects.

3. Choose Among Common MFA Methods

When selecting an authentication method, various MFA categories are available to offer enhanced security. MFA relies on combining multiple factors, grouped into three main categories:

What We Know (Knowledge):

• • Password: Traditional but vulnerable if poorly managed. Initially, the recommendation was to use complex passwords and change them regularly. Nowadays, with all the systems we use daily, a password manager is the best solution.
  • Security Questions: Used as a supplement, but questions must be carefully chosen to avoid being easily guessable.
  • PIN Code: Simple but should be combined with another method for increased security.

What We Have (Possession):

• • OTP Generated by a Smartphone App: Secure and effective when used alongside a password.
  • OTP Sent via SMS or Email: Convenient but vulnerable to interception, better suited for applications requiring moderate security. Note that SMS authentication is less secure than email authentication due to additional attack vectors like SIM swapping or SIM jacking.
  • One-Time Password (OTP): A unique code that combines knowledge (the user knows the code) and possession (the user must have the device to receive the code).
  • Push Authentication: A mobile-centric security method where the service provider sends a notification to the user via the most secure communication channel available. The user confirms their identity by responding to the notification to access the service. This method primarily relies on the user's possession of the device.

What We Are (Inherence):

• • Fingerprints and Facial Recognition: Increasingly popular, they offer a good balance between security and convenience. A common misconception is that biometric authentication requires sharing biometric information with the system provider (mobile app, website, etc.). However, this is rarely the case! Biometric authentication is usually used only to unlock a local vault that contains the secret value used for authentication.
  • Behavioral Analysis: An emerging method that monitors user habits to detect unusual behaviors.

By combining at least two of these three categories, you can develop an authentication approach that balances security and user-friendliness, offering protection tailored to your application's specific needs.

An emerging trend not covered in the previous methods is passkeys. They are an alternative to passwords, offering both increased security and simplicity. With a passkey, you can log into applications and websites using a biometric sensor (like a fingerprint or facial recognition), a code, or a pattern.

Passkeys can also replace additional authentication steps like codes sent via SMS and offer strong protection against phishing attacks, eliminating the hassles associated with passwords and temporary codes. However, it's important to note that this technology can make you dependent on a particular ecosystem like Apple, Google, or Microsoft.

4. Regulatory Compliance:

Before choosing an authentication method, verify which specific standards your application must comply with. In Canada, the use of multi-factor authentication (MFA) is strongly recommended, especially to protect sensitive information and critical infrastructures. While MFA isn't always a general legal requirement, certain regulations and industry standards mandate or recommend its use. For example, in the financial sector, MFA is often required for online transactions and access to critical systems due to high risks of cyberattacks.

5. Consider the Costs:

Cost is an important factor when choosing an authentication method. Some methods, like biometric solutions, can be more expensive to implement and maintain due to infrastructure and technical support needs. Other methods, such as password authentication or magic links, may be more economical but don't offer the same level of security.

Be prepared: adding an extra step to the authentication process will require additional customer support efforts. You should also allocate time and resources for customer service management when the phone number associated with the account changes, the secret code is lost, or the email address is no longer accessible.

Choosing the authentication method for your mobile application must balance security, user experience, compliance, and costs. A flexible approach that allows you to adapt or combine multiple authentication methods is often the most effective way to meet your application's specific needs. By considering recommendations and best practices, you can offer your users a secure and frictionless experience while protecting their data and your application from potential threats.