Guidance

Using authenticators to protect an online service

Updated 14 May 2020

You might need to know that the person trying to sign in to your service is the same person who used it before, so that you give them access to their own account and nobody else’s. This is called ‘authentication’ and is useful if users need to sign in to your service more than once.

This guidance will help you choose the ‘authenticator’ that will give you the level of protection that’s right for your service.

An authenticator could be some information (like a password), a piece of software or a device.

You might also need to prove and verify a user’s identity if your service gives them something valuable or lets them access personal information.

Different types of authenticator

There are different types of authenticators. An authenticator will usually be one of the following:

  • something the user knows (such as a password)
  • something the user has (such as a mobile phone or a security key)
  • something the user is (such as a fingerprint)

Sometimes an authenticator can fit into more than one of these categories.

Example A password is something the user knows. It’s secure because no one apart from the user will know or be able to access it. If the user writes it down on a piece of paper, it will also become something the user has. The piece of paper is now the authenticator because it contains information that previously could not be known by anyone apart from the user.

Something the user knows

The most common way for users to sign in to a service is by entering a piece of information that only they know. This is called a ‘secret’.

A secret could be something like:

  • a PIN
  • a password
  • an answer to a question that only the user knows the answer to - also called knowledge-based verification (KBV)

A secret is one of the easiest ways for someone to sign in to a service, as a user does not need any special equipment or software to use it. But secrets can be easily:

  • stolen, for example from a phishing attack
  • guessed, for example if the password or PIN is low quality (like ‘1234’)
  • found out, for example if the answer to a KBV challenge is publicly available
  • shared
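As an added example (not part of this guidance), the checks below flag a proposed password or PIN that is easy to guess or to find out in the ways listed above, and show what an automatically created secret looks like by comparison. The denylist, the function names and the user details are constructed for this example; a real service would check against a full list of breached passwords.

```python
import re
import secrets
from typing import Dict, List, Optional

# Constructed denylist standing in for a full list of breached or common
# passwords; a real service would load a much larger list (assumption).
COMMON_SECRETS = {"password", "123456", "qwerty", "letmein", "1234", "0000"}


def secret_weaknesses(secret: str, user_details: Optional[Dict[str, str]] = None) -> List[str]:
    """Return the reasons a proposed password or PIN is easy to guess or find out.

    An empty list means no check fired. The checks mirror how a secret gets
    compromised: short or common values are cheap to guess, digit runs like
    1234 are guessed first, and values built from the user's own details
    (date of birth, name) can be found out from public information.
    """
    reasons = []
    lowered = secret.lower()
    if len(secret) < 8:
        reasons.append("shorter than 8 characters")
    if lowered in COMMON_SECRETS:
        reasons.append("on the common-password denylist")
    if re.fullmatch(r"\d+", secret):
        digits = [int(c) for c in secret]
        sequential = all(b - a == 1 for a, b in zip(digits, digits[1:]))
        if sequential or len(set(digits)) == 1:
            reasons.append("sequential or repeated digits")
    for label, value in (user_details or {}).items():
        if value and value.lower() in lowered:
            reasons.append(f"contains the user's {label}")
    return reasons


def generate_secret(nbytes: int = 16) -> str:
    """Create a random secret the way a password manager would: this is what
    the guidance calls an automatically created secret."""
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    for candidate in ("1234", "Summer1985!", generate_secret()):
        found = secret_weaknesses(candidate, {"date of birth": "1985"})
        print(candidate, "->", found or "no weaknesses found")
```

A check like this belongs at the point where the user chooses the secret, so that a weak one is never stored; it does not make a secret more than a low or medium quality authenticator on its own.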

Read the National Cyber Security Centre’s (NCSC’s) guidance to find out .

You might need to use a different type of authenticator if you need to be more sure the user who’s trying to sign in is the same person who created the account.

A secret is usually used with either:

  • another piece of information, such as a username or email address
  • a token, such as a chip and PIN card

Something the user has

A user might be able to sign in to a service using something called a ‘token’. A token can be something physical, like a chip and PIN card or a mobile phone.

Example A user can sign in to a service with a physical security key by inserting it into their computer or tapping it against their phone. This proves that someone is present when they’re trying to sign in to a service.

A token can also be something digital, like a single use authentication code or a digital certificate.

Example When a user adds an electronic wallet app to their mobile phone, a digital certificate is created and stored securely within their phone. This digital certificate is the token. When a user pays for something using their phone, the bank checks the digital certificate. If the bank is sure the phone is the same device the user installed the app on, it will approve the transaction.

Using a token by itself might not be appropriate if your service needs a high level of protection. This is because tokens can be easily lost, stolen or shared.

A token can also be copied or tampered with if:

  • it does not have any security features
  • the security features it has have been badly designed

A token on its own only confirms that whoever holds it is present, which helps protect your service from remote attackers. Unless you combine it with biometric information, you cannot be sure that the token is being used by the same person who created the account.

But some tokens can contain information about:

  • the person that’s using it to sign in to the service
  • the organisation that issued the token (for example a chip and PIN bank card will include the name of the bank that issued it)

Something the user is

A user might be able to sign in to a service using their biometric information. Biometric information is a measurement of someone’s:

  • biological characteristics, such as their fingerprint
  • behavioural characteristics, such as their signature

Example A user can open an app or unlock their phone by looking at it.

The app or device uses facial recognition software to check the user looks like the person who created the account or registered the phone. If there’s a match, the user can access the service.

Using biometric information means your service can easily tell if the user who’s trying to sign in is the same person who created the account. This is because:

  • each person’s biometric information is unique to them
  • it’s difficult for biometric information to be forgotten, lost, stolen or guessed

Read the NCSC’s guidance to find out more about .

There are some risks to using biometric information as an authenticator.

There’s a small chance someone could try to impersonate another user by recreating their biometric information. For example, they could:

  • hold up a photo of the user
  • wear prosthetics or a mask to make themselves look like the user
  • play a recording of the user’s voice
  • use a copy of the user’s fingerprint

These are called ‘presentation’ or ‘spoofing’ attacks. Some types of biometric information are easier to recreate than others.

Although presentation attacks can be detected by the system that’s used to capture biometric information, there’s always a risk a fraudster could successfully sign in to a service this way.

It’s also possible that the system can make a mistake when it’s matching someone’s biometric information. It could either:

  • wrongly match a user to another person (called a ‘false match’)
  • not be able to match a user to anyone, even though a record of their biometric information exists (called a ‘false non-match’)

It’s easier to make these mistakes when matching some types of biometric information than others. You can lower these risks by asking users to use another authenticator as well as their biometric information.
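The 2 kinds of mistake pull in opposite directions, which is easiest to see by sweeping the decision threshold of a matcher. This is an added example, not part of the guidance: the similarity scores are constructed (10 comparisons of an enrolled user against their own fresh sample, 10 against other people) and the function names are this example’s own.

```python
from typing import Dict, Sequence, Tuple

# Constructed similarity scores from a matcher (0 = nothing alike, 1 = identical).
# GENUINE: the enrolled user compared with their own fresh sample.
# IMPOSTOR: the enrolled user compared with someone else's sample.
GENUINE = [0.92, 0.88, 0.95, 0.71, 0.83, 0.90, 0.64, 0.87, 0.93, 0.79]
IMPOSTOR = [0.12, 0.33, 0.41, 0.68, 0.25, 0.19, 0.55, 0.30, 0.72, 0.22]


def match_error_rates(genuine: Sequence[float], impostor: Sequence[float], threshold: float) -> Tuple[float, float]:
    """Return (false match rate, false non-match rate) at one threshold.

    A comparison is accepted when its score is at least the threshold:
    - false match: an impostor comparison that was accepted
    - false non-match: a genuine comparison that was rejected
    """
    false_matches = sum(1 for s in impostor if s >= threshold)
    false_non_matches = sum(1 for s in genuine if s < threshold)
    return false_matches / len(impostor), false_non_matches / len(genuine)


def sweep(thresholds: Sequence[float]) -> Dict[float, Tuple[float, float]]:
    """Error rates at each threshold: tightening the threshold removes false
    matches at the cost of more false non-matches, and loosening it does the
    reverse. No single threshold makes both rates zero on these scores."""
    return {t: match_error_rates(GENUINE, IMPOSTOR, t) for t in thresholds}


if __name__ == "__main__":
    for t, (fmr, fnmr) in sweep([0.6, 0.7, 0.75]).items():
        print(f"threshold {t:.2f}: false match rate {fmr:.0%}, false non-match rate {fnmr:.0%}")
```

A service that needs a very low false match rate has to accept more false non-matches, which is one reason to pair the biometric with another authenticator rather than relying on the threshold alone.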

2 factor authentication

You can protect your service using a combination of 2 authenticators. This is called ‘2 factor authentication’ (2FA). It helps protect your service against some of the risks that come from using just one type of authenticator.

Example A user can sign in to a social media account using a username and password (something they know) and an authentication code sent to their mobile phone (something they have).

If a user could sign in without the code, someone else who guessed or stole their password could access their account. Requiring the code as a second authenticator means that, even with the password, a fraudster would still not be able to get in.
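Added example (not from this guidance) of how a service can require both factors before granting access: the password is checked first, and only then is a single-use code minted for delivery to the user’s phone. The Account class, start_sign_in and finish_sign_in are names chosen for this example, the 5 minute code lifetime is an assumption, and the username, password and phone number are made up.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

CODE_TTL_SECONDS = 300  # assumption: a delivered code is valid for 5 minutes


class Account:
    """Server-side record for one user: a salted password hash (something the
    user knows) and the phone number that single-use codes are sent to
    (something the user has). Values are made up for the example."""

    def __init__(self, username: str, password: str, phone: str) -> None:
        self.username = username
        self.phone = phone
        self.salt = os.urandom(16)
        self.password_hash = self._hash(password, self.salt)
        self.pending_code: Optional[tuple] = None  # (code, expiry time)

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(self._hash(password, self.salt), self.password_hash)


def start_sign_in(account: Account, password: str, now: Optional[float] = None) -> Optional[str]:
    """Step 1: check the secret. Only if it is right, mint a 6-digit single-use
    code and return it for delivery to the user's phone. A wrong password gets
    None, so an attacker cannot even trigger a code without the secret."""
    if not account.check_password(password):
        return None
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(1_000_000):06d}"
    account.pending_code = (code, now + CODE_TTL_SECONDS)
    return code  # sent by SMS or app notification, never shown in the browser


def finish_sign_in(account: Account, code: str, now: Optional[float] = None) -> bool:
    """Step 2: check the code. It must exist, be unexpired and match.
    The pending code is cleared on every attempt, so a wrong guess burns it
    (no brute forcing the 6 digits) and a correct one cannot be replayed."""
    pending, account.pending_code = account.pending_code, None
    if pending is None:
        return False
    expected, expires_at = pending
    now = time.time() if now is None else now
    if now > expires_at:
        return False
    return hmac.compare_digest(expected, code)


if __name__ == "__main__":
    acct = Account("alice", "correct horse battery staple", "+44 7700 900123")
    start_sign_in(acct, "correct horse battery staple")
    print("stolen password but guessed code signs in?", finish_sign_in(acct, "000000"))
    code = start_sign_in(acct, "correct horse battery staple")
    print("password plus delivered code signs in?", finish_sign_in(acct, code))
```

Both checks use constant-time comparison, and the password is checked before any code is sent so that the sign-in form cannot be used to flood a user’s phone with codes.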

It’s important that you use 2 different types of authenticator. A fraudster who’s able to compromise one authenticator is likely to be able to compromise another of the same type using a similar method.

Example A fraudster can guess both a user’s password and their PIN. This is because they’re both the same type of authenticator (a secret). Fraudsters know users will often use personal information, such as their date of birth, to create them.

You can choose to protect your service using more than 2 authenticators. This is called ‘multi factor authentication’. If you do this, you should be aware that it can have an impact on the usability and cost of your service.

The quality of an authenticator

An authenticator can be low, medium or high quality. The quality of an authenticator will depend on how secure it is.

The most secure authenticators have a strong link to the user. This means it’s difficult for someone other than the user who created the account to guess, copy or make changes to the authenticator.

High quality authenticators are also protected against ‘large scale’ attacks. These are automated attacks that use large databases of stolen or weak authenticators to try to break into users’ accounts.

The quality of an authenticator will depend on how it was:

  • created by a user (or a manufacturer if it’s something like a physical token)
  • managed (including how the authenticator is issued and updated, and what happens when it’s no longer being used)
  • captured (if it바카라 사이트™s biometric information)

Some types (or ‘modalities’) of biometric information are higher quality than others. Read the NCSC’s guidance to find out how to .

Low quality authenticators

A secret is low quality if it’s one of the following:

  • a password
  • a PIN
  • a KBV challenge based on information that does not change over time (known as ‘static’ information)

A token is low quality if you do not know how it was created or issued. This is because there could be a risk it was tampered with or issued to someone who should not have it.

Biometric information is low quality if you do not know how it was captured or processed. Using low quality biometric information might mean your service is at risk of .

For example, if your service is checking a facial biometric, you might be at risk of attack if you let a user upload a photo that they previously took of themselves. This is because a fraudster could use a photo of the user that they found on social media. It would be more secure to use ‘live capture’, which involves asking the user to take a photo on their webcam or phone and upload it as they use your service.

Using low quality biometric information could also stop you from doing an accurate biometric comparison, which means you might not be able to match the right person to a record.

Medium quality authenticators

A secret is medium quality if it’s either:

  • automatically created and securely stored (for example in a password manager)
  • a KBV challenge based on information that changes over time (known as ‘dynamic’ information)

A token is medium quality if you know tokens are created in a way that stops them from being:

  • tampered with
  • issued to the wrong person

You can find this out from the manufacturer or supplier of the token. For example, a manufacturer might have published a report or white paper that documents how the token was created.

Biometric information is medium quality if you know the system that captured it when the user created an account can detect spoofing or presentation attacks. You can find this out from the manufacturer. For example, they might have published a report or white paper that describes how the system detects presentation attacks.

High quality authenticators

An authenticator is high quality if it could not belong to anyone other than the user who created the account. A secret cannot be a high quality authenticator because it’s easy for someone to steal, guess or copy.

A token is high quality if it has been independently tested to prove it meets industry standards, such as the , or .

Biometric information is high quality if the system or process used to capture it has been independently tested to check if it meets industry standards, such as or .

This will prove that the technology can protect your service from spoofing or presentation attacks.

Choosing an authenticator

An authenticator can protect your service from being accessed by someone who should not be able to use it. How much protection your service needs depends on:

  • what information the user needs to use the service
  • what information the service gives the user access to
  • what the service or user can do with that information

When choosing an authenticator, you should also think about how much risk your service can accept. You should do a risk assessment if you do not already know this.

Read the guidance about making sure your online service is safe and secure to find out how to do a risk assessment.

You get different levels of protection by using different authenticators or combinations of authenticators.

Some authenticators might be easier to use than others. You should make it easy for users to access your service, but also make sure you choose an authenticator that gives you the level of protection you need.

Some users might struggle to use an authenticator that others find easy to use. For example, accessing an app using a fingerprint can be easy for a lot of users, but it would be very difficult for someone who has lost the use of their hands.

You should think about the types of people your users are when you choose an authenticator. Make sure there’s more than one way they can sign in to your service. All options should give your service the same level of protection.

Some users might not be able to access your service online. If there are other ways to access your service, you should make sure they have a similar level of protection.

Low protection

You might need low protection if the information that’s shared between the user and your service cannot be used to:

  • get anything valuable
  • do any harm to the user if it’s seen by someone else

You’ll have low protection if you protect your service with any low quality authenticator.

Example A wifi network in a public place can usually be accessed with an email address and a password (something the user knows). The service does not need to be protected by a more secure authenticator than this because it only gives users access to the internet. If a user had unauthorised access to the network, it’s unlikely they’d be able to use any information they get from the service to do any harm.

Medium protection

Your service might need medium protection if it gives users access to sensitive information.

Medium protection means your service knows:

  • the authenticator is being used by the person who created the account
  • any information (such as bank data in a chip and PIN card) is securely stored in the authenticator and has not been tampered with

You’ll have medium protection if you protect your service with 2FA. Use 2 different authenticators from the following list:

  • a low or medium quality secret
  • a low or medium quality token
  • low or medium quality biometric information

Example A user will usually need to use 2FA to sign in to their email account. They might need to enter:

  • their email address and password (something the user knows)
  • an authentication code that has been sent to their mobile phone (something the user has)

The service is protected by 2FA because it gives users access to emails. These could include sensitive information from their doctor, bank or family.

High protection

Your service might need high protection if it lets users access information that could be used to cause harm. This could be to another user, service or organisation.

If your service has high protection, you can be sure that the authenticators will not be used by anyone apart from the user who created the account.

You’ll have high protection if you protect your service with 2FA that uses a medium quality authenticator and a high quality authenticator.

Example A user can access their online bank account using a fingerprint (something they are) to sign in to an app on their phone (something they have). They will only be able to sign in if the app can confirm the fingerprint and phone belong to the same user that created the account.

In this example the fingerprint is the high quality authenticator: it is captured and checked by a system that has been independently tested against industry standards for detecting presentation attacks. The phone is the medium quality token, because the bank knows how the app was issued to that device and that it has not been tampered with.

Very high protection

Your service might need very high protection if it lets users access information that could be used to cause significant harm. This could be to another person, service or organisation. You should use it if the information your service keeps is more sensitive than information kept by a service with high protection.

You’ll have very high protection if you protect your service with 2FA that uses a high quality token and high quality biometric information.

Very high protection gives you more confidence that the authenticators will not be used by anyone apart from the user who created the account.

This is because you’re using 2 high quality authenticators, which will have been protected from being attacked when they were created or issued. You’ll be sure that any information stored in the authenticator cannot be changed by someone other than the user or the organisation that issued it.

Example Some organisations might need access to sensitive or personal information about their customers. To do this, employees could use a combination of:

  • a certificate-based smart card (something the user has)
  • their fingerprint (something the user is)

These are 2 high quality authenticators. The smart card is protected by cryptographic security features, which means it’s difficult for someone to copy or tamper with it. A fingerprint is unique to that user, and a template of it is stored in the chip in the smart card so the card itself can check the fingerprint presented.

The service needs very high protection because it gives employees access to sensitive information. If someone other than an employee managed to sign in to this service, they could use the information to harm a customer. This could also damage the organisation’s reputation by showing that its process is not secure.

If an authenticator has been forgotten, lost or stolen

You should give users a way to access your service if their authenticator has been forgotten, lost or stolen. You must make sure that the person you give the replacement authenticator to is the same user who first created the account.

You can do this by using either:

  • information that you know was given to the user when they set up the account (such as a backup or recovery code)
  • contact details that you know belong to the person who set up the account (such as their email address or phone number)

Example A user has forgotten their password but still has access to the email address they used to set up their account. A service can use this email address to send them a link to a page that tells them how to reset their password.
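Added example (not from this guidance) of both recovery options: single-use recovery codes handed out at account set-up, and a time-limited token for a reset link sent to contact details already on the account. Only digests of the codes and tokens are stored, so a leaked database does not hand them out. Function names and the 15 minute link lifetime are this example’s assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Any, Dict, List, Set, Tuple

RESET_LINK_TTL_SECONDS = 15 * 60  # assumption: a reset link is valid for 15 minutes


def _digest(value: str) -> bytes:
    # Codes and tokens here are long random strings, so a plain SHA-256 is
    # enough to keep a database leak from revealing them (no slow hash needed).
    return hashlib.sha256(value.encode()).digest()


def issue_recovery_codes(count: int = 8) -> Tuple[List[str], Set[bytes]]:
    """Option 1: codes given to the user when they set up the account.
    Returns the plaintext codes (shown once, then discarded by the service)
    and the digests the service keeps."""
    codes = [secrets.token_hex(5) for _ in range(count)]  # 40 bits each, 10 hex chars
    return codes, {_digest(c) for c in codes}


def redeem_recovery_code(stored: Set[bytes], presented: str) -> bool:
    """Accept a code only if its digest is still stored, then remove it so the
    same code can never be used twice."""
    d = _digest(presented.strip().lower())
    for candidate in list(stored):
        if hmac.compare_digest(candidate, d):
            stored.discard(candidate)
            return True
    return False


def issue_reset_link_token(now: float) -> Tuple[str, Dict[str, Any]]:
    """Option 2: a token for a link sent to contact details already on the
    account. The token goes in the link; only its digest, expiry and a
    used flag are stored."""
    token = secrets.token_urlsafe(32)
    record = {"digest": _digest(token), "expires_at": now + RESET_LINK_TTL_SECONDS, "used": False}
    return token, record


def verify_reset_link_token(record: Dict[str, Any], presented: str, now: float) -> bool:
    """The link works once, and only before it expires."""
    if record["used"] or now > record["expires_at"]:
        return False
    if not hmac.compare_digest(record["digest"], _digest(presented)):
        return False
    record["used"] = True
    return True


if __name__ == "__main__":
    codes, store = issue_recovery_codes(4)
    print("codes shown once to the user:", codes)
    print("first use accepted:", redeem_recovery_code(store, codes[0]))
    print("second use accepted:", redeem_recovery_code(store, codes[0]))
```

Because redeeming a code or link hands the account to whoever holds it, a service that needs more than low protection should also revoke the old authenticator (and notify the user’s known contact details) when recovery succeeds.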

You might need to be more confident that the user is the same person who created the account if all of their authenticators have been forgotten, lost or stolen. You should do the same checks you would do to make sure an identity belongs to the person who’s claiming it.

Example Some social media websites ask a user to upload an image of a piece of evidence if that user has lost access to their account.

They check the photo and information on the evidence match the details from the user’s account. If there’s a match, they’ll know that the user is the same person who set up the account and can let them sign back in.

If an authenticator has been revoked

You might need to temporarily stop a user accessing your service if you think their authenticator has been compromised.

You must:

  • ask the user to use a new or different authenticator, if it’s a secret
  • cancel (or ‘revoke’) the authenticator and issue a new one, if it’s a token

As biometric information is a measurement of someone바카라 사이트™s biological or behavioural characteristics, you will not be able to revoke it or issue a replacement authenticator if it바카라 사이트™s compromised.

Monitoring how users use your service

As well as making sure you give the right users access to your service, you should also look out for any unusual activity once they’ve signed in. This is called ‘transaction monitoring’ and will help keep your service and your users’ data secure.

For example, it can help protect your service from ‘credential stuffing’. This is when large numbers of usernames and passwords taken from other compromised websites are automatically tried against a service, relying on users having reused the same password.

You should look at who’s signing in to your service and look for information like:

  • their name or another identifier (such as their username or email address)
  • their IP address, to find out where they are
  • what device they’re using
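Added example (not from this guidance) of transaction monitoring over sign-in events using exactly these fields. The log lines are constructed for this example, and the thresholds (5 distinct usernames from one IP address within 5 minutes) are assumptions to tune for your own service.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Constructed sign-in log for this example: timestamp, username, source IP
# address, device identifier, outcome. The addresses are documentation ranges.
SIGN_IN_LOG = """\
2020-05-14T09:00:01Z alice 203.0.113.5 dev-a OK
2020-05-14T09:00:02Z bob 203.0.113.5 dev-a FAIL
2020-05-14T09:00:02Z carol 203.0.113.5 dev-a FAIL
2020-05-14T09:00:03Z dave 203.0.113.5 dev-a FAIL
2020-05-14T09:00:03Z erin 203.0.113.5 dev-a FAIL
2020-05-14T09:00:04Z frank 203.0.113.5 dev-a FAIL
2020-05-14T09:00:04Z grace 203.0.113.5 dev-a OK
2020-05-14T09:05:00Z alice 198.51.100.7 dev-b FAIL
2020-05-14T09:05:20Z alice 198.51.100.7 dev-b FAIL
2020-05-14T09:05:40Z alice 198.51.100.7 dev-b OK
"""

Event = Tuple[datetime, str, str, str, str]


def parse_log(text: str) -> List[Event]:
    events = []
    for line in text.splitlines():
        ts, user, ip, device, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, device, outcome))
    return events


def stuffing_sources(events: List[Event], window: timedelta = timedelta(minutes=5), min_users: int = 5) -> Set[str]:
    """IP addresses that tried at least min_users distinct usernames inside one
    window. One person does not sign in as 7 different users in 3 seconds;
    a credential stuffing tool does, and counting attempts regardless of
    outcome catches it even when a few of the stolen passwords still work."""
    by_ip: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, user, ip, _device, _outcome in events:
        by_ip[ip].append((ts, user))
    flagged = set()
    for ip, attempts in by_ip.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            if len({u for _, u in attempts[start:end + 1]}) >= min_users:
                flagged.add(ip)
                break
    return flagged


def new_device_sign_ins(events: List[Event]) -> List[Tuple[str, str, str]]:
    """Successful sign-ins from a device the user has never signed in from
    before. These deserve a second look (or a step-up check with another
    authenticator) because a stuffing tool that finds a working password
    arrives on a device the user has never used."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    flagged = []
    for _ts, user, ip, device, outcome in events:
        if outcome != "OK":
            continue
        if seen[user] and device not in seen[user]:
            flagged.append((user, ip, device))
        seen[user].add(device)
    return flagged


if __name__ == "__main__":
    events = parse_log(SIGN_IN_LOG)
    print("suspected credential stuffing from:", sorted(stuffing_sources(events)))
    print("sign-ins from a new device:", new_device_sign_ins(events))
```

In the constructed log the first address tries 7 different accounts in 3 seconds, which is the stuffing signature, and alice later signs in successfully from a device she has never used, which is the kind of event worth asking for a second authenticator on.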