Adopt and Adapt: How to Get Authentication Right

April 8, 2021

The authentication factors that help drive max security


  • No matter your industry, your users are your most important asset. But without effective authentication, these assets can present a security risk to your apps and services.
  • High assurance authentication factors give you the best chance of shutting down security threats. Focus on biometrics, WebAuthn/FIDO2.0 and mobile apps with push notifications.
  • Avoid passwords, security questions and OTPs delivered through SMS, voice and emails.


Enter NIST. The National Institute of Standards and Technology sets security compliance standards for US government agencies, organizations that handle government data and companies who supply the federal government with products and services. Even if you don’t need to comply with NIST, its publications offer best-practice policy guidance that helps your business get security right.


When it comes to authentication, NIST recommends that companies analyze their risk profile. Consider the harm that could arise if an attacker gains access to your system. If there’s a high risk of financial or reputational damage, compromised personal safety, release of sensitive information, harm to public interests or civil or criminal violations, you need to implement multi-factor authentication (MFA) – and the factors you choose must verify with strong assurance that only the right people can access the right resources.


Not all authentication factors are created equal, however. Each offers a different degree of usability and confidence in validating a user’s identity. We’ll lay out the most common factors and highlight the ones to implement for maximum security and NIST compliance.



Low Assurance Factors

While low assurance authentication factors are easy to deploy and use, they offer weak resistance to account takeover. They might be suitable to use in low-risk situations – like when using an app that doesn’t hold sensitive information – but we recommend prioritizing other authentication methods over these.


  • Passwords: Poor security behaviors like using common passwords or reusing them across accounts are all too frequent, and attackers have proven they can obtain passwords easily via phishing scams or other such attacks. They’re also not quite as convenient to manage as you’d think – users tend to forget passwords when the requirements are too complex (just ask your helpdesk) and they can be tricky to type out on mobile devices. Overall, they’re more trouble than they’re worth.

  • Security questions: Users tend to set answers that are open for others to guess or discover, and they’re prone to forgetting the answers to more particular questions. Security answers are also vulnerable to social engineering and phishing campaigns, so it’s best to look beyond them.

  • SMS, voice and email one-time passwords (OTPs): Many consumer apps use OTPs as a form of account verification, so this method provides a familiar experience that’s easy to deploy. Still, SMS and voice rely on the security of the user’s phone and internet service provider, leaving these factors open to social engineering tactics like SIM swapping. And email-based spoofing is difficult to detect thanks to the limited implementation of email authentication protocols.



Medium Assurance Factors

These factors provide a balance of usability and security, with some drawbacks to keep in mind. Consider implementing them along with factors that offer even stronger assurance.


  • Mobile and desktop OTP apps: Apps like Google Authenticator and Duo are easy for people to install and don’t depend on an internet or data service. They use crypto-based security and generate OTPs via algorithms: a more secure method of delivery than SMS, voice, or email. That said, OTP apps can work against users if their devices are ever stolen, and they’re open to real-time man-in-the-middle attacks.

  • Physical OTP tokens: Hard tokens such as YubiKey also generate codes algorithmically, making them hard to hack. While they don’t require using personal devices or internet connections, they’re relatively easy to misplace. This contributes to a high cost of deployment and provisioning. Therefore, it’s sensible to deploy them selectively and with a backup option in mind.



High Assurance Factors

These factors offer the strongest assurance that only authorized users can access your system.


  • Mobile app push notifications: Low costs, algorithmic generation, accessibility for users and support for biometrics: push-based authentication apps offer solid benefits. Still, they can be subject to man-in-the-middle attacks. Some apps may also require the use of personal mobile devices, which can’t be enforced in some regions and which may cause users to raise privacy concerns.

  • WebAuthn/FIDO2.0: While WebAuthn only applies to web-based authentication, its use of public key cryptography provides robust threat resistance and allows for better user experiences – it supports biometric authentication and puts organizations on a path to going passwordless. WebAuthn may require the purchase of new hardware, and it might not be widely adopted yet, but the high assurance it provides is a worthy investment.

  • Biometrics: These identifiers are unique to each user and include factors like voice, fingerprints, DNA and facial recognition. The specificity of biometrics to each user provides high confidence of a genuine login and contributes to frictionless user experiences – scanning a fingerprint, for instance, is much quicker and less prone to compromise than typing and storing a password.


No method of authentication is a silver bullet against all threats, but by combining several high assurance factors, you stand the best chance of mitigating risks and keeping your organization safe. A mix of biometrics, WebAuthn, push mode authentication and various OTP methods will bring your business in line with NIST standards, with even more possibilities on the horizon.


You can experiment with these factors to eliminate passwords altogether, and as open standards develop, continuous authentication may soon be your next best option. As the security landscape continues to evolve, get ready to authenticate with ease.

Swaroop Sham
Senior Product Marketing Manager, Security | Okta
Swaroop Sham is a Senior Product Marketing Manager for Security at Okta. His main focus areas include multi-factor authentication, adaptive authentication, and security integrations. He recently joined Okta, bringing with him over 10 years of experience in cybersecurity. He previously worked at Sift Science, Proofpoint, FireEye and F5 Networks. Swaroop has Masters and Bachelors degrees in Computer Science.