
Secure accounts and services with an additional trusted authentication method

It’s no secret that passwords are deeply flawed; they are easy to forget, steal, guess and force. Yet, they are also accessible, cheap, portable, and easy to understand and implement.

Passwords remain the default method of authentication for a huge range of services, both at work and at home. Their use continues to rise as more and more tools and services become digitalised, with the average person needing to remember up to 100 passwords to access online accounts.

Despite some researchers predicting that passwords would be obsolete by now, they are not going anywhere just yet. It is, however, now crucial to use an ADDITIONAL method of authentication to secure accounts and services.

Multi-factor authentication has become a common requirement for securing accounts, and according to Microsoft, using MFA blocks 99% of all password safety issues. If multi-factor authentication (MFA) is enabled on an account, you have to perform two or more steps to gain access to it. These may include entering your regular password plus a number that is sent via text or email, a fingerprint or face scan, or a verification process on an authenticator app.

Using a password alone to secure an account or service that is accessible over the internet is simply not secure enough. By adding a second method of authentication, it becomes much more difficult for a criminal to do harm.

It is not, however, always necessary to have MFA enabled on every single service. Some authentication methods link the sign-in of one account to the sign-in of an existing trusted account where MFA is already in use. Whether signing in to an account directly or indirectly, what makes the login secure is that MFA is required at that point.

The following authentication methods are accepted by Cyber Essentials for accounts and services accessible over the internet.

  • Multi-factor authentication (MFA)

  • OAuth 2.0

  • FIDO2

  • Magic links and one-time passwords

Each method varies in security and usability features, so it is important to consider which one might be most suitable and appropriate for your use.

Multi-factor authentication (MFA)

Multi-factor authentication (MFA) is also known as 2-step verification (2SV) or two-factor authentication (2FA). Accounts that have been set up with MFA require the user to provide a second factor, which is something that only the user can access. The second factor can include:

  • PIN codes or a string of characters, often sent to the user via SMS or email

  • a security token that the user must physically connect to their device (such as via USB)

  • biometric details (such as a fingerprint scan, or facial recognition)

  • an app on a trusted device (such as those provided by Microsoft or Google)


Choosing the right factor

The most appropriate second factor to use during MFA implementation will depend upon the services your organisation offers, and your customer profile. For example, using a PIN code sent via SMS is the most widespread and well-understood second factor, but is not the most secure option. Providing your users with a choice of second factors will ensure you cover the widest customer base. For more information about implementing MFA (including detailed guidance on choosing authentication factors), go to the NCSC's guidance on Multi-factor authentication for online services.

The second factor used in MFA should not be mandated every time the service is used, as this would soon become irritating for users. It should only be required whenever an activity that could have a high impact is detected, such as:

  • transferring large amounts of money

  • changing passwords

  • changing account details (including updating/adding credit card details)

A second factor should also be required whenever suspicious account activity is detected, such as a login from a different device, or from a different part of the world than is normal for that user.
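The step-up rules above (demand the second factor for high-impact actions and for logins that look unusual for the user, not on every request) translate directly into a small policy function. The following is an added example, not code from this page or from the NCSC; the action names, the transfer threshold and the `LoginContext` fields are constructed, and a real service would populate them from its own session and device records.

```go
package main

import (
	"fmt"
	"strings"
)

// LargeTransferThreshold is a constructed limit for this example; a real
// service would tune it to its own risk appetite.
const LargeTransferThreshold = 1000.0

// LoginContext is what the service already knows when a request arrives.
// The fields are hypothetical; populate them from session and device records.
type LoginContext struct {
	UserID       string
	DeviceID     string   // identifier of the device making this request
	Country      string   // country resolved from the request's IP address
	KnownDevices []string // devices the user has previously verified
	UsualCountry string   // where the user normally signs in from
}

// Action is what the user is trying to do; Amount only matters for transfers.
type Action struct {
	Name   string
	Amount float64
}

// Decision records whether to demand the second factor and every reason why,
// so the outcome can be logged and reviewed later.
type Decision struct {
	RequireSecondFactor bool
	Reasons             []string
}

// isHighImpact covers the actions the guidance lists: large transfers,
// password changes, and account or payment detail changes.
func isHighImpact(a Action) bool {
	switch a.Name {
	case "change_password", "change_account_details", "update_payment_card":
		return true
	case "transfer":
		return a.Amount >= LargeTransferThreshold
	}
	return false
}

// RequireSecondFactor applies the step-up rules: the second factor is not
// demanded on every request, only for high-impact actions or when the
// context looks unusual for this user (unrecognised device, different country).
func RequireSecondFactor(ctx LoginContext, a Action) Decision {
	var reasons []string

	if isHighImpact(a) {
		reasons = append(reasons, "high-impact action: "+a.Name)
	}

	known := false
	for _, d := range ctx.KnownDevices {
		if d == ctx.DeviceID {
			known = true
			break
		}
	}
	if !known {
		reasons = append(reasons, "unrecognised device: "+ctx.DeviceID)
	}

	if !strings.EqualFold(ctx.Country, ctx.UsualCountry) {
		reasons = append(reasons, fmt.Sprintf("login from %s, user normally in %s", ctx.Country, ctx.UsualCountry))
	}

	return Decision{RequireSecondFactor: len(reasons) > 0, Reasons: reasons}
}

func main() {
	// Constructed sample context: a known device in the user's usual country.
	ctx := LoginContext{
		UserID: "alice", DeviceID: "laptop-1", Country: "GB",
		KnownDevices: []string{"laptop-1", "phone-1"}, UsualCountry: "GB",
	}
	for _, a := range []Action{
		{Name: "view_balance"},
		{Name: "transfer", Amount: 50},
		{Name: "transfer", Amount: 2500},
		{Name: "change_password"},
	} {
		d := RequireSecondFactor(ctx, a)
		fmt.Printf("%-22s step-up=%v %v\n", a.Name, d.RequireSecondFactor, d.Reasons)
	}
	// The same low-risk action, but from a device and country never seen before.
	ctx.DeviceID, ctx.Country = "unknown-7", "BR"
	d := RequireSecondFactor(ctx, Action{Name: "view_balance"})
	fmt.Printf("%-22s step-up=%v %v\n", "view_balance", d.RequireSecondFactor, d.Reasons)
}
```

Returning every reason rather than a bare yes/no matters for operations: the reasons are what you log, alert on, and later review when tuning the thresholds. The two context signals shown (device and country) are only the ones the text names; a real policy would add others in the same shape.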

OAuth 2.0

If you'll pardon the not-so-catchy name, OAuth 2.0 or Open Authorisation 2.0 (which replaced OAuth 1.0 in 2012) is the de facto industry standard for online authorisation. It allows customers to sign in to a new service using their existing account with another, usually well-known, service provider (such as Apple, Facebook or Google). This is often referred to as Single Sign On (SSO). The ability to 'Sign in with Apple' (or suchlike) removes the burden of having to create another account (and yet ANOTHER password) when logging into a new website. It must be noted that the Single Sign On account MUST have MFA enabled to be secure.

The less welcome news is that if a criminal gains access to the account at the OAuth provider, they will also have access to every service that uses it for authentication. For this reason, the security posture of the OAuth provider should be considered, and only OAuth providers which demonstrate appropriate security should be selected. The NCSC's Cloud Security guidance includes advice to help you determine if a provider is 'secure enough' for your requirements.

You'll also need to consider the availability of OAuth providers; if their authentication server suffers an outage, your online service that relies on it will also be unavailable (as demonstrated in the 2021 Facebook outage).

As a web service provider, even if you offer a selection of OAuth providers, some users will not want to associate an existing account with your new service. For these users, you should offer an alternate authentication method.

Implementing OAuth

The following links describe how to implement OAuth 2.0 for major providers:
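Whichever provider you integrate, the two legs your own service controls are the same: send the user to the provider with a random `state` and a PKCE code challenge, then validate the callback before exchanging the code. The block below is an added example, not code from this page or from any provider's documentation. The authorize endpoint, client ID and redirect URI in it are placeholders, and the final token exchange (an HTTPS POST of the code and code verifier to the provider's token endpoint) is described in a comment rather than performed, because it needs a live provider.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"net/url"
	"strings"
)

// AuthRequest is what the service must keep server-side, bound to the browser
// session, between redirecting the user and receiving the callback. State is
// opaque to the provider; CodeVerifier is never sent in the first leg, only
// its hash is.
type AuthRequest struct {
	State        string // ties the callback to this session (login CSRF protection)
	CodeVerifier string // PKCE secret, presented only in the token exchange
	AuthorizeURL string // where to send the user's browser
}

// randomURLSafe returns nBytes of CSPRNG output, base64url-encoded without
// padding; 32 bytes gives 43 characters, within the RFC 7636 verifier limits.
func randomURLSafe(nBytes int) (string, error) {
	b := make([]byte, nBytes)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// PKCEChallenge is the S256 transform from RFC 7636:
// BASE64URL(SHA256(ASCII(code_verifier))).
func PKCEChallenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// BuildAuthRequest creates fresh state and verifier and assembles the
// authorization URL. authorizeEndpoint, clientID and redirectURI are whatever
// your chosen provider issued to you; the values used in main are invented.
func BuildAuthRequest(authorizeEndpoint, clientID, redirectURI string, scopes []string) (AuthRequest, error) {
	state, err := randomURLSafe(32)
	if err != nil {
		return AuthRequest{}, err
	}
	verifier, err := randomURLSafe(32)
	if err != nil {
		return AuthRequest{}, err
	}
	q := url.Values{}
	q.Set("response_type", "code")
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirectURI)
	q.Set("scope", strings.Join(scopes, " "))
	q.Set("state", state)
	q.Set("code_challenge", PKCEChallenge(verifier))
	q.Set("code_challenge_method", "S256")
	return AuthRequest{
		State:        state,
		CodeVerifier: verifier,
		AuthorizeURL: authorizeEndpoint + "?" + q.Encode(),
	}, nil
}

// ParseCallback validates the provider's redirect. A state mismatch means the
// callback was not started by this session and is rejected before the code is
// ever exchanged. The returned code is then swapped for tokens at the
// provider's token endpoint together with CodeVerifier (an HTTPS POST not
// shown here); the provider refuses the exchange if the verifier does not
// hash to the challenge it saw in the first leg.
func ParseCallback(callbackURL, expectedState string) (string, error) {
	u, err := url.Parse(callbackURL)
	if err != nil {
		return "", err
	}
	q := u.Query()
	if e := q.Get("error"); e != "" {
		return "", fmt.Errorf("provider returned error %q", e)
	}
	if subtle.ConstantTimeCompare([]byte(q.Get("state")), []byte(expectedState)) != 1 {
		return "", fmt.Errorf("state mismatch: callback does not belong to this login attempt")
	}
	code := q.Get("code")
	if code == "" {
		return "", fmt.Errorf("callback carries no authorization code")
	}
	return code, nil
}

func main() {
	req, err := BuildAuthRequest("https://idp.example/authorize", "client-123",
		"https://app.example/oauth/callback", []string{"openid", "email"})
	if err != nil {
		panic(err)
	}
	fmt.Println("redirect user to:", req.AuthorizeURL)

	// Constructed callbacks: one genuine, one whose state does not match.
	good := "https://app.example/oauth/callback?code=SplxlOBeZQQYbYS6WxSbIA&state=" + req.State
	bad := "https://app.example/oauth/callback?code=SplxlOBeZQQYbYS6WxSbIA&state=forged"
	for _, cb := range []string{good, bad} {
		code, err := ParseCallback(cb, req.State)
		fmt.Printf("code=%q err=%v\n", code, err)
	}
}
```

The state value should be stored in the server-side session (or an HttpOnly cookie) created before the redirect and discarded once the callback has been processed, so that a stale or replayed callback finds nothing to match.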

FIDO2

Fast Identity Online 2, or FIDO2, refers to a set of security standards that can be used to provide more secure alternatives to passwords for accessing online services. The FIDO2 standards define cryptographic authentication using public-key credentials and protocols which can negate the need for a password completely or be used as a second factor. FIDO2 authenticators can include a personal device such as a smartphone or laptop with a trusted platform module (TPM), or a physical USB key.

Most FIDO2 tokens are USB-based (such as YubiKeys). There is a variety of FIDO2 authentication tokens available to suit various needs and budgets. Most modern smartphones can also support FIDO2, as they have built-in biometrics to authenticate the user to the device. FIDO2 grants authentication via a user action such as pressing a button, entering a PIN, or presenting a biometric (such as a fingerprint or facial recognition).

In the majority of cases, the user would be responsible for purchasing the token. A lost token means that a user would lose the ability to authenticate to the service they're trying to access, so they should register a backup (which means buying another token). Since relatively few services accept FIDO2, users may be reluctant to purchase tokens (given that there are cheaper, more widely used forms of authentication). A lost token will also need to be revoked, which requires the user to log into every service with the backup token.

Implementing FIDO2

The FIDO2 website contains information to help developers implement FIDO2 authentication. Since FIDO2 uses public key cryptography, developers should have experience of implementing cryptographic protocols (even if they don’t have experience implementing a FIDO2 login directly).
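To make the "public-key credentials" idea concrete, here is an added example (not code from this page, the FIDO Alliance or any library) of the challenge-response at the heart of a FIDO2 login, reduced to its essentials with Go's standard library: a P-256 key pair that stays on the authenticator, a per-login random challenge from the service, a signature over client data that names the origin, and the relying-party checks that turn the signed response into a login. Real WebAuthn also signs over authenticator data (RP ID hash, flags, signature counter) and carries CBOR-encoded attestation; those are omitted here, and the user names and origin are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// ClientData is a simplified form of what a WebAuthn client signs over.
type ClientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Authenticator stands in for the USB token, phone or TPM-backed laptop; the key never leaves it.
type Authenticator struct{ priv *ecdsa.PrivateKey }

func NewAuthenticator() (*Authenticator, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: k}, nil
}

// PublicKey is the only key material the service receives at registration.
func (a *Authenticator) PublicKey() *ecdsa.PublicKey { return &a.priv.PublicKey }

// Sign runs after the user action (button, PIN or biometric; not modelled) and signs the SHA-256 of the client data.
func (a *Authenticator) Sign(cd ClientData) (clientDataJSON, sig []byte, err error) {
	if clientDataJSON, err = json.Marshal(cd); err != nil {
		return nil, nil, err
	}
	h := sha256.Sum256(clientDataJSON)
	sig, err = ecdsa.SignASN1(rand.Reader, a.priv, h[:])
	return clientDataJSON, sig, err
}

// RelyingParty is the online service: public keys and outstanding challenges only, no password database.
type RelyingParty struct {
	Origin     string
	keys       map[string]*ecdsa.PublicKey
	challenges map[string]string // user -> challenge awaiting a response
}

func NewRelyingParty(origin string) *RelyingParty {
	return &RelyingParty{Origin: origin, keys: map[string]*ecdsa.PublicKey{}, challenges: map[string]string{}}
}
func (rp *RelyingParty) Register(user string, pub *ecdsa.PublicKey) { rp.keys[user] = pub }

// NewChallenge issues 256 random bits; each challenge is accepted at most once.
func (rp *RelyingParty) NewChallenge(user string) (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	c := base64.RawURLEncoding.EncodeToString(b)
	rp.challenges[user] = c
	return c, nil
}

// VerifyAssertion checks the operation type, our own origin (a lookalike site's would not match),
// the challenge we issued (consumed here, so it cannot be replayed), and the signature under the registered key.
func (rp *RelyingParty) VerifyAssertion(user string, clientDataJSON, sig []byte) error {
	pub, expected := rp.keys[user], rp.challenges[user]
	if pub == nil || expected == "" {
		return fmt.Errorf("no registered credential or outstanding challenge for %q", user)
	}
	delete(rp.challenges, user)
	var cd ClientData
	if err := json.Unmarshal(clientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Origin != rp.Origin {
		return fmt.Errorf("rejecting type %q from origin %q", cd.Type, cd.Origin)
	}
	if cd.Challenge != expected {
		return fmt.Errorf("challenge mismatch: stale or replayed response")
	}
	h := sha256.Sum256(clientDataJSON)
	if !ecdsa.VerifyASN1(pub, h[:], sig) {
		return fmt.Errorf("signature does not verify under the registered key")
	}
	return nil
}

func main() {
	auth, _ := NewAuthenticator()
	rp := NewRelyingParty("https://login.example")
	rp.Register("alice", auth.PublicKey())
	ch, _ := rp.NewChallenge("alice")
	cdj, sig, _ := auth.Sign(ClientData{Type: "webauthn.get", Challenge: ch, Origin: rp.Origin})
	fmt.Println("genuine:", rp.VerifyAssertion("alice", cdj, sig), "| replay:", rp.VerifyAssertion("alice", cdj, sig))
}
```

The origin check is what makes this kind of credential resistant to lookalike login pages: the signed client data records where the browser actually was, and the service only accepts its own origin. In production, use a maintained WebAuthn library rather than hand-rolling these checks; the point of the example is to show what such a library must verify.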

Magic links and one-time passwords

Magic links are a type of password-less login that allows users to log in by clicking a link that's emailed to them (rather than typing in their username and password). Once the user clicks the link, they are granted access to the service.

One-time passwords (OTPs) are similar to magic links in that the user doesn't need to remember a password. Instead, users are sent (via SMS or email) a single-use password to log in with, or asked to generate one using an app. It is a good idea to provide users with a choice of options.

As with MFA, if a criminal has access to a user's phone, they could access accounts associated with that phone number. Magic links and OTPs provide an easy user experience, with forgotten passwords no longer an issue (nor password breaches).

Implementing magic links
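What makes a magic link or an emailed/SMS code safe to use as a login is a handful of server-side properties: the secret comes from a CSPRNG, only its hash is stored, it works once, it expires quickly, and a short numeric code gets a small guess budget. The block below is an added example of issuing and redeeming both, not code from this page or from the NCSC; the lifetimes, the guess budget, the in-memory store and the user names are constructed.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

const MaxOTPAttempts = 5 // guess budget per code; constructed, as are the lifetimes below

// pending is one issued magic link or OTP; only the hash of the secret is kept.
type pending struct {
	user     string
	hash     string // hex(SHA-256(secret)); a copy of the store yields no logins
	expires  time.Time
	attempts int // OTP guesses made so far
}

// TokenStore uses an in-memory map in place of a database; the clock is injectable for tests.
type TokenStore struct {
	now     func() time.Time
	records map[string]*pending // keyed "link:<hash>" or "otp:<user>"
}

func NewTokenStore(now func() time.Time) *TokenStore {
	return &TokenStore{now: now, records: map[string]*pending{}}
}

func hashToken(secret string) string { return fmt.Sprintf("%x", sha256.Sum256([]byte(secret))) }

// IssueMagicLink returns the URL to email: 256 CSPRNG bits in the token, only its hash in the store.
func (s *TokenStore) IssueMagicLink(user, loginURL string) (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	tok := base64.RawURLEncoding.EncodeToString(b)
	h := hashToken(tok)
	s.records["link:"+h] = &pending{user: user, hash: h, expires: s.now().Add(15 * time.Minute)}
	return loginURL + "?token=" + tok, nil
}

// RedeemMagicLink deletes the record on first presentation (one use only) and refuses expired links.
func (s *TokenStore) RedeemMagicLink(tok string) (string, error) {
	rec, ok := s.records["link:"+hashToken(tok)]
	if !ok {
		return "", errors.New("unknown or already used link")
	}
	delete(s.records, "link:"+hashToken(tok))
	if s.now().After(rec.expires) {
		return "", errors.New("link expired; request a new one")
	}
	return rec.user, nil
}

// IssueOTP draws a six-digit code uniformly from crypto/rand. Hashing so short a code barely slows
// offline guessing; the 5-minute lifetime and the guess cap in VerifyOTP are the real defence.
func (s *TokenStore) IssueOTP(user string) (string, error) {
	n, err := rand.Int(rand.Reader, big.NewInt(1000000))
	if err != nil {
		return "", err
	}
	code := fmt.Sprintf("%06d", n.Int64())
	s.records["otp:"+user] = &pending{user: user, hash: hashToken(code), expires: s.now().Add(5 * time.Minute)}
	return code, nil
}

// VerifyOTP compares in constant time, counts every attempt, and drops the code
// once used, expired, or after MaxOTPAttempts wrong guesses.
func (s *TokenStore) VerifyOTP(user, code string) error {
	rec, ok := s.records["otp:"+user]
	if !ok {
		return errors.New("no pending code for user")
	}
	if s.now().After(rec.expires) {
		delete(s.records, "otp:"+user)
		return errors.New("code expired; request a new one")
	}
	rec.attempts++
	if subtle.ConstantTimeCompare([]byte(hashToken(code)), []byte(rec.hash)) == 1 {
		delete(s.records, "otp:"+user)
		return nil
	}
	if rec.attempts >= MaxOTPAttempts {
		delete(s.records, "otp:"+user)
		return errors.New("too many wrong codes; request a new one")
	}
	return errors.New("incorrect code")
}

func main() {
	s := NewTokenStore(time.Now)
	link, _ := s.IssueMagicLink("alice", "https://app.example/login")
	code, _ := s.IssueOTP("bob")
	fmt.Println(link, code, s.VerifyOTP("bob", "wrong"), s.VerifyOTP("bob", code))
}
```

Two design points worth noting: the link record is deleted before the expiry check, so an expired link cannot be retried later either; and a successful OTP verification removes the code immediately, so the same SMS cannot be used twice even inside its lifetime.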

Read the full NCSC guidance about trusted authentication methods

© The IASME Consortium Ltd 2025 All rights reserved.
