Evolution of Authentication on the Internet - 5
Beyond SAML, OAuth and OIDC
The following discussion concludes the “Evolution of Authentication on the Internet” series by covering some authentication patterns and newer use cases not addressed in the previous posts. Over the preceding posts we introduced the concept of “Delegated Authorization”, outlined one of the first Single Sign-On (SSO) frameworks, SAML, and discussed OAuth and OIDC in detail.
A few generic concepts relevant to authentication systems are as follows:
Multi-Factor Authentication
Multi-Factor Authentication (MFA) requires users to present two or more independent types of authentication. The most common MFA pattern is Two-Factor Authentication (2FA). MFA can be implemented in various ways:
SMS Token
Email Token
Hardware Token
Software Token
Phone Call
Biometric Verification
Enforcing MFA is the responsibility of the Identity Provider / Authorization Server.
Biometric Authentication
Biometric Authentication is not incorporated within the general standard flows for web applications. However, Biometric Authentication is supported by the Identity Provider / Authorization Server independently. There are different standards and regulations around biometric data collection, which are considered out of scope for this document. Some useful references on the subject:
ISO/IEC 19794-7:2021 - Defines the data interchange formats and what data can be captured.
ISO/IEC 30107-1:2023 - Biometric Presentation Attack Detection.
ISO/IEC 24745:2022 - Biometric Template Protection
Biometric Consortium
WebAuthn
The Web Authentication API (WebAuthn) is a specification developed by the World Wide Web Consortium (W3C) and the FIDO Alliance (Fast Identity Online), with participation from major technology companies. The WebAuthn API allows servers to register and authenticate users using public key cryptography instead of a password. When built into browsers and platforms, it creates a public/private key pair (known as a credential), enabling passwordless authentication by connecting applications with strong biometric authenticators like Windows Hello or Apple's Touch ID.
WebAuthn is being built as a passwordless authentication module that fits into the existing server-side authentication protocols: how the user proves their identity can evolve while the rest of the flow stays the same.
WebAuthn has three components:
WebAuthn Relying Party (Website/Application)
WebAuthn Client (Browser)
Authenticator (e.g. a USB security key or Apple Touch ID)
Risk Based Authentication
Risk-based authentication uses real-time intelligence to gain a holistic view of the context behind each login. When a user attempts to sign in, a risk-based authentication solution analyzes factors such as:
Device
Location
Network
Sensitivity
Based on all of these factors, the system makes a decision. The user can either:
Enter normally: The person uses a familiar system.
Other proof: The person must provide some other form of verification to gain entry.
Supporting risk-based authentication falls under the design of the Identity Provider / Authorization Server.
Continuous Authentication
As the name suggests, unlike traditional authentication where users log in once, continuous authentication proposes assessing user behaviour patterns on an ongoing basis and forcing users to re-authenticate, often coupled with MFA and biometric authenticators, on detecting suspicious activity. This is an advanced topic and has to be enforced by the Service Provider based on their definition of "suspicious activity".
Blockchain Based Authentication
The authentication modes discussed above are often referred to as Web2 Authentication. Blockchain-based authentication addresses the use cases for Web3. For brevity:
Web1 refers to the initial days of the Internet: Static Content, HTML, Early Browsers, Emergence of Search Engines, etc.
Web2 refers to the features that followed such as Centralised Models, Ad Monetization, user generated content via social media, ecommerce, enhanced interactiveness.
Web3 refers to the next set of architectures/features such as Decentralisation, Blockchain Technology, User ownership and control, Cryptocurrencies, NFTs, etc. We are in the early days of Web3.
Authentication for Web3 would use Blockchain technology. This should be studied in an independent context :)

