As more elements of our day-to-day lives continue to be translated into online activity within the metaverse, and as the flow between digital platforms becomes increasingly organic and seamless, the need for swift and frictionless authentication is more important than ever.
So, what exactly is user authentication? Why is it important - and, as Web 3.0 continues to develop, what does the future hold for the security of our activities and transactions?
Any activity that may reveal our identifiable personal or financial data to other users - and therefore to potential fraudsters - must be carefully protected.
To that end, “user authentication” is implemented by most sites, apps and platforms that handle data of this kind.
The term refers to methods whereby a visitor to a site or platform, or the user of an app, must prove their identity and their right to carry out certain activity or transactions within that resource before they may proceed. It is a means to prevent fraud.
So, what are the most common methods of user authentication, and how are they changing as the metaverse develops?
Passwords are perhaps the most basic of authentication methods. They are also among the most risky, as they require users to decide on a series of letters, numbers and symbols that will not be guessed by any other entity.
They may be written down and lost or accidentally revealed - and, with so many different passwords required for multiple sites and platforms, many users resort to using the same phrase for each one, which means that a single data breach could be disastrous for them.
While many businesses that require the use of passwords by their employees now implement regular password expiry to protect against these risks, this comes with issues of its own.
In general, passwords are becoming less and less popular as a method of authenticating identity.
Two-step or multi-factor authentication requires an individual signing in to undertake a further “step” in order to prove their identity.
For example, they may enter a username and password to pass the first stage, but the site, app or platform may then generate a code which is sent to a designated email address or mobile device associated with their account. The user then has to enter that code into a particular field in order to gain access.
While this approach is generally more secure than a basic password, many fraudsters will already have access to their victim’s email account - rendering certain types of multi-factor authentication useless.
What is more, this method includes an additional friction point, which makes it less user-friendly and potentially frustrating.
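The second step described above (a one-time code sent to the user, which the server then checks) is easy to get subtly wrong on the server side. The following is an added example, not code from the original article: it keeps only a hash of the code, gives the code a short lifetime, makes it single-use, and caps the number of guesses so that a six-digit code cannot simply be brute-forced. The delivery channel (email or SMS) is outside the example; the code is returned to the caller to be sent out of band.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Challenge is the server-side record of one pending second step.
// The code itself is never stored, only its SHA-256 hash.
type Challenge struct {
	codeHash [32]byte
	expires  time.Time
	attempts int
	used     bool
}

// maxAttempts bounds guessing: a 6-digit code has only one million values.
const maxAttempts = 3

// NewChallenge draws a uniformly random 6-digit code. The plaintext code is
// returned so the caller can deliver it to the user's email address or phone;
// the returned Challenge is what the server keeps.
func NewChallenge(now time.Time, ttl time.Duration) (string, *Challenge, error) {
	n, err := rand.Int(rand.Reader, big.NewInt(1000000))
	if err != nil {
		return "", nil, err
	}
	code := fmt.Sprintf("%06d", n.Int64())
	return code, &Challenge{
		codeHash: sha256.Sum256([]byte(code)),
		expires:  now.Add(ttl),
	}, nil
}

// Verify checks a submitted code. It rejects expired, already-used and
// over-tried challenges before comparing, and compares in constant time.
func (c *Challenge) Verify(submitted string, now time.Time) error {
	if c.used {
		return errors.New("code already used")
	}
	if now.After(c.expires) {
		return errors.New("code expired")
	}
	if c.attempts >= maxAttempts {
		return errors.New("too many attempts")
	}
	c.attempts++
	h := sha256.Sum256([]byte(submitted))
	if subtle.ConstantTimeCompare(h[:], c.codeHash[:]) != 1 {
		return errors.New("wrong code")
	}
	c.used = true // a code is single-use
	return nil
}

func main() {
	now := time.Now()
	code, ch, err := NewChallenge(now, 5*time.Minute)
	if err != nil {
		panic(err)
	}
	fmt.Println("deliver out of band:", code)
	fmt.Println("wrong guess:", ch.Verify("abcdef", now))
	fmt.Println("correct code:", ch.Verify(code, now))
	fmt.Println("replay:", ch.Verify(code, now))
}
```

The attempt counter lives on the challenge, so each issued code gets its own small budget of guesses; a production system would also rate-limit by account and log the failures.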
Biometric authentication includes the likes of fingerprint and facial recognition, which means that a user need only touch a sensor or raise the screen of their device to their face to gain access.
This has become a very popular method in recent times, particularly with phone manufacturers. It is also considered by many to be the safest and most secure method of authentication due to its accuracy.
However, breaches of biometric data are still possible - which means that this technique is not foolproof.
Token-based authentication is a method that allows a slightly more seamless experience.
The user is required to enter some information - e.g. a username and password - to generate a digitally encrypted “token”, which then allows them to utilise a certain app, platform or site until a certain time period has passed, or until they log out or exit the system.
The token may be:
- a hardware device such as a USB key or smart card that is connected to the machine being used
- a wearable or carried item that uses contactless technology and need only be placed near to the machine
- a software token
In most cases, the user must enter a single password and username when initially logging into the system with an encrypted token - but, once they have done this, they are able to browse and utilise different sites, platforms and apps without having to enter login details.
Once their session is finished, the machine-generated token is destroyed - meaning it cannot be stolen or replicated. A new token is generated when the user next logs in.
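The software-token lifecycle just described (issued after the initial login, valid until expiry or logout, then destroyed) can be seen in the following added example, which is not code from the original article. It uses one common design rather than the encrypted token the text mentions: the token handed to the user is an opaque random string, and the server stores only its hash, so a copy of the server's session table does not by itself yield usable tokens. Names such as `SessionStore` and the time-to-live are assumptions of the example.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"sync"
	"time"
)

// Session is what the server remembers about one logged-in user.
type Session struct {
	User    string
	Expires time.Time
}

// SessionStore maps the SHA-256 hash of a bearer token to its session.
type SessionStore struct {
	mu       sync.Mutex
	sessions map[[32]byte]Session
	ttl      time.Duration
}

func NewSessionStore(ttl time.Duration) *SessionStore {
	return &SessionStore{sessions: make(map[[32]byte]Session), ttl: ttl}
}

// Issue is called once the user has passed the initial username/password
// check. It returns the token the client will present on later requests.
func (s *SessionStore) Issue(user string, now time.Time) (string, error) {
	raw := make([]byte, 32) // 256 bits of entropy: not guessable
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	token := base64.RawURLEncoding.EncodeToString(raw)
	s.mu.Lock()
	defer s.mu.Unlock()
	s.sessions[sha256.Sum256([]byte(token))] = Session{User: user, Expires: now.Add(s.ttl)}
	return token, nil
}

// Validate resolves a presented token to its user, or explains why it is
// no longer acceptable. Expired sessions are removed on sight.
func (s *SessionStore) Validate(token string, now time.Time) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	key := sha256.Sum256([]byte(token))
	sess, ok := s.sessions[key]
	if !ok {
		return "", errors.New("unknown token")
	}
	if now.After(sess.Expires) {
		delete(s.sessions, key)
		return "", errors.New("session expired")
	}
	return sess.User, nil
}

// Logout destroys the session: the token is useless from this point on,
// even if someone captured a copy of it earlier.
func (s *SessionStore) Logout(token string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	delete(s.sessions, sha256.Sum256([]byte(token)))
}

func main() {
	store := NewSessionStore(30 * time.Minute)
	now := time.Now()
	tok, _ := store.Issue("alice", now)
	fmt.Println(store.Validate(tok, now))
	store.Logout(tok)
	fmt.Println(store.Validate(tok, now))
}
```

Because validation is a lookup in server-side state, the server can revoke a token instantly; a self-contained signed token would instead stay valid until its expiry unless a separate revocation list is kept.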
Cryptographic key-based authentication involves the creation of temporary cryptographic “keys” in order to allow authorised parties access to a particular resource.
The process works in this way:
- Cryptographic “keys” are generated by way of asymmetric encryption and assigned to each authorised user
- These keys are then “stored” in every secure system to which the user may require access in the future
- When the user requests access to any of these systems, the server they are using will request that the user apply their private key as a method of authentication - for example, by providing an encrypted code. The private key may then be used to decrypt the code and enable the user to access the system
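The three steps above, carried out end to end, as an added example that is not code from the original article: a key pair is generated for the user, the server stores only the public key, and at login the server encrypts a random one-time code to that public key; only the holder of the private key can decrypt it and send the code back. RSA-OAEP is used here because the text describes decrypting a challenge; the names `Server`, `Enroll`, `IssueChallenge`, `Respond` and `Finish` are assumptions of the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// label binds the ciphertext to this purpose so it cannot be confused with
// other OAEP messages encrypted under the same key.
var label = []byte("login-challenge")

// Server keeps one public key per enrolled user and nothing secret.
type Server struct {
	keys map[string]*rsa.PublicKey
}

func NewServer() *Server { return &Server{keys: make(map[string]*rsa.PublicKey)} }

// Enroll records a user's public key (the "stored in every secure system" step).
func (s *Server) Enroll(user string, pub *rsa.PublicKey) { s.keys[user] = pub }

// PendingChallenge is the server's memory of one login attempt.
type PendingChallenge struct {
	user  string
	nonce []byte
}

// IssueChallenge draws a fresh 32-byte code and encrypts it to the user's
// public key. The ciphertext is sent to the client; the plaintext stays here.
func (s *Server) IssueChallenge(user string) ([]byte, *PendingChallenge, error) {
	pub, ok := s.keys[user]
	if !ok {
		return nil, nil, errors.New("unknown user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, nonce, label)
	if err != nil {
		return nil, nil, err
	}
	return ct, &PendingChallenge{user: user, nonce: nonce}, nil
}

// Respond runs on the client, the only place the private key exists.
// A wrong key fails to decrypt rather than producing a plausible answer.
func Respond(priv *rsa.PrivateKey, ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ciphertext, label)
}

// Finish accepts the login if the returned code matches; the challenge is
// consumed either way so a captured response cannot be replayed.
func (s *Server) Finish(pc *PendingChallenge, response []byte) bool {
	ok := subtle.ConstantTimeCompare(pc.nonce, response) == 1
	pc.nonce = nil
	return ok
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // user's key pair
	if err != nil {
		panic(err)
	}
	srv := NewServer()
	srv.Enroll("alice", &priv.PublicKey)
	ct, pc, _ := srv.IssueChallenge("alice")
	resp, _ := Respond(priv, ct)
	fmt.Println("login ok:", srv.Finish(pc, resp))
	fmt.Println("replay ok:", srv.Finish(pc, resp))
}
```

The server never sees the private key and stores nothing that would let a thief impersonate the user; a breach of the server's key store yields only public keys.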
“With no need to remember and enter complicated and insecure passwords, ‘frictionless’, password-free login methods appear to be the way of the future,” comments Ruban Selvanayagam of UK buying firm Property Solvers, which has been investigating how to deploy cryptography and blockchain technology in the real estate industry.
From user “behaviour” analysis to asymmetric encryption, we can expect the authentication experience to flow more and more easily as the metaverse develops. All changes to the “login” process are likely to follow this pattern throughout the foreseeable future.