Issues with Authentication Services
Depending on its purpose, an authentication service needs to satisfy different requirements. Today we are going to explore common authentication services and point out some of the problems and challenges they solve.
We compare the features of a few authentication services. For the comparison criteria we chose NSTIC (National Strategy for Trusted Identities) as the base for the categories. NSTIC is the most generic framework we found. It is also relatively new and well-defined.
We chose the following services for comparison:
1. Lloyds bank web bank account
Large, well-known bank that provides a dongle-based authentication system.
2. Google Identity services
The most commonly used OpenID Connect platform.
3. MobileConnect service
Flexible mobile signature service specified by GSMA.
4. Mobile ID service
Mobile ID is Methics’ most comprehensive mobile signature solution.
Now let’s see what authentication requirements these services satisfy.
Anonymous authentication does not expose the user’s identity but only some identity attributes, like age.
A pseudonym can be linked to a real identity in another system. A pseudonym guarantees that the user is the same one as before.
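The following is an added example, not code from the original post or from any of the services compared here. It shows one way an identity provider can hand out a pseudonym that stays stable for one relying party while being uncorrelatable across relying parties, in the spirit of the OpenID Connect "pairwise" subject identifier type, and releases only the requested identity attributes (the anonymous-authentication case, e.g. an age flag). The salt, the user record and the sector identifiers are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// Salt is the identity provider's secret for deriving pseudonyms (constructed
// for this example; a real deployment keeps it in a secret store).
var Salt = []byte("example-idp-pairwise-salt-do-not-reuse")

// PairwiseSub derives a per-relying-party pseudonym, in the spirit of the
// OpenID Connect "pairwise" subject identifier type: the same user seen from
// the same sector identifier always maps to the same value, while two
// different sectors receive values they cannot correlate without the salt.
func PairwiseSub(salt []byte, sectorIdentifier, localUserID string) string {
	mac := hmac.New(sha256.New, salt)
	mac.Write([]byte(sectorIdentifier))
	mac.Write([]byte{0}) // separator: "ab"+"c" must not collide with "a"+"bc"
	mac.Write([]byte(localUserID))
	return base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// User is the identity provider's internal record (constructed sample data).
type User struct {
	LocalID    string
	Name       string
	Attributes map[string]string // verified attributes, e.g. "age_over_18": "true"
}

// ReleaseClaims builds what a relying party gets for a pseudonymous login:
// the pairwise "sub" plus only the attributes it asked for. The local
// account identifier and the real name are never released.
func ReleaseClaims(salt []byte, sector string, u User, requested []string) map[string]string {
	claims := map[string]string{"sub": PairwiseSub(salt, sector, u.LocalID)}
	for _, name := range requested {
		if v, ok := u.Attributes[name]; ok {
			claims[name] = v
		}
	}
	return claims
}

func main() {
	alice := User{
		LocalID:    "acct-1001",
		Name:       "Alice Example",
		Attributes: map[string]string{"age_over_18": "true", "country": "FI"},
	}
	shop := ReleaseClaims(Salt, "https://shop.example", alice, []string{"age_over_18"})
	forum := ReleaseClaims(Salt, "https://forum.example", alice, []string{"age_over_18"})
	fmt.Println("shop sees :", shop)
	fmt.Println("forum sees:", forum)
	fmt.Println("same pseudonym across sites?", shop["sub"] == forum["sub"])
}
```

The relying party can recognise a returning user by the `sub` value, but two relying parties comparing their `sub` values learn nothing, and neither of them ever sees the account id or name held by the identity provider.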
Distributed control means that the control of the identity can be shared between multiple organizations. In MobileConnect and Mobile ID, the operator, or a bank registers users. There can be several connected operators and banks in a single authentication service.
Two-factor authentication, secure login and unique identity seem to be commodities. Lloyds Bank and Google can create unique identities because they control the whole authentication service. MobileConnect and Mobile ID identify users based on the mobile phone number, which is unique to each user.
Proof of identity means that we are sure about the user’s identity. The identity can be proven by verifying the registrant in person (face-to-face registration).
Legal signature means that a third party can verify the signature by using well-known standard methods. Mobile ID uses PKI to allow strong authentication.
Transaction approval means that a third party can verify a transaction.
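As an added example (not code from the original post and not the Mobile ID implementation), the block below shows why a PKI signature gives a legal signature and a third-party-verifiable transaction approval: the user signs the exact transaction text, and anyone holding only the public key can check it, while any change to the transaction invalidates the signature. It uses a software P-256 key generated for the example; in a mobile signature deployment the private key stays with the user and the public key is distributed in a certificate. The transaction values are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Transaction is what the user is shown and asked to approve; its canonical
// text is the data to be signed (DTBS).
type Transaction struct {
	Payee  string
	Amount string
	Ref    string
}

// DTBS returns the exact bytes that are signed. Any change to the payee,
// amount or reference changes these bytes and therefore breaks the signature.
func (t Transaction) DTBS() []byte {
	return []byte("payee=" + t.Payee + "\namount=" + t.Amount + "\nref=" + t.Ref)
}

// NewSigningKey creates a P-256 key pair for the example. The private key
// stands in for the user's signing key; the public key (in a real PKI, wrapped
// in a certificate) is what third parties use to verify.
func NewSigningKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// Approve produces the user's signature over the SHA-256 hash of the DTBS.
func Approve(priv *ecdsa.PrivateKey, t Transaction) ([]byte, error) {
	h := sha256.Sum256(t.DTBS())
	return ecdsa.SignASN1(rand.Reader, priv, h[:])
}

// VerifyApproval is what an independent third party runs: it needs only the
// public key, the transaction text and the signature, no secret of any kind.
func VerifyApproval(pub *ecdsa.PublicKey, t Transaction, sig []byte) bool {
	h := sha256.Sum256(t.DTBS())
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

func main() {
	priv, err := NewSigningKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample transaction.
	tx := Transaction{Payee: "Example Oy", Amount: "120.00 EUR", Ref: "invoice-4711"}
	sig, err := Approve(priv, tx)
	if err != nil {
		panic(err)
	}
	fmt.Println("original verifies:", VerifyApproval(&priv.PublicKey, tx, sig))
	tampered := tx
	tampered.Amount = "1200.00 EUR"
	fmt.Println("tampered verifies:", VerifyApproval(&priv.PublicKey, tampered, sig))
}
```

The verifier never needs the signing key, which is what lets a third party (an auditor, a court, the counterparty) check the approval independently of the service that collected it. The canonical DTBS encoding matters: signer and verifier must build byte-identical input, or a valid approval will fail to verify.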
OpenID Connect is a common authentication standard supported by Google Identity, MobileConnect and Mobile ID.
MobileConnect is standardized by GSMA and Mobile ID by ETSI.
Cost-effectiveness and ease of use
Quick on-screen user experience means that the service does not require a lot of user interaction.
Fast authentication means that the actual authentication communication and process happens quickly.
An acquiring service connects web services (e.g. login pages) to authentication services. Interconnection between acquirers means connecting multiple acquiring services together. Interconnected acquirers can locate the user in connected authentication services. A web service only has to connect to one of the acquiring services in order to authenticate a user.
MobileConnect and Mobile ID are interconnected in the Kiuru solution using MSS Roaming. Interconnection is not specified in the MobileConnect specification, but it can be implemented with MSS Roaming.