Choosing the Right Authentication Methods
8 July 2025
In this age of rapid digitalisation, attackers are actively targeting weak or misconfigured authentication systems.
Background
As more services move online and cyber threats become increasingly sophisticated, attackers are actively targeting weak or misconfigured authentication systems. This advisory aims to help organisations and users make informed decisions when selecting authentication methods. By understanding the strengths, trade-offs, and suitability of the methods available, stakeholders can better protect their systems and reduce the risk of account compromise.
There are several methods available to keep online accounts secure. Each method offers a different balance of security, convenience and user suitability.
Types of Authentication
1. Multi-Factor Authentication (MFA)
MFA adds an extra layer of security by requiring more than just a password — such as a code sent to your phone or an app-generated verification number. Some common examples include apps such as Google Authenticator and Microsoft Authenticator.
MFA is appropriate when:
Security is more important than convenience or speed.
Users are happy to provide a second method of contact, like a phone number or email.
Users are confident using mobile devices and can recognise unusual requests.
The service can offer multiple ways to verify identity.
MFA is less appropriate when:
Ease of use and quick access are more important than strong security.
Users prefer not to give out contact information.
Users are less comfortable with mobile technology or authentication messages.
2. Federated Single Sign-On (SSO) via OIDC
Federated SSO (often seen as “Sign in with Google” or “Sign in with Apple”) allows users to log in using an existing account from a trusted provider, instead of creating a new one. It uses a protocol called OpenID Connect (OIDC).
Benefits:
Users do not need to remember new passwords.
Your account benefits from the existing security measures of the trusted provider, such as MFA or suspicious activity blocking.
OIDC is appropriate when:
Ease of use is a high priority.
You trust the identity provider’s security and availability.
Users are comfortable with the provider knowing they use your service.
OIDC is less appropriate when:
Strong, independent control over account security is required.
Users want to keep their use of your service private from the identity provider.
Your service has higher availability or security standards than the identity provider.
You cannot tolerate service outages from the identity provider.
3. FIDO2
FIDO2 is a newer standard that allows passwordless authentication using hardware tokens or biometrics (like fingerprint or face recognition).
FIDO2 is appropriate when:
Strong security is more important than ease of use.
Users understand and value the need for high-level security.
You can provide users with the needed device or token, rather than relying on them to buy their own.
You can manage account recovery when users lose their access tokens.
FIDO2 is less appropriate when:
User convenience is as important as security.
Users do not see the need for high security and resist using second factors.
Users do not own or want to purchase smartphones or security tokens.
You need immediate account recovery if a token is lost.
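What makes FIDO2 strong is that the browser binds every login response to the site's origin and to a fresh server challenge, and the token maintains a signature counter that exposes cloned devices. The following is an added example, not part of the advisory or of any FIDO library, showing the relying-party checks on a WebAuthn assertion: ceremony type, challenge, origin, rpIdHash, user-presence and user-verification flags, and the counter. The build_client_data and build_auth_data helpers only construct demo inputs in the shape the browser and authenticator produce; the origin and RP id values are made up. Verifying the authenticator's signature over authData || SHA-256(clientDataJSON) with the stored public key is the one step left to a crypto library.

```python
import base64
import hashlib
import hmac
import json
import struct
from typing import Optional

FLAG_UP = 0x01  # user present (touched the token or confirmed the prompt)
FLAG_UV = 0x04  # user verified (PIN or biometric checked on the authenticator)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_client_data(challenge: bytes, origin: str, ceremony: str = "webauthn.get") -> bytes:
    """Constructed stand-in for the clientDataJSON the browser returns to the server."""
    return json.dumps({"type": ceremony, "challenge": _b64url(challenge), "origin": origin}).encode()


def build_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Minimal authenticatorData: rpIdHash (32) || flags (1) || signCount (4, big-endian)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


def check_assertion(client_data_json: bytes, auth_data: bytes, expected_challenge: bytes,
                    expected_origin: str, rp_id: str, stored_sign_count: int,
                    require_uv: bool = False) -> Optional[str]:
    """Relying-party checks on a WebAuthn assertion: None if all pass, else the failure reason.

    Not done here: verifying the signature over auth_data || SHA-256(client_data_json)
    with the credential's stored public key (use a crypto library for that).
    """
    try:
        client_data = json.loads(client_data_json)
        presented_challenge = _b64url_decode(str(client_data.get("challenge", "")))
    except (ValueError, AttributeError):
        return "clientDataJSON is not well-formed"
    if client_data.get("type") != "webauthn.get":
        return "wrong ceremony type"
    if not hmac.compare_digest(presented_challenge, expected_challenge):
        return "challenge mismatch"  # stale or replayed response
    if client_data.get("origin") != expected_origin:
        return "origin mismatch"  # browser signed for another site: this is the phishing resistance
    if len(auth_data) < 37:
        return "authenticatorData too short"
    if not hmac.compare_digest(auth_data[:32], hashlib.sha256(rp_id.encode()).digest()):
        return "rpIdHash mismatch"
    flags = auth_data[32]
    if not flags & FLAG_UP:
        return "user presence not asserted"
    if require_uv and not flags & FLAG_UV:
        return "user verification required but not performed"
    sign_count = struct.unpack(">I", auth_data[33:37])[0]
    if sign_count != 0 and sign_count <= stored_sign_count:
        return "signature counter did not increase (possible cloned authenticator)"
    return None
```

A counter that fails to increase is worth alerting on rather than silently rejecting: it is the signal that two authenticators share one private key, which is exactly the event the recovery process mentioned above has to handle.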
4. Magic Links and One-Time Passwords (OTPs)
These methods send a link or temporary code to your email or phone number that you use to sign in, usually for one-time or session-based access.
Magic links and OTPs are appropriate when:
Security is not the main concern, and user convenience matters just as much.
Users are willing to provide an email or phone number.
Users are comfortable using mobile devices and can recognise suspicious requests.
Magic links and OTPs are less appropriate when:
High security is required, and mobile or email systems may not be secure enough.
Users do not want to give out contact information.
Users may struggle to identify legitimate authentication messages.
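Magic links and OTPs are only as safe as the way the secret is generated, stored and redeemed: it must come from a cryptographic random source, be stored only as a hash, expire quickly, work exactly once, and (for short numeric codes) allow only a few guesses. The code below is an added example, not part of the advisory, implementing those rules in one store that issues both kinds of secret; the OneTimeLoginStore class, its time limits and the example URL are this example's own choices.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import parse_qs, urlparse


@dataclass
class PendingLogin:
    secret_hash: bytes   # only a hash of the link token / OTP is stored
    user: str
    expires_at: float
    attempts: int = 0


class OneTimeLoginStore:
    """Issues magic-link tokens and email/SMS OTPs and redeems each at most once.

    Design: secrets come from the OS CSPRNG; the store keeps SHA-256 hashes rather than
    the secrets, so a leaked table does not hand out live logins; every entry has a short
    lifetime; short OTPs get an attempt budget so they cannot be guessed.
    """

    def __init__(self, ttl_seconds: int = 600, max_attempts: int = 5,
                 clock: Callable[[], float] = time.time):
        self._pending: Dict[str, PendingLogin] = {}
        self._ttl = ttl_seconds
        self._max_attempts = max_attempts
        self._clock = clock  # injectable for tests

    @staticmethod
    def _hash(secret: str) -> bytes:
        return hashlib.sha256(secret.encode()).digest()

    def _issue(self, user: str, secret: str) -> str:
        login_id = secrets.token_urlsafe(16)  # public handle, carries no secret
        self._pending[login_id] = PendingLogin(self._hash(secret), user, self._clock() + self._ttl)
        return login_id

    def issue_magic_link(self, user: str, base_url: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits of entropy: unguessable, no attempt budget needed
        login_id = self._issue(user, token)
        return f"{base_url}?id={login_id}&t={token}"

    def issue_otp(self, user: str, digits: int = 6) -> Tuple[str, str]:
        """Return (login_id, otp); the otp is sent to the user, the login_id tracks the attempt."""
        otp = str(secrets.randbelow(10 ** digits)).zfill(digits)
        return self._issue(user, otp), otp

    def redeem(self, login_id: str, presented: str) -> Optional[str]:
        """Return the user on success, None otherwise; the entry is consumed on success."""
        entry = self._pending.get(login_id)
        if entry is None:
            return None
        if self._clock() > entry.expires_at:
            del self._pending[login_id]
            return None
        if hmac.compare_digest(self._hash(presented), entry.secret_hash):
            del self._pending[login_id]  # single use
            return entry.user
        entry.attempts += 1
        if entry.attempts >= self._max_attempts:
            del self._pending[login_id]  # budget exhausted: the user must request a new code
        return None


def redeem_magic_link(store: OneTimeLoginStore, url: str) -> Optional[str]:
    """Server side of the link click: pull id and token out of the URL and redeem them."""
    query = parse_qs(urlparse(url).query)
    try:
        return store.redeem(query["id"][0], query["t"][0])
    except KeyError:
        return None
```

Hashing the stored secret is what separates the two methods' risk profiles: a leaked 256-bit link token hash cannot be reversed, but a leaked six-digit OTP hash can be, which is why the attempt budget and the short lifetime do the real work for OTPs.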
Conclusion
Choosing the right authentication method depends on balancing security needs with user experience. MFA and FIDO2 offer strong protection but may be less convenient. Federated SSO via OIDC simplifies login but relies on third-party providers. Magic links and OTPs provide ease of use but are best suited for lower-risk scenarios. Understanding your needs, your threat environment, and your service requirements is key to selecting the most appropriate method of authentication.