Based on open standards from the FIDO (Fast IDentity Online) Alliance, FIDO2/WebAuthn is a phishing-resistant, passwordless multi-factor authentication (MFA) method that enables password-only logins to be replaced with secure and fast login experiences across websites and apps.

SurePassID Authentication Server turns any mobile device – BYOD or issued – into a universal authenticator for fast, frictionless MFA. With a single tap, users can verify their identity and begin securely accessing resources. Alternatively, users can easily deny unrecognized login attempts and prevent bad actors from unauthorized access. Best of all, push authentication is highly secure as an MFA out-of-band and anti-replay attack method.

One time passwords (OTPs) are an authentication method used as part of two-factor authentication (2FA) and multi-factor authentication (MFA):

• Something you know (Username/Password); and
• Something you have (One Time Password)

OTPs are unique passwords that are only valid for a single login session for a defined period of time. OTPs are generated via the open standard OATH HOTP (event-based) or TOTP (time-based) algorithm. A variety of user authenticators can be used to generate OTPs, or they can be generated separately and sent to users via SMS, IVR, email or other means.

Mobile devices with SMS text capability can be used for authentication via One Time Password (OTP) and Challenge/Response (CR or Y/N). This is a less-secure form of strong authentication because it is vulnerable to man-in-the-middle attacks.

• SMS OTP sends an OTP to the user’s phone via SMS. The user enters the OTP into their login authentication and is approved.
• SMS Challenge-Response sends a question asking if the authorization attempt is approved to the user’s phone via SMS. If the user texts back “Yes”, authentication is completed and the user is logged in. If the user texts back “No”, authentication is failed and the user is not logged in.

For organizations requiring compliance with any NIST-based regulatory regime, SMS OTP is no longer a compliant authentication method due to its vulnerability to man-in-the-middle (MITM) attacks.

Mobile phones can be used for authentication via One Time Password (OTP) or Challenge-Response (CR or Y/N) delivered via Interactive Voice Response (IVR). This is a less-secure form of strong authentication because it is vulnerable to man-in-the-middle (MITM) attacks.

• IVR OTP places a voice call to the user, who listens to the OTP. Then the user enters the OTP into their login authentication and is approved.
• IVR Challenge-Response places a voice call to the user, who listens to a question asking if the authorization attempt is approved. If the user replies “Yes”, authentication is completed and the user is logged in. If the user replies “No”, authentication is failed and the user is not logged in.

For organizations with visually-impaired users, IVR Challenge/Response enables compliance with the Americans with Disabilities Act (ADA). However, IVR authentication is not compliant with NIST-based regulatory regimes due to its security vulnerability.