Multifactor Authentication Methods: A Framework for Their Comparison and Selection

There are multiple techniques for users to authenticate themselves in software applications, such as text passwords, smart cards, and biometrics. Two or more of these techniques can be combined to increase security, which is known as multifactor authentication. Systems commonly utilize authentication as part of their access control with the objective of protecting the information stored within them. However, the decision of what authentication technique to implement in a system is often taken by the software development team in charge of it. A poor decision during this step could lead to a fatal mistake in relation to security, creating the necessity for a method that systematizes this task. Thus, this book chapter presents a theoretical decision framework that tackles this issue by providing guidelines based on the evaluated application's characteristics and target context. These guidelines were defined through the application of an extensive action-research methodology in collaboration with experts from a multinational software development company.


Introduction
Generally, to protect the personal information of users in software applications, distinct authentication techniques are utilized to prevent intruders from accessing it. Authentication is, thus, the process of verifying the identity of a user as part of a system's access control, with the aim of protecting the information stored within it [1]. Various authentication techniques have been proposed in the literature, such as text passwords [2,3], smart cards [4,5], and biometrics [6][7][8]. All of the mentioned techniques belong to distinct authentication factors. An authentication factor is a piece of information that can be used to verify the identity of a user [9]. There are three main groups or factors of authentication techniques [10,11]: (i) knowledge-based, that is, based on something that the user knows, such as text passwords; (ii) possession-based, that is, based on something that the user possesses, such as smart cards; and (iii) inherence-based, that is, based on something that the user is, such as biometrics. Two or more of these techniques can be combined to increase security, which is known as multifactor authentication [1].
In this book chapter, to differentiate between single-factor and multifactor authentication techniques, the former will be referred to as authentication schemes, whereas the latter will be referred to as multifactor authentication methods.
Nowadays, the decision of what authentication scheme or method to implement in a software application resides within the software development team. However, the experience of the involved developers can vary from team to team, which could affect the decision of what authentication technique to implement. Due to the importance of security [12], selecting the wrong authentication technique could potentially be a fatal mistake [13].
The above statement creates the necessity of a method that systematizes the task of comparing and selecting authentication schemes and methods. A few frameworks in the literature partially help to achieve this [14,15]; however, they do not present adequate characteristics for their application in distinct application contexts, or they do not consider all authentication techniques or multifactor authentication. Thus, this book chapter presents a decision framework that covers the observed gap. This framework has been generated through the application of an action-research methodology [16]. This action-research has been performed in collaboration with a multinational software development company and contemplates the utilization of other research methodologies that support it.
The remainder of this book chapter is organized as follows. The methodology utilized for the research is presented in Section 2. Section 3 focuses on obtaining the knowledge base utilized for the research. In Section 4, the generated decision framework is presented. Section 5 consists of the validation of the framework. Finally, the conclusions and future work of the research are given in Section 6.

Methodology
The realization of this research is within the scope of an action-research methodology that was carried out for over a year in collaboration with a software development company. The objective of action-research is to provide a benefit for the research's "client" while also generating relevant "research knowledge" [16,17]. This kind of collaboration makes it possible to study complex social processes, such as the use of information technologies in organizations, by introducing changes in them and observing their effects [18].
There are four roles involved in action-research [19]. These roles are as follows:
• The researcher(s) who undertake(s) the action-research. In this case, the researchers are the book chapter's authors.
• The studied object, that is, the problem to solve. In this case, the studied object is the comparison and selection of authentication schemes and methods.
• The critical group of reference that has a problem that needs to be solved and also participates in the research process. In this case, the critical group of reference is composed of the employees of the partnered software development company (PSDC).
• The beneficiary who can receive benefits from the research results, without directly participating in its process. In this case, the main beneficiary is the PSDC, but other software developers can also benefit from this research.
During the realization of this action-research, multiple activities were performed in conjunction with the PSDC. These activities helped to generate and validate the proposed decision framework for addressing the need to automate the comparison and selection of authentication techniques. These activities were performed utilizing the iterative process of action-research, which considers, for every cycle, the following four phases [20]: (i) the planning phase, which considers the elaboration of a research question to be answered through the iteration; (ii) the action phase, where distinct research methodologies are applied to address the posed research question; (iii) the observation phase, where the results of the interventions from the previous phase are processed; and (iv) the reflection phase, where the researchers share their findings with the group of reference to generate feedback. This last phase can also be performed transversally instead of cyclically [19], as was done in this action-research through weekly progress meetings.
In this work, the action-research methodology was applied through three cycles. The objective of the first cycle was to obtain the required knowledge base for creating the framework. To achieve this, two strategies were applied: first, a systematic literature review (SLR) [21] was performed to obtain the existing knowledge in the literature, and second, a number of surveys and interviews [16,22] were conducted to learn the perceptions of the industry through the PSDC's employees. The second cycle was centered on the creation of the decision framework. During this cycle, an expert panel [23] was held to validate the initial draft of the framework. Finally, the third cycle focused on validating the final framework through the application of case studies [24].

Identification of the knowledge base
To construct the decision framework, it was necessary to obtain an adequate knowledge base regarding the topic at hand. To achieve this, two methodologies were applied. The first was the realization of a systematic literature review to identify the existing knowledge in related academic publications. The second corresponds to the application of a survey and interviews (S&I) to employees of the PSDC to learn the perceptions of the industry. The combined usage of these methods allowed the procurement of a knowledge base useful both for the academic and industrial sectors.

Systematic literature review
A systematic literature review has been carried out with the objective of "identifying authentication schemes proposed in literature and their possible combinations for their use as multifactor authentication methods, while also detecting criteria used for their comparison and selection and the existence of frameworks that handle such a task." Based on this objective, the following four research questions were formulated:
1. Which are the main authentication schemes that exist in the literature?
2. What combinations of these schemes can be found that can be used as multifactor authentication methods?
3. What criteria can be used to compare and/or to select between authentication schemes and/or multifactor authentication methods?
4. Are there frameworks that help to compare and/or to select authentication schemes or multifactor authentication methods? What are their characteristics?
The planning and results of the SLR have already been published in the literature [25]. Additionally, a list containing the publications accepted during the SLR can be found at http://colvin.chillan.ubiobio.cl/mcaro/. Next, a brief summary of the main results of the SLR for every research question is presented.

Authentication schemes
A total of 515 publications regarding the proposal of authentication schemes were found. Their distribution among the authentication factors is as shown in Figure 1. Additionally, the context for which these schemes were proposed was recorded as well; this is presented in Table 1, including the publication's origin (journal article, conference article, or book chapter). It is important to mention that only 233 of the publications indicated a context.

Multifactor authentication methods
Four hundred forty-two publications proposing the combination of two or more authentication schemes in a multifactor manner were identified. Their distribution among the distinct authentication factor combinations is as shown in Figure 2.
Similarly to the previous research question, the context for which these methods were proposed was recorded as well; this is presented in Table 2, including the publication's origin (journal article, conference article, or book chapter). In this case, 272 of the publications did indicate a context.

Comparison and selection criteria
Only 17 publications presented criteria for the comparison and selection of authentication schemes and methods. The criteria presented in the distinct publications can be categorized based on the kind of criteria proposed. Every publication considered one or more criteria categories; however, only three of them could be identified in more than one publication. The most identified categories of criteria are usability, security, and costs. The first two were identified in nine publications each, whereas the third was found in five publications. Moreover, it could be observed that most of these articles gave high importance to the use context for comparing and selecting schemes and methods. This was mainly done by the publication addressing specific contexts or considering the context itself as another criterion.

Decision frameworks
Eight decision frameworks that help in the comparison and selection of authentication schemes and methods were identified. Through the analysis of these frameworks, it could be observed that multifactor authentication is not often considered, whereas proposals that do consider it utilize a limited number of criteria. Thus, no decision framework that considered multifactor authentication and enough criteria for a detailed comparison and selection of authentication schemes and methods could be found.

Survey and interviews
A survey and interviews have been applied to the PSDC's employees with the objective of learning the perceptions of people from the industry regarding authentication and the comparison and selection of distinct schemes and methods. The interviews were conducted as a pilot application of the survey. A total of 12 employees were interviewed. In addition, 45 valid responses, out of a sample of 83 people ranging from developers to project leads, were received through the survey. Of the 57 respondents, over two thirds held a senior position in the PSDC and had over 6 years of working experience.
Four main questions were posed to the respondents, whose contents can be summarized as follows:
Q1. What authentication schemes do you know?
Q2. What multifactor authentication methods do you know?
Q3. What authentication schemes or multifactor authentication methods have you implemented in applications that you have developed?
Q4. What is the importance that you give to distinct factors when deciding what authentication scheme or method should be implemented in an application?
The questionnaire used for the survey can be found at http://colvin.chillan.ubiobio.cl/mcaro/. A summary of the responses obtained for every question is provided next.

Authentication schemes known by the respondents
For this question, respondents were asked to mark from a list the authentication schemes that they knew. The best known schemes were text passwords, one-time passwords (OTP, tokens), and mobile-based authentication. All respondents answered this question. The complete results of this question can be observed in Table 3, which shows the number of survey respondents and interviewed people who know each authentication scheme.

Multifactor authentication methods known by the respondents
For the second question, respondents were given a brief explanation about multifactor authentication. Afterward, they were asked what multifactor authentication methods they knew. The combination of text passwords and OTP was the best known among them. A total of 27 out of the 45 survey respondents answered this question. The complete results of this question can be observed in Table 4, which shows the number of survey respondents and interviewed people who know each multifactor authentication method.

Authentication schemes and methods implemented by the respondents
Next, the respondents were asked what authentication techniques they had implemented in applications developed by them and the kind of application. Most applications were either web-based or for banking and commerce. A total of 23 out of the 45 survey respondents answered this question. The complete results of this question can be observed in the graphs of Figures 3 and 4, which show the implemented authentication schemes and methods and the contexts of the applications that were being developed, respectively.

Comparison and selection criteria used by the respondents
For the last question of the S&I, distinct strategies were applied between the interviewees and the survey respondents. In the case of the former, they were directly asked what criteria they utilized for the comparison and selection of authentication schemes and methods. In the case of the latter, the responses from the interviewees, coupled with the results of the previously performed SLR, were used to generate a list of comparison and selection criteria that respondents were asked to rate from 1 to 5. A higher value meant that the respondent gave a higher importance to the criterion. A total of 29 out of the 45 survey respondents answered this question. The complete results of this question can be observed in Tables 5 and 6, which show the responses given by the interviewees and the survey respondents, respectively.
Finally, survey respondents were asked what other comparison and selection criteria they would consider. The received answers include the ease of authentication information recovery, the registration method, and the sensitivity of the information.

Short survey
A second survey was later applied to nine employees of the PSDC. These employees were selected among the most experienced developers of the company, based on their years of experience and positions. The single aim of this survey was to ascertain the importance that the respondents would assign to an application's security and usability based on the target context. The importance was valued in percentages, with the sum of usability and security being 100% for every context. Table 7 presents the results of this survey.
The obtained values were used afterward as part of the input for the decision framework.

Table 5. Comparison and selection criteria considered by the interviewees.

Criterion                     Interviewees that consider the criterion
Client's requirements         11
Application context           11
Usability-related criteria     9
Security-related criteria     11
Cost-related criteria          8
Other criteria                 2

The framework
This section describes the decision framework constructed through the knowledge base acquired by using the methodologies presented above. It has been given the name of Kontun framework, which means "to enter foreign property" in Mapudungún, an indigenous language from Chile, which is what it aims to prevent. Table 8 shows a summary of the main findings during the knowledge base gathering and their origin (either the SLR or the S&I).
A summary of the constructed framework's characteristics is provided next. A complete description can be found in [26].
Table 7. Importance given to security and usability in distinct contexts by the respondents.

First, the framework considers a number of criteria obtained from the knowledge base, divided among the three most observed categories: security, usability, and costs. Each criterion is then given distinct possible importance values and a weight based on the findings from the knowledge base. To illustrate this, Table 9 shows the usability-related criteria, their importance values, and their weights. Every criterion has two or more importance values between 20 and 100, and the sum of the weights of the criteria belonging to the same category is 100%. In this manner, when using the framework, a person must select the importance values that best describe their application and then calculate the average values of security (S), usability (U), and costs (C) using the following equations:

The framework also considers a number of common contexts identified through the knowledge base. These contexts were given distinct weights based on the importance of security and usability in the context itself. Here, a term known as the security/usability value (SUV) is introduced. The knowledge base made it possible to ascertain that, generally, the more secure an authentication scheme or method is, the lower its usability, and vice versa. The SUV is used to denote this. Based on the calculated average values of S, U, and C, coupled with the selected application context (Ct), the SUV is calculated as follows:

A and B are constants defined based on the importance given to S and U, respectively, in the selected context. A high SUV value thus indicates that more secure authentication methods should be implemented in the application, whereas a low SUV indicates that more usable authentication schemes or methods should be implemented in the application. Having calculated the SUV and also considering the average value given to C, the framework is able to provide a suggestion on what authentication schemes or methods to implement in the evaluated application. The recommendation is as follows: for an SUV of 65 or higher, the framework suggests the implementation of highly secure authentication methods; for an SUV of 35 or lower, it suggests the implementation of highly usable authentication schemes; and for an SUV between 35 and 65, it suggests the implementation of averagely secure and usable authentication methods. Moreover, for a value of C of 60 and above, the framework suggests the implementation of more affordable authentication schemes or methods; for a value of C below 60, it suggests the implementation of more expensive authentication schemes or methods. The recommendations also differ based on the target Ct. Thus, for every Ct, the framework gives six possible recommendations based on the calculated SUV and C. Table 10 illustrates the above framework for the context of mobile environment.

Table 9. Usability-related criteria, their importance values, and their weights.

Criterion                             Importance                                               Value   Weight
Ease of use                           The method necessarily needs to be easy to use           100     25%
                                      The method preferably needs to be easy to use             60
                                      It is not necessary for the method to be easy to use      20
Ease of learning                      A user should not take longer than a day to get used     100     25%
                                      A user should not take longer than a week to get used     60
                                      The time it takes to get used is not relevant             20
Authentication information recovery   The recovery process should be simple                    100     10%
                                      The recovery process should be complex                    20
Need of using a device
Finally, the person utilizing the framework must decide the authentication scheme or method to implement in their application, taking into consideration the recommendations given by the framework.
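
As an added worked example (not the authors' tool prototype, and not the chapter's own equations, which are not reproduced here), the following Python script carries the decision step through for a constructed scenario. The usability criteria, importance values and weights of Table 9 and the SUV/C thresholds come from the text; the weight-normalised averaging of S, U and C, the SUV formula, the per-context percentages and the stand-in for the criteria cut off at the end of Table 9 are assumptions, labelled in the code.

```python
"""Decision step of the Kontun framework, worked as an added example.

Not the authors' tool. From the chapter: the usability criteria of Table 9
and the recommendation thresholds (SUV >= 65 / <= 35, C >= 60). Assumptions:
S, U and C are weight-normalised averages of the selected importance values,
and SUV = (A*S + B*(100 - U)) / 100 with A and B the context's security and
usability percentages in the form of Table 7 (values constructed below).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Criterion:
    name: str
    weight: int   # percentage; the weights of one category sum to 100
    values: dict  # option label -> importance value (20..100)


# Usability criteria visible in Table 9. "Need of using a device" and the rest
# of the table are cut off in the chapter, so their 40% of weight is carried
# by one constructed stand-in criterion.
USABILITY = [
    Criterion("ease_of_use", 25, {"necessary": 100, "preferable": 60, "not_necessary": 20}),
    Criterion("ease_of_learning", 25, {"one_day": 100, "one_week": 60, "irrelevant": 20}),
    Criterion("info_recovery", 10, {"simple": 100, "complex": 20}),
    Criterion("remaining_usability", 40, {"high": 100, "low": 20}),  # constructed stand-in
]

# (security %, usability %) per context, summing to 100 as in Table 7.
# Constructed numbers: the chapter's Table 7 values are not reproduced here.
CONTEXTS = {
    "mobile environment": (60, 40),
    "banking and commerce": (80, 20),
    "web-based": (50, 50),
}


def category_average(criteria, selections):
    """Weight-normalised average of the chosen importance values (assumption)."""
    total_weight = sum(c.weight for c in criteria)
    if total_weight == 0:
        raise ValueError("criteria list carries no weight")
    acc = 0
    for c in criteria:
        try:
            acc += c.weight * c.values[selections[c.name]]
        except KeyError as exc:
            # A missing or misspelled option must not silently count as zero.
            raise ValueError(f"no valid selection for criterion {c.name!r}") from exc
    return acc / total_weight


def security_usability_value(s, u, context):
    """SUV under the assumed formula: high S pushes it up, high U pulls it down."""
    a, b = CONTEXTS[context]
    if a + b != 100:
        raise ValueError("context weights must sum to 100")
    return (a * s + b * (100 - u)) / 100


def recommend(suv, c):
    """Map SUV and C onto one of the framework's six recommendation classes."""
    if suv >= 65:
        level = "highly secure authentication methods"
    elif suv <= 35:
        level = "highly usable authentication schemes"
    else:
        level = "averagely secure and usable authentication methods"
    cost = "more affordable" if c >= 60 else "more expensive"
    return f"{level}, {cost}"


def evaluate(selections, s, c, context):
    """Full decision step: U from the criteria, then SUV, then the recommendation."""
    u = category_average(USABILITY, selections)
    suv = security_usability_value(s, u, context)
    return {"U": u, "SUV": suv, "recommendation": recommend(suv, c)}


if __name__ == "__main__":
    # Constructed scenario: a banking application whose security average S and
    # cost average C were already obtained from their own criteria.
    choices = {"ease_of_use": "preferable", "ease_of_learning": "one_week",
               "info_recovery": "complex", "remaining_usability": "low"}
    print(evaluate(choices, s=90, c=40, context="banking and commerce"))
```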

Tool prototype
To facilitate the use of the framework in software development environments, a tool prototype has been constructed that allows its utilization in a semiautomatic manner. This tool has also supported the validation process of the framework. With the tool prototype, the person in charge only needs to indicate the evaluated application's features and target context through a radio form. Afterward, the tool prototype automatically calculates the values of average S, U, and C and the SUV. The tool prototype is available for download in http://colvin.chillan.ubiobio.cl/mcaro/. The tool prototype has been developed using the model view controller (MVC) design pattern, with the Java programming language and supported by the Spring Framework. PostgreSQL has been used as the database management system.
The main screens of the tool prototype can be observed in Figures 5-7. They show the procedures for the criteria selection, the context selection, and the framework's recommendation, respectively. The tool prototype also has additional features that facilitate its use in software development companies. Specifically, it has a user registration feature which allows maintaining a registry of its usage and a functionality for adapting its preferences based on the software development company's needs.

Validation through the industry
Throughout the creation of the framework, its adequacy was repeatedly validated using strategies associated with the application of the action-research methodology. Specifically, the validation was ascertained through the realization of an expert panel and the application of case studies. These are detailed in the remainder of this section.

Expert panel
An expert panel was held in collaboration with five experts from the PSDC. It consisted of four sessions with the aim of ascertaining their perceptions regarding an initial draft of the framework, so that it would better fit the real requirements observed in a software development environment. The activities during every session of the expert panel are described next.

Presentation of the initial draft of the framework
The first session consisted of the presentation of the initial draft of the framework, with the purpose of helping the experts to have a general notion of the aim of this research.

Validation of comparison and selection criteria
The preliminary list of criteria, their categorization, their values, and their weights were presented to the experts for their validation. This made it possible to discard the least adequate ones and to generalize those that were too specific for the needs of a software development team.

Validation of the considered contexts
The contexts considered by the framework were presented to the experts. Similarly to the previous session, this made it possible to make the appropriate modifications to the currently selected contexts. Additionally, the SUV was presented to the experts, who generally agreed on the adequacy of its use.

Validation of the framework's recommendations
The authentication schemes and methods recommended for every situation were presented to the experts. This made it possible to ascertain the adequacy of every recommendation. The experts were generally in agreement with the recommendations.

Case studies
After its construction, the validation of the framework's recommendations was carried out through the application of a case study methodology in collaboration with the PSDC. Specifically, the framework's recommendations were compared with the authentication schemes or methods implemented in existing applications developed by the PSDC, or with the recommendations that their experts would give for hypothetical situations. The case studies are described in detail in [26]. Next, a brief summary of their application is provided.
The case studies are split into three categories: (i) those carried out by comparing the framework's recommendation against the scheme or method implemented in an existing application, (ii) those carried out by comparing the framework's recommendation against the recommendations given by experts for hypothetical applications, and (iii) those carried out by comparing the framework's recommendation both against the scheme or method implemented in an existing application and against the recommendation given by experts for a hypothetical application with nearly the same features as the existing one. These case studies are presented in Tables 11-13, respectively, presenting the scheme or method implemented in the existing application, the framework's recommendation, the scheme or method most recommended by the experts, and the acceptance rate of the framework's recommendation, as appropriate.
In general, the results of the case studies are favorable for the framework. It is important to mention that, where discrepancies are observed, there was often a reasoning behind them. For example, for case study 3 (existing application), the implemented scheme was demanded by the client and not selected by the software development team.
Table 11. Case studies based on existing applications.

Table 12. Case studies based on hypothetical applications.

ID   Experts' recommendation              Framework's recommendation    Acceptance rate of framework's recommendation
4    Two- or three-factor authentication  Three-factor authentication   100%
5    Text passwords                       Two-factor authentication     80%

Table 13. Case studies based on existing applications with a hypothetical counterpart.

ID   Implemented scheme or method   Experts' recommendation      Framework's recommendation   Acceptance rate of framework's recommendation
6    Two-factor authentication      Text passwords               Text passwords               100%
7    Text passwords                 Two-factor authentication    Two-factor authentication    90%

Conclusions
The research presented in this book chapter summarizes the definition of a theoretical framework. This framework will help in the comparison and selection of the most appropriate authentication schemes or multifactor authentication methods for applications created by software developers. It has been created through the application of an action-research methodology that considered the utilization of various other research methodologies that helped to contribute in distinct ways to the research objective.
On the one hand, a systematic literature review, coupled with surveys and interviews, was performed to obtain the required knowledge base for generating the framework. The utilization of these two methodologies made it possible to ascertain the perceptions on authentication from both academia and industry.
On the other hand, an expert panel and several case studies were carried out to validate the adequacy of the framework. This made it possible to obtain feedback from the end users of the framework, so that it would provide adequate authentication scheme or method recommendations and have appropriate usability.
Thus, this experience showed the usefulness of performing research in collaboration with industry, as it permits obtaining results that align more adequately with its needs while also providing more refined academic results.
Several future work lines can be followed based on this research. Namely, the framework could be adapted to work as a recommendation system so that its recommendations get refined through its usage. For the industry, it would be of interest that the framework not only recommends an authentication technique but that it also provides the required code for its implementation. Finally, the last cycle of the action-research, that is, the realization of case studies, could be replicated in other software development companies to further validate the adequacy of the framework.