**Abstract**

There are multiple techniques for users to authenticate themselves in software applications, such as text passwords, smart cards, and biometrics. Two or more of these techniques can be combined to increase security, which is known as multifactor authentication. Systems commonly utilize authentication as part of their access control with the objective of protecting the information stored within them. However, the decision of what authentication technique to implement in a system is often taken by the software development team in charge of it. A poor decision during this step could lead to a fatal mistake in relation to security, creating the necessity for a method that systematizes this task. Thus, this book chapter presents a theoretical decision framework that tackles this issue by providing guidelines based on the evaluated application's characteristics and target context. These guidelines were defined through the application of an extensive action-research methodology in collaboration with experts from a multinational software development company.

**Keywords:** security, authentication scheme, multifactor authentication method, action-research, decision framework

#### **1. Introduction**

Generally, to protect the personal information of users in software applications, distinct authentication techniques are used to prevent intruders from accessing it. Authentication is, thus, the process of verifying the identity of a user as part of a system's access control to protect the information stored within it [1]. Various authentication techniques have been proposed in the literature, such as text passwords [2, 3], smart cards [4, 5], and biometrics [6–8]. All of the mentioned techniques belong to distinct authentication factors. An authentication factor is a piece of information that can be used to verify the identity of a user [9]. There are three main groups or factors of authentication techniques [10, 11]: (i) knowledge-based, that is, based on something that the user knows, such as text passwords; (ii) possession-based, that is, based on something that the user possesses, such as smart cards; and (iii) inherence-based, that is, based on something that the user is, such as biometrics. Two or more of these techniques can be combined to increase security, which is known as multifactor authentication [1].
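As an added example (not code from the chapter or its authors), the following Python sketch encodes the three-factor taxonomy described above: each technique is mapped to its factor, a candidate combination is labelled by the distinct factors it covers, and a set of proposed methods is tallied per factor combination. It goes beyond the chapter's wording in one respect: a combination counts as multifactor only when at least two distinct factors are present (the usual definition), so a password plus a PIN is treated as single-factor. The technique names and the technique-to-factor mapping are constructed assumptions.

```python
"""Factor classification of authentication techniques (assumed names, not the chapter's code)."""
from collections import Counter

# The three factors named in the chapter.
KNOWLEDGE, POSSESSION, INHERENCE = "knowledge", "possession", "inherence"
FACTOR_ORDER = (KNOWLEDGE, POSSESSION, INHERENCE)

# Constructed mapping from technique names to factors; extend as needed.
TECHNIQUE_FACTOR = {
    "text password": KNOWLEDGE,
    "pin": KNOWLEDGE,
    "graphical password": KNOWLEDGE,
    "smart card": POSSESSION,
    "otp token": POSSESSION,
    "usb device": POSSESSION,
    "fingerprint": INHERENCE,
    "face": INHERENCE,
    "iris": INHERENCE,
}


def factors_of(techniques):
    """Return the set of distinct factors covered by the given techniques.
    Raises KeyError for a technique that is not in the mapping."""
    return {TECHNIQUE_FACTOR[t.lower()] for t in techniques}


def combination_label(techniques):
    """Canonical label such as 'knowledge+possession' (fixed factor order)."""
    present = factors_of(techniques)
    return "+".join(f for f in FACTOR_ORDER if f in present)


def is_multifactor(techniques):
    """True only if at least two distinct factors are present.
    A password plus a PIN is two knowledge techniques, hence single-factor."""
    return len(factors_of(techniques)) >= 2


def tally_combinations(methods):
    """Count proposed methods per factor combination, the kind of distribution
    a literature review over multifactor proposals would report."""
    return Counter(combination_label(m) for m in methods)


if __name__ == "__main__":
    # Constructed sample of proposed methods.
    sample = [
        ["text password", "smart card"],
        ["pin", "fingerprint"],
        ["text password", "pin"],
        ["smart card", "iris", "text password"],
    ]
    for m in sample:
        kind = "multifactor" if is_multifactor(m) else "single-factor"
        print(m, combination_label(m), kind)
    print(tally_combinations(sample))
```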

*Computer and Network Security*


In this book chapter, to differentiate between single-factor and multifactor authentication techniques, the former will be referred to as **authentication schemes**, whereas the latter will be referred to as **multifactor authentication methods**.

*Multifactor Authentication Methods: A Framework for Their Comparison and Selection*

*DOI: http://dx.doi.org/10.5772/intechopen.89876*

Nowadays, the decision of what authentication scheme or method to implement in a software application resides with the software development team. However, the experience of the involved developers varies from team to team, which can affect the decision of what authentication technique to implement. Due to the importance of security [12], selecting the wrong authentication technique could potentially be a fatal mistake [13].

This situation creates the need for a method that systematizes the task of comparing and selecting authentication schemes and methods. A few frameworks in the literature partially help to achieve this [14, 15]; however, they either lack the characteristics required for application in distinct application contexts or do not consider all authentication techniques or multifactor authentication. Thus, this book chapter presents a decision framework that covers the observed gap. The framework was generated through the application of an action-research methodology [16]. This action-research was performed in collaboration with a multinational software development company and incorporates other research methodologies that support it.

The remainder of this book chapter is organized as follows. The methodology used for the research is presented in Section 2. Section 3 focuses on obtaining the knowledge base used for the research. In Section 4, the generated decision framework is presented. Section 5 consists of the validation of the framework. Finally, the conclusions and future work of the research are given in Section 6.

#### **2. Methodology**

This research was carried out within the scope of an action-research methodology applied for over a year in collaboration with a software development company. The objective of action-research is to provide a benefit for the research's "client" while also generating relevant "research knowledge" [16, 17]. This kind of collaboration makes it possible to study complex social processes, such as the use of information technologies in organizations, by introducing changes in them and observing their effects [18].

There are four roles involved in action-research [19]. These roles are as follows:

• The **researcher(s)** who undertake(s) the action-research. In this case, the researchers are the book chapter's authors.

• The **critical group of reference** that has a problem that needs to be solved and also participates in the research process. In this case, the critical group of reference is composed of the employees of the partnered software development company (PSDC).

• The **beneficiary** who can receive benefits from the research results, without directly participating in its process. In this case, the main beneficiary is the PSDC, but other software developers can also benefit from this research.

• The **studied object**, that is, the problem to solve. In this case, the studied object is the comparison and selection of authentication schemes and methods.

During the realization of this action-research, multiple activities were performed in conjunction with the PSDC. These activities helped to generate and validate the proposed decision framework, which addresses the need to automate the comparison and selection of authentication techniques. The activities followed the iterative process of action-research, which consists, for every cycle, of the following four phases [20]: (i) the planning phase, in which a research question to be answered through the iteration is formulated; (ii) the action phase, in which distinct research methodologies are applied to address the posed research question; (iii) the observation phase, in which the results of the interventions from the previous phase are processed; and (iv) the reflection phase, in which the researchers share their findings with the group of reference to generate feedback. It is also possible to perform this last phase transversally instead of cyclically [19], as was done in this action-research through weekly progress meetings.

In this work, the action-research methodology was applied over three cycles. The objective of the first cycle was to obtain the knowledge base required to create the framework. To achieve this, two strategies were applied: first, a systematic literature review (SLR) [21] was performed to gather the existing knowledge in the literature, and second, a number of surveys and interviews [16, 22] were conducted to learn the perceptions of the industry through the PSDC's employees. The second cycle was centered on the creation of the decision framework. During this cycle, an expert panel [23] was held to validate the initial draft of the framework. Finally, the third cycle focused on validating the final framework through the application of case studies [24].

#### **3. Identification of the knowledge base**

To construct the decision framework, it was necessary to obtain an adequate knowledge base on the topic at hand. To achieve this, two methodologies were applied. The first was a systematic literature review to identify the existing knowledge in related academic publications. The second was a survey and interviews (S&I) with employees of the PSDC to learn the perceptions of the industry. The combined use of these methods produced a knowledge base useful to both the academic and industrial sectors.

#### **3.1 Systematic literature review**

A systematic literature review was carried out with the objective of "identifying authentication schemes proposed in literature and their possible combinations for their use as multifactor authentication methods, while also detecting criteria used for their comparison and selection and the existence of frameworks that handle such a task." Based on this objective, the following four research questions were formulated:

1. Which are the main authentication schemes that exist in the literature?

2. What combinations of these schemes can be found that can be used as multifactor authentication methods?

3. What criteria can be used to compare and/or to select between authentication schemes and/or multifactor authentication methods?

4. Are there frameworks that help to compare and/or to select authentication schemes or multifactor authentication methods? What are their characteristics?

The planning and results of the SLR have already been published [25]. Additionally, a list of the publications accepted during the SLR can be found at http://colvin.chillan.ubiobio.cl/mcaro/. Next, a brief summary of the main results of the SLR for every research question is presented.

*3.1.2 Multifactor authentication methods*

Four hundred forty-two publications proposing the combination of two or more authentication schemes in a multifactor manner were identified. Their distribution among the distinct authentication factor combinations is shown in **Figure 2**. As for the previous research question, the context for which these methods were proposed was also recorded; this is presented in **Table 2**, including the publication's origin (journal article, conference article, or book chapter). In this case, 272 of the publications indicated a context.

**Figure 2.** *Publications proposing authentication methods for every factor combination.*

| Context | Journal | Conference | Book | Total |
|---|---|---|---|---|
| Remote authentication | 52 | 12 | 0 | 64 |
| Healthcare/telecare | 45 | 3 | 0 | 48 |
| Wireless sensor networks | 29 | 4 | 0 | 33 |
| Multi-server environment | 22 | 7 | 0 | 29 |
| Mobile environment | 10 | 11 | 0 | 21 |
| Cloud computing | 12 | 5 | 0 | 17 |
| Banking and commerce | 6 | 5 | 0 | 11 |
| Web applications | 5 | 6 | 0 | 11 |
| Wireless networks | 6 | 2 | 0 | 8 |
| USB devices | 1 | 5 | 0 | 6 |
| Insecure environment | 3 | 2 | 0 | 5 |
| Other contexts | 15 | 3 | 1 | 19 |
| Total | 206 | 65 | 1 | 272 |

**Table 2.** *Number of publications proposing authentication methods for every context.*

*3.1.3 Comparison and selection criteria*

Only 17 publications presented criteria for the comparison and selection of authentication schemes and methods. The criteria presented in the distinct publications can be categorized based on the kind of criteria proposed. Every publication
