**Table 9.**

*Computer and Network Security*

**Table 7.**

*Importance given to security and usability in distinct contexts by the respondents.*

| Context | Importance of security (%) | Importance of usability (%) |
| --- | --- | --- |
| Remote authentication, multi-server environment, cloud computing | 64.44 | 35.56 |
| Mobile environment | 45.56 | 54.44 |
| Healthcare/telecare | 57.78 | 42.22 |
| Wireless sensor networks | 63.33 | 36.67 |
| Banking and commerce | 73.33 | 26.67 |
| Web applications | 28.89 | 71.11 |

A complete description can be found in [26].

**4. The framework**

This section describes the decision framework constructed through the knowledge base acquired by using the methodologies presented above. It has been given the name of Kontun framework, which means "to enter foreign property" in Mapudungún, an indigenous language from Chile, which is what it aims to prevent. **Table 8** shows a summary of the main findings during the knowledge base gathering and their origin (either the SLR or the S&I).

**Table 8.**

*Summary of the acquired knowledge base.*

| | |
| --- | --- |
| Multifactor authentication | • Prevalence of the combination of knowledge- and possession-based authentication schemes (SLR, S&I) |
| Most reported knowledge-based schemes | • Text passwords (SLR, S&I) • Graphical passwords (SLR) |
| Most reported possession-based schemes | • Smart cards (SLR) • OTP (S&I) • Mobile-based (S&I) |
| Most reported inherence-based schemes | • Face biometrics (SLR, S&I) • Behavioral biometrics (SLR) • Palm print (SLR) • Fingerprints (SLR, S&I) • Vein biometrics (SLR) • Iris biometrics (SLR, S&I) |
| Most observed application contexts | • Mobile environment (SLR) • Remote authentication (SLR) • Multi-server environment (SLR) • Cloud computing (SLR) • Healthcare/telecare (SLR) • Wireless sensor networks (SLR) • Banking and commerce (S&I) • Web applications (S&I) |
| Comparison and selection criteria | • Criteria are mainly related to usability, security, and costs (SLR) • Identified criteria are valued positively by the industry (S&I) • High importance observed regarding application context (SLR, S&I) |

A summary of the constructed framework's characteristics is provided next.

First, the framework considers a number of criteria obtained from the knowledge base, divided among the three most observed categories: security, usability, and costs. Each criterion is then given distinct possible importance values and a weight based on the findings from the knowledge base. To illustrate the above

secure authentication methods should be implemented in the application, whereas a low SUV indicates that more usable authentication schemes or methods should be implemented in the application.


*Multifactor Authentication Methods: A Framework for Their Comparison and Selection*


*DOI: http://dx.doi.org/10.5772/intechopen.89876*


Having calculated the SUV and also considering the average value given to C, the framework is able to provide a suggestion on what authentication schemes or methods to implement in the evaluated application. The recommendation is as follows: for a SUV of 65 or higher, the framework will suggest the implementation of highly secure authentication methods; for a SUV of 35 or lower, the framework will suggest the implementation of highly usable authentication schemes; and for a SUV between 35 and 65, the framework will suggest the implementation of averagely secure and usable authentication methods. Moreover, for a value of C of 60 and above, the framework will suggest the implementation of more affordable authentication schemes or methods; for a value of C below 60, the framework will suggest the implementation of more expensive authentication schemes or methods. The recommendations are also different based on the target Ct. Thus, for every Ct, the framework will give six possible recommendations based on the calculated SUV and C. **Table 10** illustrates the above framework for the context of mobile environment.

Finally, the person utilizing the framework must decide the authentication scheme or method to implement in their application, taking into consideration the recommendations given by the framework.

#### **4.1 Tool prototype**

To facilitate the use of the framework in software development environments, a tool prototype has been constructed that allows its utilization in a semiautomatic manner. This tool has also supported the validation process of the framework. With the tool prototype, the person in charge only needs to indicate the evaluated application's features and target context through a radio form. Afterward, the tool prototype automatically calculates the values of average S, U, and C and the SUV. The tool prototype is available for download at http://colvin.chillan.ubiobio.cl/mcaro/.


#### **Table 10.**

*Recommendation given by the framework for the context of mobile environment.*

*SUV* ≥ 65, *C* < 60

*SUV* ≥ 65, *C* ≥ 60

35 < *SUV* < 65, *C* < 60

35 < *SUV* < 65, *C* ≥ 60

*SUV* ≤ 35, *C* < 60

*SUV* ≤ 35, *C* ≥ 60

Graphical passwords + smart cards + behavioral biometrics

Text passwords + smart cards + behavioral biometrics; Text passwords + smart cards + face biometrics

Text passwords + OTP + behavioral biometrics; Graphical passwords + OTP + behavioral biometrics; Graphical passwords + OTP + face biometrics

Graphical passwords + behavioral biometrics

Text passwords + palm print/fingerprints

Text passwords + behavioral biometrics; Text passwords + smart cards

OTP + behavioral biometrics

Graphical passwords + OTP

Behavioral biometrics; Graphical passwords; Face biometrics; Palm print/fingerprints

Behavioral biometrics; Text passwords; Graphical passwords

The tool prototype has been developed using the model view controller (MVC) design pattern, with the Java programming language and supported by the Spring Framework. PostgreSQL has been used as the database management system.

The main screens of the tool prototype can be observed in **Figures 5–7**. They show the procedures for the criteria selection, the context selection, and the framework's recommendation, respectively.


#### **Figure 5.**

*Criteria selection in the tool prototype.*


#### **Figure 6.**

*Context selection in the tool prototype.*


#### **Figure 7.**

*Framework's recommendation in the tool prototype.*

The tool prototype also has additional features that facilitate its use in software development companies. Specifically, it has a user registration feature which allows maintaining a registry of its usage and a functionality for adapting its preferences based on the software development company's needs.

the PSDC. Specifically, the framework's recommendations were compared with the authentication schemes or methods implemented in existing applications developed by the PSDC or with the recommendations that their experts would give for hypothetical situations. The case studies are described in detail in [26]. Next, a brief summary of their application is provided.

The case studies are split in three categories: (i) those that were realized by comparing the framework's recommendation against the implemented scheme or method on an existing application, (ii) those that were realized by comparing the framework's recommendation against the recommendations given by experts for hypothetical applications, and (iii) those that were realized by comparing the framework's recommendation against the implemented scheme or method on an existing application and also against the recommendation given by experts for hypothetical applications with nearly the same features as the existing ones. These case studies are presented in **Tables 11–13**, respectively, presenting the implemented scheme or method in the existing application, the framework's recommendation, the most recommended scheme or method by the experts, and the acceptance rate of the framework's recommendation, as appropriate.

In general, the results of the case studies are favorable for the framework. It is important to mention that, where discrepancies are observed, there was often a reasoning behind them. For example, for case study 3 (existing application), the implemented scheme was demanded by the client and not selected by the software development team.

**Table 11.**

*Case studies based on existing applications.*

**ID Implemented scheme or method Framework's recommendation**

1 Two-factor authentication (text passwords + smart cards)

2 Two-factor authentication (text passwords + mobile-based)

3 OTP (demanded by client) Behavioral biometrics

**Table 12.**

*Case studies based on hypothetical applications.*

**ID Experts' recommendation Framework's recommendation Acceptance rate of framework's recommendation**

4 Two- or three-factor authentication

5 Text passwords Two-factor authentication

**Table 13.**

*Case studies based on existing applications with a hypothetical counterpart.*

**ID Implemented scheme or method Experts' recommendation Framework's recommendation Acceptance rate of framework's recommendation**

6 Two-factor authentication

7 Text passwords Two-factor authentication

Three-factor authentication

Text passwords Text passwords 100%

Two-factor authentication

Three-factor authentication (text passwords + OTP + behavioral biometrics)

Two-factor authentication (text passwords + mobile-based)

100%

80%

90%
