*3.1.2 Multifactor authentication methods*

4.Are there frameworks that help to compare and/or to select authentication

The planning and results of the SLR have already been published in literature [25]. Additionally, a list containing the publications accepted during the SLR can be found in http://colvin.chillan.ubiobio.cl/mcaro/. Next, a brief summary of the main

A total of 515 publications regarding the proposal of authentication schemes were found. Their distribution among the authentication factors is as shown in **Figure 1**. Additionally, the context for which these schemes were proposed was recorded as well; this is presented in **Table 1**, including the publication's origin (journal article, conference article, or book chapter). It is important to mention that

schemes or multifactor authentication methods? What are their

results of the SLR for every research question is presented.

*Number of publications proposing authentication schemes for every authentication factor.*

*Number of publications proposing authentication schemes for every context.*

**Context Journal Conference Book Total** Mobile environment 38 43 0 81 Remote authentication 31 11 0 42 Healthcare/telecare 23 1 0 24 Multi-server environment 15 2 0 17 Continuous authentication 9 2 0 11 Wireless sensor networks 8 2 0 10 Cloud computing 3 4 2 9 Banking and commerce 2 6 0 8 Smart environment 2 5 0 7 Login protocols 5 0 0 5 Web applications 4 1 0 5 Other contexts 7 7 0 14 Total 147 84 2 233

only 233 of the publications indicated a context.

characteristics?

*Computer and Network Security*

*3.1.1 Authentication schemes*

**Figure 1.**

**Table 1.**

**90**

Four hundred forty-two publications proposing the combination of two or more authentication schemes in a multifactor manner were identified. Their distribution among the distinct authentication factor combinations is as shown in **Figure 2**. Similarly to the previous research question, the context for which these methods were proposed was recorded as well; this is presented in **Table 2**, including the publication's origin (journal article, conference article, or book chapter). In this case, 272 of the publications did indicate a context.

### *3.1.3 Comparison and selection criteria*

Only 17 publications presented criteria for the comparison and selection of authentication schemes and methods. The presented criteria in the distinct publications can be categorized based on the kind of criteria proposed. Every publication

#### **Figure 2.**

*Publications proposing authentication methods for every factor combination.*


#### **Table 2.**

*Number of publications proposing authentication methods for every context.*

considered one or more criteria categories; however, only three of them could be identified in more than one publication. The most identified categories of criteria are usability, security, and costs. The first two were identified in nine publications each, whereas the latter was found in five publications.

Moreover, it could be observed that most of these articles highly considered the importance of the use context for comparing and selecting schemes and methods. This was mainly done by the publication addressing specific contexts or considering the context itself as another criterion.

#### *3.1.4 Decision frameworks*

Eight decision frameworks that help in the comparison and selection of authentication schemes and methods were identified. Through the analysis of these frameworks, it could be observed that multifactor authentication is not often considered, whereas proposals that do consider it utilize a limited number of criteria. Thus, no decision framework that considered multifactor authentication and enough criteria for a detailed comparison and selection of authentication schemes and methods could be found.

*3.2.2 Multifactor authentication methods known by the respondents*

*Number of respondents that know each authentication scheme.*

*DOI: http://dx.doi.org/10.5772/intechopen.89876*

each multifactor authentication method.

**Table 3.**

**Table 4.**

**93**

For the second question, respondents were given a brief explanation about multifactor authentication. Afterward, they were asked what multifactor authentication methods they knew. The combination of text passwords and OTP was the most known among them. A total of 27 out of the 45 survey respondents answered this question. The complete results of this question can be observed in **Table 4**, which shows the number of survey respondents and interviewed people that know

**Combination Method Interviewees Survey respondents**

TP + SC 2 8 TP + MB 6 6 Others 0 1 **Total** 15 30

Others 0 3 **Total** 0 18

MB + B 0 3 SC + B 0 3 **Total** 0 12

TP + OTP + B 1 2 Others 0 2 **Total** 1 11

Knowledge + possession TP + OTP 7 15

Knowledge + inherence TP + B 0 15

Possession + inherence OTP + B 0 6

Knowledge + possession + inherence TP + SC + B 0 7

**Grand total** 16 71

*Number of respondents that know each authentication method.*

**Authentication scheme Interviewees Survey respondents**

Text passwords (TP) 10 40 Graphical passwords (GP) 1 20 Cognitive authentication (CA) 0 10 OTP (tokens) 7 38 Smart cards (SC) 3 24 Mobile-based (MB) 8 31 Biometrics (B) 5 30 Federated single sign-on (FSSO) 4 22 Proxy-based (PB) 1 8 Others 0 2

*Multifactor Authentication Methods: A Framework for Their Comparison and Selection*

#### **3.2 Survey and interviews**

A survey and interviews have been applied to the PSDC's employees with the objective of learning the perceptions of people from the industry regarding authentication and the comparison and selection of distinct schemes and methods. The interviews were realized as a pilot application of the survey. A total of 12 employees were interviewed. In addition, 45 valid responses, out of a sample of 83 people ranging from developers to project leads, were received through the survey. Out of the 57 respondents, over two thirds of them held a senior position in the PSDC, as well as having over 6 years of working experience.

Four main questions were posed to the respondents, whose contents can be summarized as follows:


In http://colvin.chillan.ubiobio.cl/mcaro/ it is possible to find the questionnaire used for the survey. A summary of the responses obtained for every question is provided next.

#### *3.2.1 Authentication schemes known by the respondents*

For this question, respondents were asked to mark from a list the authentication schemes that they knew. The most known schemes were text passwords, one-time passwords (OTP, tokens), and mobile-based authentication. All respondents answered this question. The complete results of this question can be observed in **Table 3**, which shows the number of survey respondents and interviewed people that know each authentication scheme.

*Multifactor Authentication Methods: A Framework for Their Comparison and Selection DOI: http://dx.doi.org/10.5772/intechopen.89876*


**Table 3.**

considered one or more criteria categories; however, only three of them could be identified in more than one publication. The most identified categories of criteria are usability, security, and costs. The first two were identified in nine publications

Moreover, it could be observed that most of these articles highly considered the importance of the use context for comparing and selecting schemes and methods. This was mainly done by the publication addressing specific contexts or considering

Eight decision frameworks that help in the comparison and selection of authen-

A survey and interviews have been applied to the PSDC's employees with the objective of learning the perceptions of people from the industry regarding authentication and the comparison and selection of distinct schemes and methods. The interviews were realized as a pilot application of the survey. A total of 12 employees were interviewed. In addition, 45 valid responses, out of a sample of 83 people ranging from developers to project leads, were received through the survey. Out of the 57 respondents, over two thirds of them held a senior position in the PSDC, as

Four main questions were posed to the respondents, whose contents can be

Q3. What authentication schemes or multifactor authentication methods have

Q4. What is the importance that you give to distinct factors when deciding what authentication scheme or method should be implemented in an application?

In http://colvin.chillan.ubiobio.cl/mcaro/ it is possible to find the questionnaire used for the survey. A summary of the responses obtained for every question is

For this question, respondents were asked to mark from a list the authentication schemes that they knew. The most known schemes were text passwords, one-time passwords (OTP, tokens), and mobile-based authentication. All respondents answered this question. The complete results of this question can be observed in **Table 3**, which shows the number of survey respondents and interviewed people

tication schemes and methods were identified. Through the analysis of these frameworks, it could be observed that multifactor authentication is not often considered, whereas proposals that do consider it utilize a limited number of criteria. Thus, no decision framework that considered multifactor authentication and enough criteria for a detailed comparison and selection of authentication schemes

each, whereas the latter was found in five publications.

well as having over 6 years of working experience.

Q1. What authentication schemes do you know?

*3.2.1 Authentication schemes known by the respondents*

that know each authentication scheme.

Q2. What multifactor authentication methods do you know?

you implemented in applications that you have developed?

the context itself as another criterion.

*3.1.4 Decision frameworks*

*Computer and Network Security*

and methods could be found.

**3.2 Survey and interviews**

summarized as follows:

provided next.

**92**

*Number of respondents that know each authentication scheme.*

## *3.2.2 Multifactor authentication methods known by the respondents*

For the second question, respondents were given a brief explanation about multifactor authentication. Afterward, they were asked what multifactor authentication methods they knew. The combination of text passwords and OTP was the most known among them. A total of 27 out of the 45 survey respondents answered this question. The complete results of this question can be observed in **Table 4**, which shows the number of survey respondents and interviewed people that know each multifactor authentication method.


#### **Table 4.**

*Number of respondents that know each authentication method.*
