Navigating Modern Authentication: A Comparative Analysis of TOTP, OAuth2, SAML, and Emerging Protocols

This post is going to be a bit technical, but I will keep it at a reasonably high level, so please stay with me for a moment. It provides an overview of multi-factor authentication, which anyone whose job touches technology, even marginally, should be familiar with.

Organisations must implement multi-factor authentication to comply with Cyber Essentials, PCI DSS, NIST 800-171, and countless best practices related to GDPR, ISO 27001, and HIPAA. Regulatory requirements for financial institutions likewise take the multi-factor authentication approach into account. Relying solely on passwords is not wise in the current risk environment.

Using passwords is considered so insecure that modern techniques involve even passwordless authentication.

Two-factor authentication (2FA) adds an extra layer of security, and understanding the nuances of different 2FA methods is crucial for implementing the most effective security measures. In this article, I dive into various multi-factor authentication approaches, comparing their features, use cases, and security implications.


This article is a starting point if you are making a decision about implementing strong authentication into the application you want to build or if you’re going to review available options.

Understanding Two-Factor Authentication (2FA)

Two-factor authentication enhances security by requiring users to provide two different authentication factors before granting access:

1. Something you know: A password or PIN.

2. Something you have: A physical device like a smartphone or hardware token.

3. Something you are: Biometric data such as fingerprints or facial recognition.

Implementing 2FA reduces the risk of unauthorised access, even if one factor is compromised.

Techniques used for 2FA include:

  1. Time-Based One-Time Passwords (TOTP)
  2. OAuth2 with OpenID Connect
  3. Security Assertion Markup Language (SAML)
  4. FIDO2/WebAuthn

Time-Based One-Time Password (TOTP)

TOTP is a two-factor authentication method that generates a temporary passcode based on the current time. Applications like Google or Microsoft Authenticator use it, and it is widely adopted for securing logins.

  1. A shared secret key is generated and stored on the server and the user’s device.
  2. The device generates a time-sensitive, one-time password that the user enters along with their usual login credentials.
  3. The server verifies the code, granting access if correct.
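The three steps above map directly onto RFC 6238. The following is an added example (not code from the original article) of what the device and the server each compute: HMAC-SHA1 over the current 30-second time step, truncated to six digits, and a server-side check that tolerates one step of clock drift, compares in constant time, and refuses to accept the same step twice. The 20-byte secret used in the demo is the RFC 6238 reference key, not a value from the article; the `used_steps` replay cache is an assumption about how the server stores per-user state.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional, Set

# RFC 6238 TOTP, built on the RFC 4226 HOTP truncation. Defaults match what
# Google/Microsoft Authenticator expect: SHA-1, 6 digits, 30-second steps.
TIME_STEP = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: Optional[int] = None, step: int = TIME_STEP) -> str:
    """TOTP: HOTP with the counter set to floor(unix_time / step). This is what the
    authenticator app on the user's phone computes, offline."""
    now = int(time.time()) if at_time is None else at_time
    return hotp(secret, now // step)


def verify_totp(secret: bytes, submitted: str, at_time: Optional[int] = None,
                window: int = 1, used_steps: Optional[Set[int]] = None) -> bool:
    """Server-side check.

    - Accepts codes from `window` steps either side of now to tolerate clock drift.
    - Compares in constant time so a wrong guess leaks no timing information.
    - Refuses to accept a step that was already used (replay protection); the
      caller keeps `used_steps` per user, e.g. in the session store (assumed).
    """
    now = int(time.time()) if at_time is None else at_time
    current_step = now // TIME_STEP
    for delta in range(-window, window + 1):
        step = current_step + delta
        if used_steps is not None and step in used_steps:
            continue
        if hmac.compare_digest(hotp(secret, step), submitted):
            if used_steps is not None:
                used_steps.add(step)
            return True
    return False


def secret_from_base32(encoded: str) -> bytes:
    """Decode the base32 secret shown in the enrolment QR code (otpauth:// URI)."""
    cleaned = encoded.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


if __name__ == "__main__":
    # Demo secret: the RFC 6238 reference key, ASCII "12345678901234567890".
    demo_secret = b"12345678901234567890"
    print("code at t=59:", totp(demo_secret, at_time=59))  # 287082 (RFC 6238 test vector)
    print("accepted:", verify_totp(demo_secret, "287082", at_time=59))
```

The drift window is the knob that trades usability against exposure: each extra step doubles the number of codes the server will accept at any moment, so keep it at one step and fix the clocks instead of widening it.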

It offers several benefits that make it the easiest of these solutions to implement. Some notable advantages are:

  • Low-cost and easy to implement - It’s simple to deploy across various applications.
  • Offline functionality - codes are generated without needing an active internet connection.

However, the above benefits come at a cost:

  • Dependent on devices - if users lose their device (phone), recovery can be cumbersome.
  • It is not scalable for Single Sign-On (SSO): it cannot serve as a universal authentication method, and TOTP doesn’t support advanced identity federation needs.

What is the best use case? It is ideal for businesses looking for quick and effective two-factor authentication for logins, especially for internal systems or as a second layer for customer-facing applications.

OAuth2 (With OpenID Connect)

It allows users to have a single set of credentials and use them to access many different services; this is why it is called single sign-on (SSO).

OAuth2 is widely used for this delegated access, allowing a third-party application to access resources on a user’s behalf without the user exposing their credentials to it. When extended with OpenID Connect (OIDC), OAuth2 also handles authentication.

  1. The user logs into an identity provider (like Google or Facebook).
  2. OAuth2 issues tokens that allow third-party applications to access user data or verify identity.
  3. These tokens are time-limited and can be refreshed, enabling fine-grained access control.

It carries a higher degree of complexity; however, it offers several new benefits:

  • OAuth2 provides single sign-on (SSO) across multiple apps with minimal user friction, resulting in a comfortable and convenient experience. Token scopes limit the data shared between applications, improving security by not exposing actual credentials to third parties.
  • Suitable for web, mobile, and cloud-based environments.

And again, those benefits come with some trade-offs:

  • OAuth2’s various grant types and flows can make it challenging to set up correctly.
  • If tokens are improperly stored or transmitted, they can be stolen, leading to unauthorised access; a misconfigured deployment exposes the organisation to exactly this risk.

When to use it? It is excellent for businesses providing cloud-based services or mobile apps, primarily when users must authenticate across different applications using a single set of credentials. Cloud service providers may offer it for the benefit of their customers.

Security Assertion Markup Language (SAML)

SAML is an XML-based protocol primarily used to enable single sign-on (SSO), allowing users to log in once and access multiple systems within an organisation.

  1. The user requests access to a service.
  2. The service provider redirects the user to an Identity Provider (IdP) for authentication, such as Google, Office365, or others.
  3. The IdP verifies the user’s credentials and sends a SAML assertion back to the service provider, granting access.

SAML is a well-established, secure protocol with extensive documentation and support that is widely adopted across large organisations to link internal systems.

Those benefits come at an additional cost:

  • Implementing SAML requires deep technical expertise and is resource-intensive.
  • While great for web-based systems, SAML doesn’t work as well in mobile environments compared to OAuth2.

This is best for large enterprises that need SSO capabilities across multiple internal systems or platforms, especially in traditional IT environments.

FIDO2/WebAuthn

FIDO2 and WebAuthn are the latest standards in passwordless authentication, using cryptographic keys for authentication instead of passwords or codes. Users authenticate using biometrics (like fingerprint or facial recognition) or physical security keys.

  1. The user registers a device with the service by generating a public/private key pair.
  2. During authentication, the user’s device proves ownership of the private key via biometrics or a security key without exposing it to the server.
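Step 2 is what makes FIDO2 phishing-resistant, and the reason is visible in the data the relying party receives: the browser, not the user, writes the page origin into clientDataJSON, and the authenticator hashes the relying-party ID into authenticatorData. The following is an added example (not code from the original article or from any WebAuthn library) of the relying-party checks that need no public key: ceremony type, challenge, origin, rpIdHash, user-presence and user-verification flags, and the signature counter. It assumes the final step, verifying the signature over authenticatorData plus sha256(clientDataJSON) with the credential's stored public key, is done by a cryptography library once these pass; the RP ID, origin and challenge values are constructed.

```python
import hashlib
import hmac
import json
import struct

# authenticatorData layout (WebAuthn): rpIdHash[32] | flags[1] | signCount[4, big-endian] | ...
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified (biometric or PIN on the authenticator)


def build_authenticator_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """What the authenticator emits (constructed here so the example is self-contained)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


def build_client_data(challenge_b64url: str, origin: str) -> bytes:
    """What the browser emits as clientDataJSON for navigator.credentials.get()."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge_b64url, "origin": origin}).encode()


def check_assertion(client_data_json: bytes, authenticator_data: bytes,
                    expected_challenge: str, expected_origin: str, rp_id: str,
                    stored_sign_count: int, require_uv: bool = True) -> int:
    """Relying-party checks from the WebAuthn assertion verification procedure that
    do not need the credential's public key. Returns the new sign counter to store.
    The signature check over authenticatorData || sha256(clientDataJSON) is assumed
    to follow in a crypto library."""
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        raise ValueError("wrong ceremony type")
    if not hmac.compare_digest(str(client.get("challenge", "")), expected_challenge):
        raise ValueError("challenge mismatch (stale or replayed response)")
    # Origin binding: a look-alike site produces a different origin, so a response
    # captured on a phishing page never validates here.
    if client.get("origin") != expected_origin:
        raise ValueError("origin mismatch")
    if len(authenticator_data) < 37:
        raise ValueError("authenticatorData too short")
    rp_id_hash, flags = authenticator_data[:32], authenticator_data[32]
    sign_count = struct.unpack(">I", authenticator_data[33:37])[0]
    if rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        raise ValueError("rpIdHash mismatch")
    if not flags & FLAG_UP:
        raise ValueError("user presence not asserted")
    if require_uv and not flags & FLAG_UV:
        raise ValueError("user verification required but not performed")
    # When the authenticator keeps a counter, it must strictly increase; a stall or
    # regression is the standard signal of a cloned authenticator.
    if (sign_count or stored_sign_count) and sign_count <= stored_sign_count:
        raise ValueError("sign counter did not increase")
    return sign_count


def assertion_checks_pass(*args, **kwargs) -> bool:
    try:
        check_assertion(*args, **kwargs)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed round trip for rp_id "example.com" on its login origin.
    ad = build_authenticator_data("example.com", FLAG_UP | FLAG_UV, 7)
    cd = build_client_data("constructed-challenge", "https://login.example.com")
    print("new counter:", check_assertion(cd, ad, "constructed-challenge",
                                          "https://login.example.com", "example.com", 6))
```

Treat a counter failure as a security event for that credential, not as a user error: the fix is to revoke the credential and re-enrol, since one of the two devices that share its key is not the user's.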

The main benefits of this solution include the following:

  • Passwordless: eliminates the need for passwords entirely, reducing phishing risk.
  • High security: Resistant to phishing and man-in-the-middle attacks thanks to cryptographic security.
  • Convenience: User-friendly, especially with biometric login options.

However, the potential costs of these benefits need to be considered:

  • Requires hardware keys or devices capable of biometric authentication, which could involve upfront investment.
  • While growing, FIDO2/WebAuthn adoption is still in its early stages, requiring user education and a transition from traditional methods.

Best Use Case: Best for organisations looking to enhance security through passwordless login options, especially where phishing is a significant concern or user convenience is paramount.

Comparison of Multi Factor Authentication methods

Key Takeaways for Business Leaders

Assess Your Business Needs:

  • If you’re looking for quick security wins for logins, TOTP is simple and effective.
  • OAuth2 with OpenID Connect offers a highly scalable and secure solution for cloud services and mobile apps.
  • Large enterprises with SSO needs across various internal platforms should look to SAML.
  • If you aim for passwordless authentication, especially in high-security or consumer-centric applications, FIDO2 is the future-proof solution.

Consider User Experience:

Security shouldn’t be an obstacle to productivity. Solutions like OAuth2/OIDC and FIDO2 offer seamless user experiences that can improve internal efficiency and customer satisfaction, reducing friction and enhancing security.

Think Long-Term:

Authentication technology is evolving rapidly. While solutions like TOTP are now cost-effective, FIDO2 and OAuth2/OIDC are better suited for the future, offering more robust security and flexibility as your business grows.

Conclusion: Picking the proper authentication for your case

Choosing the right authentication technology is crucial for protecting your organisation from security threats while ensuring ease of use for employees and customers. Whether you need quick two-factor authentication or are planning a shift to passwordless security, the key is aligning your authentication strategy with immediate and long-term business needs.

By understanding the pros and cons of TOTP, OAuth2, SAML, and FIDO2, you can make informed decisions that reduce security risks while empowering users with more efficient, user-friendly authentication methods.

Nikant Sharma

Network and Cloud Security Engineer | Broadcom NetOps CA Performance Center | Linux System Administrator | Fortinet NSE 3 | Palo Alto Prisma Cloud and SASE - Associate | Aws Solutions Architect- Associate

2 months

Very interesting and a genuinely insightful write up professor!
