
Trust has become a form of digital currency.
Every click, interaction and transaction now rests on a belief that the person on the other side is who they claim to be.
But as technology advances, so too do the threats that erode this trust.
An estimated 5.52 billion people use the internet worldwide, and the average internet user spends almost 7 hours online each day.
While progress fuels opportunity, it also feeds risk, with cyber incidents rising in frequency and severity.
In Q3 of 2024 alone, data breaches exposed more than 422 million records, with the total cost of an incident averaging $4.88 million.
Cybercriminals are exploiting systems as well as the humans behind them, leading us to question not just whether we can build walls high enough to keep attackers out, but whether we can truly know the users within.
This is the art of authentication.
It takes security beyond simple passwords and gives us a way to verify individuals in a landscape where identity is routinely misused.
Let's explore the risks that digital users are facing, what authentication is, and why it is an imperative next step for businesses (if done right).
Contents
- 123456 Reasons Passwords Are Failing Us
- Falling Hook, Line, and Sinker for Phishing
- How to Know Who’s Behind the Screen
- Authentication as a Spectrum
- Types of Authentication
- Next-Gen Authentication
- Where Should Authentication Be Used?
- Authentication and Compliance
- Doing Authentication the Right Way
123456 Reasons Passwords Are Failing Us
Digital passwords were introduced in 1961 by MIT professor Fernando Corbató, when he built the Compatible Time-Sharing System (CTSS), which allowed multiple users to access a single computer simultaneously.
To keep each user's files private, Corbató introduced the concept of a password that would grant access only to authorised users.
60 years later, our society, along with our digital capabilities, has evolved.
While passwords remain the first line of defence, in many cases they are no longer enough to fully secure devices, accounts, or communications.
- In 2022, over 24 billion passwords were exposed by hackers.
- Stolen, weak, or reused passwords are implicated in roughly 80% of hacking-related breaches.
- 45% of passwords can be cracked in less than a minute.
- 44% of internet users almost never change or reset their passwords.
Falling Hook, Line, and Sinker for Phishing
Digital security isn’t just about protecting data—but protecting people.
Social engineering attacks add another element of risk, exploiting human psychology and relying on manipulation rather than technical skill to breach defences.
By preying on trust and creating a false sense of urgency or authority, attackers can deceive individuals into sharing sensitive information or granting access to accounts.
These schemes often take the form of phishing emails, fake tech support calls, or fraudulent requests from “trusted” sources, making them highly effective and difficult to detect.
- 85% of recorded data breaches involve a human element.
- An estimated 3.4 billion phishing emails are sent daily.
- 94% of organisations were victims of phishing attacks in 2024.
- Businesses get over 1,100 social engineering attacks yearly.
How to Know Who’s Behind the Screen
As cyber threats grow more sophisticated, the question isn’t just how we protect digital systems, but who we’re protecting them from.
The threats of stolen credentials and social engineering have increased the need for greater degrees of security, with businesses needing a better way to verify identity.
Authentication is the process of confirming that a user is who they claim to be before granting access.
Unlike passwords, which can be guessed, stolen, or reused, modern authentication methods—such as multi-factor authentication (MFA), biometrics, and behavioural analysis—add layers of security that make unauthorised access far more difficult.
For businesses, this isn’t just about compliance or ticking security boxes—it’s about ensuring that the right people get in while keeping threats out.
Strong authentication builds confidence in every digital interaction without adding unnecessary friction.
In a world where cybercriminals are constantly adapting, businesses that fail to evolve their authentication strategies risk leaving a hole in their security.
Authentication as a Spectrum
Authentication isn’t a binary concept—it exists on a spectrum, much like authenticity itself.
Just as something can possess varying degrees of authenticity depending on its context, authentication can range from minimal verification to highly stringent security measures.
The level of authentication required should correspond to the sensitivity of the data being accessed and the potential consequences of a breach.
A routine login, such as accessing a personal social media account, may require only a simple password. (Security questions are sometimes used here too, but their answers are often public or guessable, so they add little real assurance.)
These methods, while not absolute, provide a reasonable degree of security for the context.
On the other hand, gaining access to highly sensitive financial records, classified government data, or critical infrastructure requires stronger, multi-layered authentication to establish a higher degree of certainty regarding the user’s identity.
Let’s explore the different levels of authentication and how they contribute to the overall spectrum of security.
Types of Authentication
Single-Factor Authentication (SFA)
Single-factor authentication (SFA) is the most basic form of identity verification.
It relies on a single credential (usually a password or PIN) to grant access.
While easy to implement and widely used, SFA is highly vulnerable to cyberattacks, including brute-force attacks, credential stuffing, and phishing—largely due to people reusing weak passwords across multiple applications.
Despite this, SFA remains the default for many online services.
Weaknesses of SFA:
- Easily compromised – Passwords can be easily guessed or stolen.
- No backup verification – If a password is exposed, an attacker gains full access.
Because of these weaknesses, SFA should be reserved for low-risk accounts, and even there it should be supplemented with controls such as rate limiting, breached-password screening, and alerts for logins from new devices.
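The two controls that most directly blunt credential stuffing and brute force are slow, salted password storage and screening new passwords against known breach corpora. The following is an added example written for this article, not code from the page or from Beyond Encryption. It hashes with PBKDF2-HMAC-SHA256 (a per-user random salt and the OWASP-recommended work factor) and screens passwords with the k-anonymity "range" protocol popularised by Have I Been Pwned: only the first five hex characters of SHA-1(password) leave the client. The range responses here are constructed for the example (the two suffixes are the genuine SHA-1 tails of "123456" and "password", the counts are made up); a real deployment would fetch them over HTTPS.

```python
import hashlib
import hmac
import os
from typing import Callable

# OWASP Password Storage Cheat Sheet (2023) work factor for PBKDF2-HMAC-SHA256.
DEFAULT_ITERATIONS = 600_000


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Salted, slow hash. A fresh random salt per user defeats precomputed tables;
    the iteration count makes offline cracking of a leaked database expensive."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


# Breached-password screening modelled on the Have I Been Pwned "range" API:
# the client sends only the first 5 hex characters of SHA-1(password) and the
# service answers with every matching 35-character suffix plus a breach count,
# so the password itself never leaves the client (k-anonymity).
# CONSTRUCTED sample responses: the first suffix under each prefix is the real
# SHA-1 tail of "123456" / "password"; the counts and the decoy line are made up.
CONSTRUCTED_RANGE_RESPONSES = {
    "7C4A8": "D09CA3762AF61E59520943DC26494F8941B:37000000\n"
             "0A1B2C3D4E5F60718293A4B5C6D7E8F9A0B:2\n",
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9000000\n",
}


def offline_range_lookup(prefix: str) -> str:
    """Stand-in for an HTTPS GET of https://api.pwnedpasswords.com/range/<prefix>."""
    return CONSTRUCTED_RANGE_RESPONSES.get(prefix, "")


def breach_count(password: str,
                 lookup: Callable[[str], str] = offline_range_lookup) -> int:
    """Return how many times the password appears in the breach corpus (0 = not seen)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup(prefix).splitlines():
        if ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.strip() == suffix:
            return int(count)
    return 0


def register(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Refuse passwords seen in breaches (they are the first guesses credential
    stuffing and brute-force tools make), then store a salted slow hash."""
    if len(password) < 8:
        raise ValueError("password too short")
    hits = breach_count(password)
    if hits:
        raise ValueError(f"password appears in {hits} breaches; choose another")
    return hash_password(password, iterations)


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        try:
            stored = register(pw, iterations=10_000)
            print(pw, "-> accepted; verifies:", verify_password(pw, stored))
        except ValueError as exc:
            print(pw, "->", exc)
```

The stored string carries the algorithm and iteration count, so the work factor can be raised later and old hashes upgraded on the user's next successful login.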
Multi-Factor Authentication (MFA)
Multi-factor authentication (MFA) significantly enhances security by requiring two or more independent verification factors before granting access.
These factors fall into three main categories:
- Something you know (password, security question)
- Something you have (a phone, authenticator app, or hardware token, usually proven with a one-time passcode or a cryptographic challenge)
- Something you are (fingerprint, facial recognition)
MFA greatly reduces the likelihood of unauthorised access.
Even if one factor is compromised (such as a stolen password), an attacker would still need the second factor, making breaches significantly more difficult.
Advantages of MFA:
- Blocks 99.9% of automated account compromise attacks, according to Microsoft's 2019 analysis of attacks on its own account base.
- Reduces the impact of phishing and credential theft. Note that one-time codes can still be relayed by real-time phishing proxies, so only phishing-resistant factors (FIDO2/WebAuthn security keys and passkeys) fully close that gap.
- Supports various implementations, from SMS codes (the weakest option, exposed to SIM swapping and interception) through authenticator apps to biometrics and hardware keys.
Adaptive Authentication
Adaptive authentication, also known as risk-based authentication, dynamically adjusts security requirements based on contextual factors.
Instead of treating every login attempt the same, it evaluates the circumstances surrounding each request, using machine learning and behavioural analytics to assess risk.
Factors That Are Considered During Adaptive Authentication:
- Device reputation: Has this device been used before?
- Location analysis: Is the login attempt coming from an expected location?
- Behavioural biometrics: Is the typing speed or mouse movement consistent with the user’s usual patterns?
- Time-based risk assessment: Is this an unusual time for the user to log in?
If an attempt appears low-risk (for example, a known device in a familiar location), the user may be granted access straight away.
However, if red flags appear (such as an unusual location or an unfamiliar device), additional authentication steps may be required.
Benefits of Adaptive Authentication:
- Enhances security without unnecessary friction, improving user experience.
- Reduces reliance on passwords, shifting towards behaviour-based security.
- Identifies anomalies in real time, stepping up or blocking a login before access is granted.
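The factors listed above can be turned into a concrete policy: score each signal, then map the total to allow, step-up (demand a second factor) or deny. The example below is added for this article and is not code from the page or any vendor product. It is a deliberately transparent rule-based scorer rather than the machine-learning model the text mentions, which lets the reasons for a decision be logged and audited. The weights and thresholds are assumptions, the login history is constructed, and "impossible travel" is computed from the great-circle distance between consecutive logins.

```python
import math
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Login:
    device_id: str
    country: str
    lat: float
    lon: float
    ts: int          # Unix seconds
    local_hour: int  # 0-23 in the user's usual timezone


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


MAX_PLAUSIBLE_KMH = 1000.0  # assumed: faster than an airliner between logins is "impossible travel"


def score_login(attempt: Login, history: List[Login]) -> Tuple[int, List[str]]:
    """Add up risk points for each contextual signal and explain each one."""
    score, reasons = 0, []
    if not history:
        return 40, ["no login history for this account"]
    if attempt.device_id not in {h.device_id for h in history}:
        score += 30
        reasons.append("unrecognised device")
    if attempt.country not in {h.country for h in history}:
        score += 25
        reasons.append(f"first login from {attempt.country}")
    if attempt.local_hour not in {h.local_hour for h in history}:
        score += 10
        reasons.append("unusual hour for this user")
    last = max(history, key=lambda h: h.ts)
    elapsed_h = max(attempt.ts - last.ts, 1) / 3600.0
    km = haversine_km(last.lat, last.lon, attempt.lat, attempt.lon)
    if km / elapsed_h > MAX_PLAUSIBLE_KMH:
        score += 50
        reasons.append(f"impossible travel: {km:.0f} km in {elapsed_h:.2f} h")
    return score, reasons


def decide(score: int) -> str:
    """Assumed thresholds: low risk passes, medium risk needs a second factor."""
    if score >= 60:
        return "deny"
    if score >= 30:
        return "step_up"
    return "allow"


# CONSTRUCTED history: one user, one laptop, London office hours over three days.
LONDON = (51.5074, -0.1278)
SINGAPORE = (1.3521, 103.8198)
T0 = 1_700_000_000
HISTORY = [
    Login("laptop-a1", "GB", *LONDON, T0 - 3 * 86400, 9),
    Login("laptop-a1", "GB", *LONDON, T0 - 2 * 86400, 13),
    Login("laptop-a1", "GB", *LONDON, T0 - 1 * 86400, 17),
    Login("laptop-a1", "GB", *LONDON, T0, 9),
]

# Three CONSTRUCTED attempts following the last historical login.
USUAL = Login("laptop-a1", "GB", *LONDON, T0 + 3600, 9)          # -> allow
NEW_DEVICE = Login("phone-z9", "GB", *LONDON, T0 + 7200, 13)     # -> step_up
FAR_TOO_FAST = Login("laptop-a1", "SG", *SINGAPORE, T0 + 1800, 17)  # -> deny

if __name__ == "__main__":
    for attempt in (USUAL, NEW_DEVICE, FAR_TOO_FAST):
        score, reasons = score_login(attempt, HISTORY)
        print(decide(score), score, reasons)
```

Logging the reasons alongside the decision matters as much as the decision itself: when a legitimate traveller is challenged, support staff can see why, and when a fraud case is reviewed, the signals that fired are already in the record.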
Next-Gen Authentication
As technology continues to evolve, two emerging methods are set to become big players within identity verification, offering enhanced security, convenience, and resistance to fraud.
Both NFC authentication and ID Document Challenges represent the next wave of authentication, moving beyond passwords and traditional multi-factor authentication.
NFC-Based Authentication
Near Field Communication (NFC) authentication is a technology that uses short-range wireless signals to verify identity.
It enables secure and contactless authentication by allowing devices to communicate when placed close together.
Benefits of NFC Authentication:
- Faster, more seamless authentication compared to traditional login methods.
- Stronger than passwords when the credential lives in a secure element: the private key never leaves the tamper-resistant chip, and the token only answers a challenge when physically presented. NFC itself is just the transport; a tag that merely broadcasts a static identifier offers none of this protection.
- Reduces phishing risk, since a device-bound credential cannot be typed into a fake login page or captured remotely.
NFC authentication is already used in biometric passports, mobile payments, and enterprise security access systems.
ID Document Challenge
The ID Document Challenge is an authentication method that leverages artificial intelligence to verify an individual's identity through official documents.
Benefits of ID Document Challenges:
- Enhanced fraud detection through deep learning algorithms that detect forgeries.
- Improved compliance with financial and security regulations (KYC, AML).
- Greater accessibility for users without requiring hardware like biometric scanners.
ID Document Challenges are increasingly used for remote onboarding, financial transactions, and access to high-security environments. A document check on its own proves that the document is genuine; binding it to the person presenting it normally requires a liveness check or a selfie match against the document photo.
Where Should Authentication Be Used?
We often think of authentication as something that happens when we log into an account—but in reality, it underpins far more than just usernames and passwords.
Every interaction in the digital world relies on trust: trust that an email is from a legitimate sender, trust that a payment is authorised, trust that a system is only accessible to those with the right permissions.
But trust alone is not enough.
Cybercriminals exploit weak identity controls to impersonate, manipulate, and infiltrate.
That’s why authentication must be embedded wherever verification is critical—across accounts, communications, transactions, and the very devices and infrastructure we rely on.
Without it, we are left guessing who is on the other side.
Let’s take a look at the specific areas where authentication should be used.
Accounts & Access Control
At its simplest, authentication is about making sure that users are who they say they are before granting access.
Whether it’s personal accounts, workplace systems, or high-stakes administrative credentials, a weak authentication process is a vulnerability that cyber criminals can exploit.
Everyday logins – From email and banking to social media and cloud storage, every account is a potential target for attackers. Strong authentication is the first line of defence.
Workforce security – Employees need seamless yet secure access to workplace systems, but without proper authentication, stolen credentials could lead to major breaches.
Privileged access – IT administrators, executives, and anyone with access to critical infrastructure require stricter authentication controls—otherwise, a single compromised account could be catastrophic.
Digital Communications
Communication is fundamental to how we do business, but without authentication, it’s also one of the easiest ways for attackers to deceive and exploit.
A well-crafted phishing email can be enough to trick even the most security-conscious individuals.
Email security – Email-based attacks and breaches remain one of the largest cyber threats, with attackers exploiting a lack of authentication to impersonate trusted contacts.
Email authentication protocols address the sending domain rather than the person: SPF lets a receiving server check that the message came from infrastructure the domain owner authorised, DKIM lets it verify a signature made with a key the domain owner controls (and that the signed content was not altered in transit), and DMARC requires one of those results to align with the visible From address and tells the receiver what to do when neither does. Secure email solutions with inbuilt encryption and recipient authentication add a check on the person reading the message.
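The DMARC decision described above is a small, deterministic computation once the receiving mail server has its SPF and DKIM results. The example below is added for this article and is not code from the page or from any mail product. It parses a DMARC record, applies strict or relaxed identifier alignment, and returns either "pass" or the disposition the domain owner requested. Assumptions: the record would normally be fetched from DNS as the TXT record at _dmarc.<domain> (here it is passed in as a string); the SPF result, the envelope sender domain and the DKIM d= results are taken as given, as a receiving MTA would report them in Authentication-Results; and the organisational-domain function uses the last two labels, a simplification that production code must replace with a Public Suffix List lookup.

```python
from email.utils import parseaddr
from typing import Dict, List, Tuple


def organizational_domain(domain: str) -> str:
    """Simplification: the last two labels. Production code must use the Public
    Suffix List so that e.g. 'example.co.uk' is treated as one organisation."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_dmarc_record(record: str) -> Dict[str, str]:
    """Parse the TXT record published at _dmarc.<domain>,
    e.g. 'v=DMARC1; p=reject; adkim=s; aspf=r'."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("p", "none")
    tags.setdefault("adkim", "r")  # relaxed alignment is the default for both
    tags.setdefault("aspf", "r")
    return tags


def aligned(authenticated_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s'): exact match. Relaxed ('r'): same organisational domain."""
    a, f = authenticated_domain.lower(), from_domain.lower()
    if mode.lower() == "s":
        return a == f
    return organizational_domain(a) == organizational_domain(f)


def header_from_domain(from_header: str) -> str:
    """Domain of the RFC 5322 From address, the identifier DMARC protects."""
    _, address = parseaddr(from_header)
    if "@" not in address:
        raise ValueError("no address in From header")
    return address.rsplit("@", 1)[1].lower()


def evaluate_dmarc(from_header: str, record: str, spf_result: str,
                   mail_from_domain: str,
                   dkim_results: List[Tuple[str, str]]) -> str:
    """Return 'pass', or the requested disposition ('none', 'quarantine', 'reject').

    spf_result / mail_from_domain: the MTA's SPF verdict and the RFC 5321.MailFrom domain.
    dkim_results: (d= domain, verdict) for each DKIM-Signature the MTA checked.
    """
    tags = parse_dmarc_record(record)
    from_domain = header_from_domain(from_header)
    spf_aligned = (spf_result == "pass"
                   and aligned(mail_from_domain, from_domain, tags["aspf"]))
    dkim_aligned = any(verdict == "pass" and aligned(d, from_domain, tags["adkim"])
                       for d, verdict in dkim_results)
    if spf_aligned or dkim_aligned:
        return "pass"
    policy = tags["p"].lower()
    return policy if policy in ("none", "quarantine", "reject") else "none"


if __name__ == "__main__":
    # CONSTRUCTED inputs. A spoof passes SPF and DKIM for the attacker's own
    # domain, but neither identifier aligns with the visible From address.
    record = "v=DMARC1; p=reject; aspf=r; adkim=r"
    print(evaluate_dmarc("Alerts <alerts@example.com>", record,
                         "pass", "bounce.example.com", []))                 # pass
    print(evaluate_dmarc("Alerts <alerts@example.com>", record,
                         "pass", "attacker.example",
                         [("attacker.example", "pass")]))                   # reject
```

The spoof case is the one worth noting: SPF and DKIM both "pass" for the attacker's domain, and it is only DMARC's alignment rule that ties those results back to the From address the recipient actually sees.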
Messaging & collaboration platforms – Business chat tools and shared workspaces often contain sensitive information, making it critical to verify who’s participating in the conversation.
Synthetic identity fraud, where attackers create fake personas using both real and fabricated data, is increasingly being used to infiltrate systems.
Over 80% of new account fraud can be attributed to synthetic identity schemes, with the average financial loss per confirmed case reaching over $15,000.
Authentication helps ensure that individuals using these platforms are who they claim to be, reducing the risk of impersonation by these fraudulent identities.
Voice & video calls – Virtual meetings and phone calls can be manipulated using deepfake technology and social engineering.
Authentication helps verify that participants are who they claim to be.
Transactions & Payments
Financial fraud is an industry in itself, with attackers constantly evolving their methods to bypass traditional security measures.
Strong authentication isn’t just about protecting money—it’s about maintaining confidence in every transaction, whether online or in-store.
Online & contactless payments – Simple passwords and PINs aren’t enough. Multi-factor authentication, biometric verification, and cryptographic security keys provide stronger defences against fraud.
E-commerce & retail – From customer accounts to loyalty points and digital wallets, authentication ensures that only the right user can access and use their funds.
Cryptocurrency & digital wallets – Unlike traditional banking, lost or stolen crypto assets are rarely recoverable.
Authentication plays a key role in preventing unauthorised access to digital wallets and transactions.
Devices & Infrastructure
As the number of connected devices grows, so does the attack surface.
Everything from corporate networks to smart home devices needs authentication to prevent unauthorised access and tampering.
Workplace & remote device security – With hybrid work now the norm, verifying employee devices before granting access to corporate networks is essential.
Internet of Things (IoT) Security – From smart thermostats to industrial control systems, IoT devices are vulnerable to attacks if authentication isn’t in place.
Healthcare & medical devices – Electronic health records, wearable tech, and even life-critical medical devices must be safeguarded against unauthorised access.
Critical infrastructure – National security assets, energy grids, and transport networks rely on authentication to prevent cyber threats from causing large-scale disruption.
Authentication and Compliance
For regulated businesses in the UK, robust authentication mechanisms (as well as other security protocols such as encryption) are not merely best practice but are mandated by various regulations.
The consequences of non-compliance can lead to legal action and financial penalties.
Data Protection Act 2018 & UK GDPR
Explicitly requires the implementation of "appropriate technical and organisational measures" to protect personal data (Article 32).
The ICO suggests that this be achieved through the use of robust encryption and recipient authentication.
FSMA 2000 & FCA Regulations
Under FSMA, financial institutions must adhere to the FCA’s operational resilience requirements.
The FCA mandates that firms have "effective systems and controls" in place to prevent data breaches and financial crime (SYSC 3.2.6R).
Network & Information Systems 2018
Applies to operators of essential services such as those in healthcare, transport, energy, and digital infrastructure.
These businesses must implement appropriate security measures to manage risks posed to network and information systems (Regulation 10).
Payment Services Regulations 2017 & PSD2
Requires payment service providers to manage the operational and security risks around customer data and transactions (Article 95) and to apply strong customer authentication when a customer accesses an account or initiates a payment (Article 97).
In practice that means multi-factor authentication to verify users’ identities, alongside encryption to protect payment data.
MiFID II
Financial institutions must implement effective risk management systems, including measures to secure IT infrastructure (Article 16).
This includes ensuring the confidentiality and integrity of data, preventing cyberattacks, and having robust business continuity plans.
DORA
An EU regulation, relevant to UK firms that operate in the EU or supply EU financial entities. Requires financial institutions to ensure operational resilience by implementing strong cybersecurity measures, including secure IT infrastructure, encryption, and continuous monitoring of systems (Articles 5, 6, 7).
Doing Authentication the Right Way
The type of authentication you need to utilise will always depend on the specific situation and the sensitivity of the data being protected.
Whatever the method, consumers have raised concerns about where their personal information is stored, who has access to it, and what happens if it is compromised.
Many authentication methods rely on centralised databases, which are attractive targets for hackers, raising serious privacy and security risks.
If organisations do not implement proper safeguards, they risk undermining user trust.
At the same time, authentication must remain user-friendly.
Complex security measures can slow down processes, leading to frustration and workarounds that weaken security—such as password reuse or disabling safeguards.
When authentication becomes too much of a burden, users may abandon secure platforms altogether in favour of less secure, but more convenient, alternatives.
The challenge for businesses is ensuring that security does not come at the cost of usability.
Ultimately, authentication must strike a delicate balance between robust security and seamless user experience.
The most effective solutions protect against cyber threats while minimising friction, ensuring that users feel safe without being overwhelmed by cumbersome verification processes.
FAQs
What Is the Difference Between Authentication and Encryption?
Authentication verifies that a user is who they claim to be. Encryption protects the content of data by scrambling it so that only authorised parties can read it.
Why Are Passwords Still Used If They Are So Vulnerable?
Passwords are simple and familiar, making them easy to implement. However, adding multi-factor authentication and other layers is critical for modern security needs.
How Do I Decide Which Authentication Method to Use?
Match the method’s strength to the risk level: single-factor (with compensating controls such as rate limiting and breached-password screening) for low-risk logins, and multi-factor or adaptive methods for higher-risk or sensitive applications.
Can Authentication Stop Social Engineering Attacks?
While authentication cannot prevent every social engineering tactic, stronger verification methods (like MFA or adaptive checks) help reduce the success rate of such attacks.
References
Number of Internet Users Worldwide From 2005 to 2024, Statista, 2024
Internet Usage Statistics – Facts About the World Wide Web, CurrentWare, 2024
Cybersecurity Stats: Facts And Figures You Should Know, Forbes, 2024
120+ Password Statistics 2024-2025: Insights Into Password Security and Hacking Trends, Sprinto, 2025
125+ Password Statistics To Inspire Better Security Practices in 2025, Secureframe, 2025
30+ Password Statistics You Need To Know in 2025, Astra, 2025
85% of Breaches Involve the Human Element, HelpNet Security, 2021
The Latest 2025 Phishing Statistics (Updated January 2025), AAG, 2025
The Rise of the Synthetic Identity: A Growing Threat in the Digital Age, Global Compliance Institute, 2024
One Simple Action You Can Take To Prevent 99.9 Percent of Attacks on Your Accounts, Microsoft, 2019
Reviewed by Sam Kendall, 24.02.2025, and Sabrina McClune, 25.02.2025
Originally posted on 25.02.2025
Last updated on 26.02.2025
Posted by: Paul Holland. Paul, CEO and Founder of Beyond Encryption, is an expert in digital identity, fintech, cybersecurity, and business. He developed Webline, a leading UK comparison engine, and now drives Mailock, Nigel, and AssureScore to help regulated businesses secure customer data.