What determines the effectiveness of the authentication process?

Authentication is analogous to using a key to open a lock, and by extension, multi-factor authentication is similar to protecting the property with multiple locks. With cyber attacks and data breaches becoming a growing risk, the question is no longer "should we use multiple locks to protect our property" but "how do we combine different locks so that together they form the best safeguard for our property".

As mentioned in previous articles, authentication is the process of ensuring that access to a system is granted only to the user who actually requested it. A network service should be used by the correct, authorized user, and it must make an effort to detect and deny access to unauthorized users. Today, as the number of smart-device users and electronic services grows rapidly, the demand for authenticating users to protect intellectual property, data privacy, payment details, and other sensitive information is urgent and important.

What determines the effectiveness of the authentication process?

The answer is the Authentication Server (AS), which handles authentication of an entity that attempts to access a network. Each AS sits between the front-end (the user-friendly interface that most users see) and the back-end server (the brain of the system, responsible for analyzing, comparing and authenticating credentials to decide whether the user may be allowed into the system). The back-end server is the deciding factor that dictates the accuracy, seamlessness, and effectiveness of the AS. When something sudden and unexpected happens, such as a huge number of users sending requests at the same time or one part of the server going down, the back-end server is responsible for ensuring the entire service keeps functioning as normal.

An AS is considered effective if it meets the minimum requirements below:


- Authentication accuracy: Of course, an AS has to satisfy this requirement, as no one will trust an AS that wrongly authenticates users. Regardless of 1FA or MFA, the AS must bind the right credentials to the right user. With rapid development in authentication technology, an AS must be upgraded regularly to authenticate not only username and password but also newer credentials based on biometrics (e.g. fingerprint, iris, vein or gait) and to use increasingly sophisticated algorithms to strengthen the security of the system.

- Complies with international standards: An AS must meet the international standards on authentication, such as OATH OCRA (OATH Challenge-Response Algorithm, RFC 6287) for generating OTPs, standards on the required length and complexity of encryption keys, data encryption, OTP and RSA key length, and many other advanced standards. In Vietnam, there are standards that an AS must comply with when generating OTPs according to Decision No. 630/QD-NHNN and Circular No. 35/2016/TT-NHNN, amended and supplemented by Circular No. 35/2018/TT-NHNN, on safety and confidentiality in the provision of banking services on the internet.

- Fast processing time: Authentication verifies the user's credentials before the user is authorized to access anything, so the authentication process must have fast processing and response times and keep lag to a minimum, both to provide the best user experience and to avoid losing customers who are impatient with waiting.


- High availability (HA): A high-end AS must anticipate the risks and errors that can occur in the future and prepare plans for backup devices, data, supply and many other considerations so that it is ready for any potential incident. The AS must ensure that no incident affects the user experience or compromises the security of the system and user data.

By satisfying the four requirements above, the AS can be the foundation for an effective and safe authentication step without compromising user experience. In addition, depending on their specific needs in relation to these requirements, customers can find out what other factors they need to consider when choosing an AS to implement in their system, so as to optimize their budget and even use the AS to increase their own customers' trust in them.
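The standards requirement above names OATH OCRA (RFC 6287) as the way an AS generates OTPs in challenge-response form. The following is an added example, not code from this page or from TAS: a minimal Python implementation of the numeric-challenge OCRA suites (OCRA-1:HOTP-SHA*-digits:QNnn) built on the RFC 4226 HOTP truncation step, together with the two server-side operations an AS performs, issuing an unpredictable challenge and checking the token's response in constant time. The function names and the demo key are assumptions of this example; the key is the 20-byte "standard" test key the RFCs use, not a real secret.

```python
"""Challenge-response OTP in the style of OATH OCRA (RFC 6287).

Added example: covers the OCRA-1:HOTP-SHA{1,256,512}-<digits>:QN<nn> suites
(numeric challenge only) and the RFC 4226 HOTP primitive they build on.
Function names and DEMO_KEY are this example's own, not a vendor API.
"""
import hashlib
import hmac
import secrets

HASHES = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}

# Constructed demo key: the 20-byte "standard" key RFC 4226 / RFC 6287 use for
# their test vectors. A real AS keeps a random per-token secret in an HSM or
# encrypted store; never reuse a published key.
DEMO_KEY = b"12345678901234567890"


def dynamic_truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 section 5.3: take 31 bits at an offset chosen by the MAC's last nibble."""
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """Counter-based OTP (RFC 4226); OCRA replaces the counter with a richer DataInput."""
    mac = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    return dynamic_truncate(mac, digits)


def parse_suite(suite: str):
    """Parse 'OCRA-1:HOTP-<hash>-<digits>:QN<len>'; refuse suites this example does not cover."""
    algorithm, crypto, data_input = suite.split(":")
    if algorithm != "OCRA-1":
        raise ValueError("unsupported OCRA version")
    mode, hash_name, digits = crypto.split("-")
    if mode != "HOTP" or hash_name not in HASHES:
        raise ValueError("unsupported crypto function")
    if not (data_input.startswith("QN") and len(data_input) == 4):
        raise ValueError("only numeric-challenge suites (QNnn) are handled here")
    return HASHES[hash_name], int(digits), int(data_input[2:])


def ocra(key: bytes, suite: str, question: str) -> str:
    """Token side: response to a numeric challenge.

    DataInput = suite || 0x00 || Q, where Q is the decimal challenge rendered as
    upper-case hex and right-padded with zeros to 128 bytes (RFC 6287 section 5.1).
    """
    hash_fn, digits, max_q = parse_suite(suite)
    if not question.isdigit() or len(question) > max_q:
        raise ValueError("challenge must be numeric and at most %d digits" % max_q)
    q_hex = format(int(question), "X").ljust(256, "0")
    msg = suite.encode("ascii") + b"\x00" + bytes.fromhex(q_hex)
    return dynamic_truncate(hmac.new(key, msg, hash_fn).digest(), digits)


def new_challenge(suite: str) -> str:
    """AS side: a challenge from a CSPRNG, so a response cannot be precomputed or replayed."""
    _, _, max_q = parse_suite(suite)
    return "".join(str(secrets.randbelow(10)) for _ in range(max_q))


def verify_response(key: bytes, suite: str, question: str, response: str) -> bool:
    """AS side: recompute the expected response and compare in constant time."""
    try:
        expected = ocra(key, suite, question)
    except ValueError:
        return False
    if not response.isascii():
        return False
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    suite = "OCRA-1:HOTP-SHA1-6:QN08"
    challenge = new_challenge(suite)               # AS sends this to the user's token
    response = ocra(DEMO_KEY, suite, challenge)    # token computes and shows this
    print(suite, challenge, response, verify_response(DEMO_KEY, suite, challenge, response))
```

Running the block prints one challenge/response pair and the verification result. For a conformance check, compare the outputs against the test vectors in Appendix C of RFC 6287 (same 20-byte key, suite OCRA-1:HOTP-SHA1-6:QN08), and the HOTP outputs against the table in RFC 4226. The two points an AS reviewer should look for are visible here: the challenge comes from `secrets`, not a predictable counter or timestamp, and the server compares with `hmac.compare_digest` rather than `==`, so response checking does not leak digit-by-digit timing.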

One of the leading Authentication Servers, TurnSteel (TAS), is designed to meet the stringent security and high-availability specifications of government and financial institutions for digital identification. It has been deployed and currently provides both one-factor authentication (1FA) and two-factor authentication (2FA) login for various web portals, Virtual Private Networks (VPN), operating systems, network devices and email in government, financial institutions and online healthcare services. TAS supports both 1FA and 2FA operations using a variety of digital tokens, such as hardware tokens, software tokens, mobile SMS one-time passwords (OTP) and digital certificates.

TAS can also integrate with existing user identity stores (for example, Windows Active Directory) to enable a seamless login experience for users and application developers. TAS simplifies IT operations with a fault-tolerant design that supports regular system maintenance without authentication service downtime. Its self-service, user-friendly management dashboard can generate various authentication transaction reports and lets users search for specific transaction records.

More about TAS here

References:

1. https://tools.ietf.org/html/rfc6287
2. Decision No. 630/QD-NHNN promulgating the plan for application of security measures to online payment and card payment.
3. Circular No. 35/2016/TT-NHNN on safety and confidentiality over the provision of banking services on the internet, amended by Circular No. 36/2018/TT-NHNN.