Multifactor Authentication

2FA and 2SV

We’re all used to using passwords as an authenticator. However, passwords have a number of problems. In particular, people tend to re-use them on other sites (so if one website is broken into, the password used there may also work on another site). Passwords are also susceptible to replay attacks (even if you force a password change every 90 days, there’s still a large window of time where a stolen password can be used).

To mitigate this risk, a second factor may be used.

What is multi-factor authentication?

Typically we look at authentication tokens as being classed in one of three ways. Colloquially these are termed:

  1. Something you know. Typically this is a password
  2. Something you have. Maybe a physical token of some form
  3. Something you are. This is a form of biometric, such as a fingerprint

These are sometimes jokingly referred to as “something you’ve forgotten; something you’ve lost; something you’ve had chopped off”.

Multi-factor authentication is where 2 or more different factors are used. The “different” part is important. If, for example, we used two passwords (two “something you know” factors) then we are not any stronger than if we forced one larger password.

e.g. if password1 was “hello” and password2 was “there” then we have the same as if we only had “hellothere” as the password. Indeed, depending on the implementation, it may be weaker!

You probably already use two factor authentication in your every day life; each time you go to the ATM to withdraw cash you are presenting two factors:

  • Something you know (the PIN)
  • Something you have (the card you enter into the machine).

Two Factor Authentication (2FA)

Here you present two factors to the system. Both of these factors are checked, and if you’ve entered them correctly then you are let in.

Critically, for 2FA, if you get either factor wrong then you are not told which factor is wrong.

Weaker 2FA

This is very similar to 2FA, but the two authenticators are checked separately and you are told which one is wrong. This is weaker than 2FA because each factor can be attacked separately.

An example of this might be a web site where you are asked to enter your password. If you get your password correct then you are asked to enter a PIN, but if you get the password wrong then you are told to re-enter the password. You can keep on attacking the password until you are asked for a PIN; once you get the PIN prompt you know the password is correct.

To complicate things slightly, sites such as the AWS web console ask for passwords and PINs separately, but they always ask for the PIN whether you get the password correct or not, so this is, potentially, strong 2FA.
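The difference between the two flows, as an added example that is not part of the original post: a step-wise check that leaks which factor failed, beside a combined check with one generic failure, plus a small test that detects the leak. The account data and function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed demo account. A real system would store a slow salted hash
# (e.g. scrypt) and verify a device-generated OTP rather than a fixed PIN.
USER = {"pw_hash": hashlib.sha256(b"correct horse").digest(), "pin": "493817"}


def _pw_ok(password: str) -> bool:
    digest = hashlib.sha256(password.encode()).digest()
    return hmac.compare_digest(digest, USER["pw_hash"])


def _pin_ok(pin: str) -> bool:
    return hmac.compare_digest(pin.encode(), USER["pin"].encode())


def weak_login(password: str, pin: str) -> str:
    """Step-wise check: the response reveals which factor failed."""
    if not _pw_ok(password):
        return "wrong password"
    if not _pin_ok(pin):
        return "wrong PIN"
    return "ok"


def strong_login(password: str, pin: str) -> str:
    """Evaluate both factors every time and return one generic failure."""
    pw, second = _pw_ok(password), _pin_ok(pin)  # both run, no short-circuit
    return "ok" if (pw and second) else "login failed"


def failure_responses(login) -> set:
    """Distinct responses across every failing combination of factors.
    More than one response means the flow confirms a single factor."""
    cases = [
        ("bad", "000000"),            # both wrong
        ("bad", USER["pin"]),         # only the password wrong
        ("correct horse", "000000"),  # only the PIN wrong
    ]
    return {login(pw, pin) for pw, pin in cases}
```

Running `failure_responses` against a login handler makes a useful regression test: the set should always contain exactly one message.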

A common strong form of “something you have” is an RSA SecurID token.

RSA SecurID

This device generates a number based on the current time and a secret unique to the device. It’s a strong One Time Password (OTP) generator, and is one of the most common “something you have” tokens. Unfortunately each company would typically require a unique RSA token and they need replacing every few years, so you could end up carrying a lot of these around. To try and solve this problem there are now software versions of these keys (“soft tokens”) that may be tied to a device (e.g. using the phone device ID) and require a PIN to unlock, but they could be stolen…
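SecurID’s own algorithm is proprietary, so this added example (not from the original post) shows the same “current time plus device secret” idea using the open TOTP standard, RFC 6238, which apps such as Google Authenticator implement. The secret is the RFC’s published test key and the function names are illustrative; the server-side check also rejects a code that has already been used, which is what stops replay inside the validity window.

```python
import hashlib
import hmac
import struct

SECRET = b"12345678901234567890"  # RFC 6238 test key, not a real credential


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 with HMAC-SHA1: truncate(HMAC(secret, time // step))."""
    counter = int(at) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret: bytes, code: str, at: float, last_counter: int,
           window: int = 1, step: int = 30):
    """Server-side check. Tolerates +/- `window` steps of clock drift and
    returns the matched time-step counter, or None on failure.
    Any counter <= last_counter is refused, so a captured code cannot be
    replayed even while it is still inside its validity window."""
    now = int(at) // step
    matched = None
    for c in range(now - window, now + window + 1):
        expected = totp(secret, c * step, step, len(code))
        same = hmac.compare_digest(expected.encode(), code.encode())
        if same and c > last_counter:
            matched = c
    return matched
```

The caller stores the returned counter per user and passes it back as `last_counter` on the next attempt.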

One “something you have” token I like the idea of is the YubiKey FIDO U2F.

U2F

This uses public key crypto in a clever way to allow the same key to be used on multiple sites, and is really cheap. Unfortunately client side support is poor at the moment and worse, from my perspective, many organisations are locking down USB ports (for good reason), which makes these devices hard to introduce.

I’m not so much of a fan of biometrics (“something you are”). Fingerprints are the most common, but some voice response systems are now attempting voice recognition as a second factor, and retina scan systems also exist. The problem I have with these is that they’re hard to revoke. What happens if your fingerprint gets stolen (you leave a million copies lying around every day!); you can’t really change it! It may be good enough to unlock your phone, but I wouldn’t use it as a single factor.

Two step verification (2SV)

2SV is very similar to 2FA in that it asks for two authenticators. In this case, though, the second authenticator is typically an OTP transmitted to you out of band. A common example is the first time you log in to your bank web site from a new machine (or new browser); it might want to send you a one time number via SMS to your phone that you need to type into the website.

Superficially, this looks like 2FA. You need to have your phone to receive it, surely?

The problem is in that assumption, that you need to have the phone to use the OTP. You don’t; it could have been intercepted in transit, or you might have entered it into a phishing site, or you set up your phone so that SMS messages are diverted to a mailbox and just protected by a password…

Effectively this form of authenticator is just a complicated form of “something you know”.

Factor strength

We’ve all seen websites that tell you rules for setting up a password. This is based on the idea of making this factor “strong”. After all, a password that’s 50 characters long and written in emoji is stronger than “hello”… right? Unfortunately many of these rules forget that humans have to remember the password, and could be counter-productive.

However the concept of the strength of a factor is important. Multi-factor authentication requires strong factors; but strong is relative to the use case.

Let’s take PINs on an ATM card; a PIN may only be 4 digits long, which sounds really weak! But in this use case the card may be rejected (or even retained by the machine) after 3 failed attempts. So with a theoretical 10,000 possible PINs, an attacker has a 1 in 3,333 chance of guessing the right one. That seems small, but it’s actually pretty good. If we increased the minimum PIN length to 6 we may be 100 times stronger, but now it’s a lot harder for people to remember and so there’s a greater chance that it’ll be written down and kept in the wallet along with the card.

On the other hand, 4 digit PINs may not be suitable for an OTP sent as part of a 2SV process, and since we don’t need to remember this for a long time, longer 8 digit PINs may be acceptable.

The use case is important in determining the strength of a factor.

Conclusion

A good MFA solution can strengthen the security of an environment; even a 2SV solution (e.g. Google Authenticator 2SV) is much better than just requiring a password. I use Google Authenticator on my own servers if coming from an untrusted source.

A large enterprise should require 2FA for staff entering their network from the internet (e.g. setting up VPNs, or remote desktop). For an individual, you may wish to set up 2SV on your email account (especially since password reset emails are sent to it!). For your retro-computing web forum, though, you may not want to go to the effort.

I’d like to see FIDO U2F get more adoption; Firefox doesn’t seem to have it yet, but it looks like more vendors are planning it. It’s a cheap, simple solution to the “something you have” problem.