Multi-factor Authentication
Full Name and Scope
Originally known as Two-factor Authentication (2FA), Multi-factor Authentication (MFA) covers a wide range of technologies designed primarily to give strong assurance as to either the real-world identity, or at least a persistent identity, of an individual, for the purpose of establishing that individual's authorization to an online resource of some type. This concept is in the process of morphing into a more general proofing process.
Context
As a part of authorizing a Subject to access a digital resource, the Web Site hosting that resource will need to acquire a set of Claims that apply to the Subject for the duration of the access. While this Authorization process can begin with the Authentication of the Subject by something as simple as a statement from the Subject, additional steps may be necessary, including the use of other Authentication factors. Standards like NIST SP 800-63 address this need as a part of the Authentication process by requiring the additional factors prior to attempting access. Most commercial Web Sites use a hybrid approach where Authentication is minimal and additional factors are addressed as needed, to avoid early drop-off by Consumers of their resources.
The Problems
- Originally a distinction was made between Authentication (the process of determining who you are) and Authorization (the process of determining what you can access). It turns out the other "Authentication" factors may be used as a part of the Authorization step, and hence be performed by a completely different Entity.
- There are downsides to using another authentication factor during a sign-in process. For example if care is not taken the User could lose access to their accounts entirely. Most sites offer a back-up Recovery process, but that obviates some of the ease-of-use characteristics of factors like FIDO U2F Security Tokens.[1]
- The most common second factor in use in 2017 is the use of the phone number to contact the user. This factor started in the 1980s with call-back devices used prior to establishing a modem connection. Today the most common usage is the SMS message sent to a cell phone. The essential problem is that phone companies have never accepted any responsibility for the security of the phone number, and there have been numerous cases of successful attacks against the use of the phone number as a Recovery mechanism for users' access to valuable resources.[2]
- When more than one factor is independently created, there is always a new attack point created. This became very clear when the Duo 2FA was tricked into sending authentications to the wrong subject.[3] This attack emphasizes the importance of proper binding among all of the factors used in authentication.
Exploits
- Unfortunately, Google employs dark patterns to convince you to sync your MFA codes to the cloud, and a Retool employee had indeed activated this “feature”. If you install Google Authenticator from the app store directly, and follow the suggested instructions, your MFA codes are by default saved to the cloud. If you want to disable it, there isn’t a clear way to “disable syncing to the cloud”; instead there is just an “unlink Google account” option. In Retool's corporate Google account, there is also no way for an administrator to centrally disable Google Authenticator’s sync “feature”. (2023-09-15)
- Microsoft: Phishing bypassed MFA in attacks against 10,000 orgs (2022-07-12). Microsoft says a massive series of phishing attacks has targeted more than 10,000 organizations starting in September 2021, using the gained access to victims' mailboxes in follow-on business email compromise (BEC) attacks.
Fraud
The assumption that all users can understand how MFA works is an example of pushing security concerns onto the user and disclaiming any liability if the user cooperates with an attacker. Here’s how the scam works:
- You get a text message that says, “Are you sure you want to send a wire transfer of $5,000 to Jack Rowen? Please text Yes or No”
- You reply “no”
- They then call you back from a number they’ve spoofed to show up as your bank on caller ID.
- The person says “Hi, I’m from your bank, did you initiate a wire transfer to Jack Rowen, was it you?”
- You say “No, it was fraud”
- The caller says “Ok I need to block the wire, but in order to do so I need to confirm you are who you say you are. So we’re going to send a code to your phone and we need you to read the code back to me.”
- Once that code is read back, the damage is done as the bank cannot validate you beyond our device. This is the major flaw with every security vendor out there that bases their security on device and assumptions.
What the fraudster actually did was initiate a password reset on my wife’s account, which sent the 2FA code to her phone. Once she gave them the code - thinking it’s really the bank, and while the fraudsters stalled her on the phone, they reset her password, took over her bank account, and proceeded to send $4,995 Zelle payments out to 22 accounts. The bank did not catch the fraud until the account was drained.
Unfortunately the bank said we were on the hook since she provided the 2FA code, so we lost over $55,000. You can watch similar stories on NBC, 20/20, CBS - it’s happening to innocent people across the country.
All because 2FA is a garbage, easy to hack solution to account security. One of the main reasons why I joined authID. The companies I worked for in the past could not have stopped this.
Regulators in Washington DC, however, are beginning to demand that banks do more to protect their customers. Financial liability - This should change the way banks handle this fraud.
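The scam above works because the one-time code the bank sends is generic: nothing in the message or in the server's check ties it to the action it actually authorizes (a password reset), so the victim cannot tell it apart from a code to "block a wire". The following is an added example, not code from the page or from any bank or vendor, of how a site can bind a code to one purpose, name that purpose in the message, and burn it on first use; the purpose names, the in-memory store and the fixed clock are constructed for illustration.

```python
import hmac
import secrets
import time
from typing import Optional

# Constructed in-memory store of issued codes (a real system would use a
# database with expiry); the key is (user, purpose) so a code is only ever
# valid for the purpose it was issued for.
ISSUED: dict = {}
CODE_TTL = 300  # seconds a code stays valid

# Human-readable purpose text that goes into the SMS, so the recipient can
# see what the code really authorizes before reading it to anyone.
PURPOSE_TEXT = {
    "password_reset": "reset your online-banking password",
    "approve_wire": "approve an outgoing wire transfer",
}

def issue_code(user: str, purpose: str, now: Optional[float] = None):
    """Issue a single-use 6-digit code for one purpose; return (code, sms_text)."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"
    ISSUED[(user, purpose)] = {"code": code, "expires": now + CODE_TTL}
    text = (f"Your code to {PURPOSE_TEXT[purpose]} is {code}. "
            "Bank staff will never ask you to read this code over the phone.")
    return code, text

def verify_code(user: str, purpose: str, code: str, now: Optional[float] = None) -> bool:
    """Accept a code only for the purpose it was issued for, once, before expiry."""
    now = time.time() if now is None else now
    entry = ISSUED.get((user, purpose))
    if entry is None or now > entry["expires"]:
        return False
    ok = hmac.compare_digest(entry["code"], code)  # constant-time comparison
    if ok:
        del ISSUED[(user, purpose)]  # single use: burn the code on success
    return ok

def replay_scenario() -> dict:
    """Walk the scam above: a reset code read back to a caller is tried elsewhere."""
    t0 = 1_700_000_000.0  # constructed fixed clock
    code, sms = issue_code("alice", "password_reset", now=t0)
    return {
        "sms_names_purpose": "reset your online-banking password" in sms,
        # Issued for a password reset, so it must not approve a wire transfer.
        "cross_purpose_rejected": not verify_code("alice", "approve_wire", code, now=t0),
        "correct_purpose_accepted": verify_code("alice", "password_reset", code, now=t0 + 10),
        "replay_rejected": not verify_code("alice", "password_reset", code, now=t0 + 20),
    }
```

The purpose text in the message is the part that helps the person on the phone; the purpose-keyed store, expiry and single use are what stop a captured code from being replayed for anything else.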
The Solutions
A broad-range approach to multi-factor Authentication will need to address processes that occur during Authentication as well as processes that occur later during the Authorization step. This distinction becomes blurred, especially in Sites with different requirements for different resources.
As originally conceived, MFA was primarily a means to increase the assurance of an authentication being accurate. The technique of having multiple factors is in the process of changing into one that is used by Authorization services to determine if users have specific Attributes or Proof of Possession of some secret supplied by the Resource owner.
Standard categories of Authentication Factors
- Something you know, like a password
- Something you have, like a U2F key or Smart Card
- Something you are, like a Biometric Attribute (typically finger print or face)
Note that User Name is not listed as an authentication factor, but it is certainly enough to start building a Trust Vector as described in Bayesian Identity Proofing.
References
- [1] Stuart Schechter, Before You Turn On Two-Factor Authentication… https://medium.com/@stuartschechter/before-you-turn-on-two-factor-authentication-27148cc5b9a1
- [2] Lorenzo Franceschi-Bicchierai, The SIM Hijackers https://motherboard.vice.com/en_us/article/vbqax3/hackers-sim-swapping-steal-phone-numbers-instagram-bitcoin
- [3] John Leyden, Researchers trick Duo 2FA into sending authentication request to attacker-controlled device (2021-04-21), PortSwigger https://portswigger.net/daily-swig/amp/researchers-trick-duo-2fa-into-sending-authentication-request-to-attacker-controlled-device
Other Authentication factors and external links
- W3C Credential Management Level 1 describes an imperative API enabling a website to request a user’s credentials from a user agent, and to help the user agent correctly store user credentials for future use.
- FIDO U2F or universal second factor.
- Web Authentication: An API for accessing Public Key Credentials Level 1 defines an API enabling the creation and use of strong, attested, scoped, public key-based credentials by web applications, for the purpose of strongly authenticating users.
- WebAuth is an effort to define a simple challenge-response authentication mechanism for PKI (X509) roll-outs, with a standardized token format for transporting the claim and a standard API for website developers to request that authentication token, to overcome a set of issues present with client certificate authentication in the web context.
- Good UX Practices for 2 factor Authentication also discusses drop-off caused by requiring other authentication factors.
- More information is on the wiki page SIM Card Number.