Difference between revisions of "Multi-factor Authentication"

From MgmtWiki
Jump to: navigation, search
(Full Name and Scope)
(The Problems)
Line 6: Line 6:
  
 
==The Problems==
 
==The Problems==
Originally a distinction was made between [[Authentication]] (the process of determining who you are) and [[Authorization]] (the process of determine what you can access).
+
*Originally a distinction was made between [[Authentication]] (the process of determining who you are) and [[Authorization]] (the process of determine what you can access). It turns out the other "[[Authentication]]" factors may be used as a part of the [[Authorization]] step, and hence be performed by a completely different [[Entity]].
 +
*There are downsides to using another authentication factor during a sign-in process. For example if care is not taken the [[User]] could lose access to their accounts entirely. Most sites offer a back-up [[Recovery]] process, but that obviates some of the ease-of-use characteristics of factors like [[FIDO U2F]].<ref>Stuart Schechter, ''Before You Turn On Two-Factor Authentication…'' https://medium.com/@stuartschechter/before-you-turn-on-two-factor-authentication-27148cc5b9a1</ref>
  
 
==The Solutions==
 
==The Solutions==

Revision as of 15:31, 15 August 2018

Full Name and Scope

Originally known as Two-factor Authentication, Multi-factor Authentication (MFA) covers a wide range of technologies designed primarily for strong assurance as to the either the real-world identity, or at least a persistent identity, for purposes of establishing the authorization from an individual to a online resource of some type. This concept is in the process of morphing into a more general proofing process.

Context

As a part of authorizing a Subject to access a digital resource the Web Site hosting that resource will need to acquire a set of Claims that apply to the Subject for the duration of the access. While this Authorization process can begin with the Authentication of the Subject with something as simple as a statement from the Subject, additional steps may be necessary including using other Authentication factors. Standards like NIST SP 800-63 address this need as a part of the Authentication process by requiring the additional factors prior to attempting access. Most commercial Web Sites use a hybrid approach where Authentication is minimal and additional factors are address as needed to avoid early drop off by Consumers of their resources.

The Problems

  • Originally a distinction was made between Authentication (the process of determining who you are) and Authorization (the process of determine what you can access). It turns out the other "Authentication" factors may be used as a part of the Authorization step, and hence be performed by a completely different Entity.
  • There are downsides to using another authentication factor during a sign-in process. For example if care is not taken the User could lose access to their accounts entirely. Most sites offer a back-up Recovery process, but that obviates some of the ease-of-use characteristics of factors like FIDO U2F.[1]

The Solutions

A broad range approach to multi-factor Authentication will need to address processes that occur during Authentication as well as processes that occur later during the Authorization step. This distinction becomes blurred, especially in Sites with different requirements for different resources.

As originally conceived, MFA was primarily a means to increase the assurance of an authentication being accurate. The technique of having multiple factors is in the process of changing into one that is used by Authorization services to determine if users have specific Attributes or Proof of Possession of some secret supplied by the Resource owner.

References

  1. W3C Credential Management Level 1 describes an imperative API enabling a website to request a user’s credentials from a user agent, and to help the user agent correctly store user credentials for future use.
  2. U2F
  3. Web Authentication: An API for accessing Public Key Credentials Level 1 defines an API enabling the creation and use of strong, attested, scoped, public key-based credentials by web applications, for the purpose of strongly authenticating users.
  4. WebAuth an effort is to define a simple challenge-response authentication mechanism for PKI (X509) roll-outs, with a standardized token format for transporting the claim and a standard API for website developers to request for that authentication token, to overcome a set of issues present with client certificate authentication in the web context.
    1. Stuart Schechter, Before You Turn On Two-Factor Authentication… https://medium.com/@stuartschechter/before-you-turn-on-two-factor-authentication-27148cc5b9a1