Difference between revisions of "Multi-factor Authentication"

Revision as of 10:43, 18 April 2021

Full Name and Scope

Originally known as Two-factor Authentication (2FA), Multi-factor Authentication (MFA) covers a wide range of technologies designed primarily for strong assurance as to the either the real-world identity, or at least a persistent identity, for purposes of establishing the authorization from an individual to a online resource of some type. This concept is in the process of morphing into a more general proofing process.

Context

As a part of authorizing a Subject to access a digital resource the Web Site hosting that resource will need to acquire a set of Claims that apply to the Subject for the duration of the access. While this Authorization process can begin with the Authentication of the Subject with something as simple as a statement from the Subject, additional steps may be necessary including using other Authentication factors. Standards like NIST SP 800-63 address this need as a part of the Authentication process by requiring the additional factors prior to attempting access. Most commercial Web Sites use a hybrid approach where Authentication is minimal and additional factors are address as needed to avoid early drop off by Consumers of their resources.

The Problems

• Originally a distinction was made between Authentication (the process of determining who you are) and Authorization (the process of determine what you can access). It turns out the other "Authentication" factors may be used as a part of the Authorization step, and hence be performed by a completely different Entity.
• There are downsides to using another authentication factor during a sign-in process. For example if care is not taken the User could lose access to their accounts entirely. Most sites offer a back-up Recovery process, but that obviates some of the ease-of-use characteristics of factors like FIDO U2F Security Tokens.^[1]
• The most common second factor in use in 2017 is the use of the phone number to contact the user. This factor starting in the 1980's with call-back devices prior to establishing a modem connection. Today the most common usage is the SMS message sent to a cell phone. The essential problem is that phone companies have never accepted any responsibility for the security of the phone number and numerous cases of successful attacks against the use of the phone number as a Recovery mechanism on user's access to valuable resources.^[2]
• When more than one factor is independently crated, there is always a new attack point created. This became very clear when the Duo 2FA was tricked into sending authentications to the wrong subject.^[3] This attack emphasizes the importance of proper binding among all of the factors used in authentication.

The Solutions

A broad range approach to multi-factor Authentication will need to address processes that occur during Authentication as well as processes that occur later during the Authorization step. This distinction becomes blurred, especially in Sites with different requirements for different resources.

As originally conceived, MFA was primarily a means to increase the assurance of an authentication being accurate. The technique of having multiple factors is in the process of changing into one that is used by Authorization services to determine if users have specific Attributes or Proof of Possession of some secret supplied by the Resource owner.

Standard categories of Authentication Factors

1. Something you know, like a password
2. Something you have, like a U2F key or Smart Card
3. Something you are, like a Biometric Attribute (typically finger print or face)

Note that User Name is not listed as an authentication factor, but it is certainly enough to start building a Trust Vector as described in Bayesian Identity Proofing.

References

1. ↑ Stuart Schechter, Before You Turn On Two-Factor Authentication… https://medium.com/@stuartschechter/before-you-turn-on-two-factor-authentication-27148cc5b9a1
2. ↑ Lorenzo Franceschi-Bicchierai The SIM Hijackers https://motherboard.vice.com/en_us/article/vbqax3/hackers-sim-swapping-steal-phone-numbers-instagram-bitcoin
3. ↑ John Leyden, Researchers trick Duo 2FA into sending authentication request to attacker-controlled device (2021-04-21) Portswigger https://portswigger.net/daily-swig/amp/researchers-trick-duo-2fa-into-sending-authentication-request-to-attacker-controlled-device

Other Authentication factors and external links

1. W3C Credential Management Level 1 describes an imperative API enabling a website to request a user’s credentials from a user agent, and to help the user agent correctly store user credentials for future use.
2. FIDO U2F or universal second factor.
3. Web Authentication: An API for accessing Public Key Credentials Level 1 defines an API enabling the creation and use of strong, attested, scoped, public key-based credentials by web applications, for the purpose of strongly authenticating users.
4. WebAuth an effort is to define a simple challenge-response authentication mechanism for PKI (X509) roll-outs, with a standardized token format for transporting the claim and a standard API for website developers to request for that authentication token, to overcome a set of issues present with client certificate authentication in the web context.
5. Good UX Practices for 2 factor Authentication also discusses drop off from using other authentication factors.