Multi-factor Authentication

Wednesday , 2, October 2019

You’ve probably heard of two factor authentication, commonly referred to as two factor auth, or simply 2FA. It literally means using two different things to authenticate. Authentication is proving that you are who you claim to be, and providing two distinct forms of credentials is highly recommended. Not all 2FA varieties are equal however, so we’re going to examine this in a bit more detail.

The bottom line is that when 2FA is available, you should try to use it because it provides much stronger security. You might not realize it, but you are already familiar with common forms of two factor authentication. Perhaps you work in a secure area and use both a badge and a passcode to gain access. The badge is one factor, and the passcode is a second factor. This illustrates the main point of 2FA – it is not sufficient to simply have the physical badge, which might be stolen – an attacker would need to know the passcode you carry in your head as well.

Another common example is getting cash from an ATM, which typically requires a user to insert a physical card, but also requires a PIN number. Again we have two separate things needed, which makes it much more difficult to compromise.

In general we say that multi-factor authentication, which could be 2FA or more than 2 factors, requires using a combination of distinct factors:
1. something you know
2. something you have
3. something you are
and sometimes you’ll encounter people saying somewhere you are as a fourth. Something you know is like a password or PIN code. Something you have could be like the badge or ATM card in our earlier examples. Something you are implies biometric identification, like using a fingerprint or an iris scan to authenticate.

One thing we need to emphasize is that the factors need to be different, in multi factor authentication. If both factors are on your smartphone, or in your head, or written on a piece of paper in your wallet then you are using the weakest form of 2FA. Ideally both factors are not the same type and are secured differently as result. In other words, if one is something memorized, the other might be a physical object.

Another important idea here is the realization that not all possible choices are equal. Memorized passcodes, fingerprints, physical token generators like Yubikeys,authentication codes or tokens generated on your smartphone, physical keys or badges and more are all different, and should be considered carefully. It is appropriate to choose one physical device and one memorized code, for example, as we mentioned earlier. But beyond the separation of the two factors by type, it’s important to consider how secure each is.

SMS, the common text-messaging format is not considered a good choice. Having said that, if this is your only choice it is stronger security than using a single factor. But you should realize that SMS messages are sent in plaintext across the phone carrier’s network, and as such may be stored by the gateway or read by an eavesdropper who might be able to authentcate as you in an attack. There have also been attacks based on malicious SMS messages, in particular against Android mobile devices. Finally, there is the issue of latency. The SMS protocol makes no assurances about timely delivery of messages, and sometimes they can be substantially delayed.

Biometric identifiers should not be considered a good choice either, for reasons we cover in greater detail in a chapter dedicated to that topic. Despite issues involving forgeries, privacy concerns, and data security, fingerprints and retinal scans and such are better than nothing as a second factor.