Critical Look at Myths and Practices of Multi-Factor Authentication (MFA)

Girish Chiruvolu
3 min read · Mar 29, 2021

Online user authentication has evolved from a single password protecting an account to the many combinations of factors in use today. This has produced considerable "noise" and "fuzziness" around what authentication actually proves, and the large monetary incentives in the market keep driving that "marketing noise".

Let us first look at how the notion of a "factor" entered the authentication space. The genesis for all of it is the underlying, inherent attributes of the original secret: the password.

Passwords are perceived as "personal" first: a secret that no one knows except the user and the authentication system at the other end of the connection. As everyday attacks on passwords became more prevalent, be it any one or a combination of the following,

· social engineering, e.g. phishing

· interception and spoofing of the login exchange

· offline cracking of stolen password databases (rainbow tables against unsalted hashes; dictionary and brute-force attacks against salted ones)

· simple automated and methodical guessing

the “factor” bandwagon arrived.

Let us recite the factors of multi-factor authentication:

1. First factor — what you know (hopefully no one knows it)

2. Second factor — prove that you possess something verifiable

3. Third factor — your unique biometrics

4. Fourth factor — your location

5. Fifth factor — your behavioral attributes

6. Sixth factor — to be invented or discovered soon …

First factor — for those who use a password manager in some form, whether it is the browser storing your passwords (almost all browsers support this), the keychain on macOS, or a password vault in the cloud or on your desktop, the secret no longer resides in your human brain.

Let us look at that more closely: "your secret no longer resides in your human brain" means that your machine (hardware or software) is remembering it for you. Passwords, as static strings, then no longer meet the definition of the 1st factor.

The so-called password 1st factor has thus effectively become a second factor under the definition of what you possess: a password-storing browser, keychain or vault, or simply a notebook with all the passwords written down.

Before looking closer at the 2nd factor, let us consider the 3rd factor — biometrics.

Third factor — as we witnessed in the early days, storing an exact, complete biometric in digital form exposes it to attackers, and since a biometric cannot be changed, an exposed one is useless for the rest of the user's lifetime.

Because of that risk, most solutions that use biometrics as the 3rd factor apply a transformation algorithm that captures a unique "footprint" (a template) of the underlying biometric for authentication, rather than storing the raw biometric.

What this translates into is that, even though the user's biometric is the input, ultimately it is the transformation algorithm residing in the hardware that drives the authentication.

Since almost all biometric schemes match locally, on the user's own device, it again boils down to what the user possesses: effectively a second factor, e.g. your iPhone.

So far, based on the above observations, both the 1st and the 3rd factor have effectively collapsed into the 2nd factor's definition of what you possess.

Now a final note on the 2nd factor, proof of what you possess: all 2nd factor schemes send a digitized proof to the server. Be it a one-time passcode, an app-based approval or a digital signature, each is a form of proof of possession of the 2nd factor.

Most of these proofs have a "bearer" attribute, meaning that whoever submits the proof is authenticated, irrespective of where it came from or who the original possessor of the 2nd factor is. Such spoofing has resulted in account compromise, as we have witnessed with SMS codes, OTPs and out-of-band approvals, all of which a real-time phishing proxy can simply relay. A signature over a server-issued challenge that also covers the origin the user is on (the FIDO2/WebAuthn approach) does not have this property: a proof relayed from a look-alike site fails verification.

In this context, a bearer-aware, anti-spoofing 2nd factor scheme, one whose proof is bound to the source that produced it, would eliminate this class of account takeover without necessarily changing the user experience. It is the same as carrying cash versus travelers checks, which trace ownership back to the original recipient of the checks. With such bearer-aware 2nd factor tokens, users need not worry about theft of a proof, as it would not work for anyone other than the source user.
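The difference between a bearer proof and a bearer-aware proof is easiest to see in code. The following is an added example, not code from the original post or from any vendor: it implements a standard TOTP verifier (RFC 6238) and a simplified origin- and challenge-bound verifier modelled on the FIDO2/WebAuthn idea, then runs both through a relay-phishing scenario. The origin names, the use of HMAC in place of a public-key signature, and the scenario itself are assumptions made for illustration.

```python
"""
Added example (not from the original post): a bearer one-time passcode versus
a challenge- and origin-bound second-factor proof, run through a relay phisher.

Assumptions (illustrative, not any vendor's implementation):
- TOTP per RFC 6238 (HMAC-SHA1, 30 s step, 6 digits), verified with a +/-1 step window.
- The "bearer-aware" scheme is modelled on the FIDO2/WebAuthn idea: the device
  signs the server's fresh challenge together with the origin the user is on.
  An HMAC with a per-device key stands in for the public-key signature.
"""
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

# --- Bearer proof: TOTP ---------------------------------------------------

def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, dynamically truncated."""
    counter = struct.pack(">Q", for_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def verify_totp(secret: bytes, code: str, now: int, window: int = 1) -> bool:
    """Accept the code if it matches any step within +/-window. Note what is
    NOT checked: who submitted it, from which site, or in reply to what."""
    return any(
        hmac.compare_digest(totp(secret, now + k * 30), code)
        for k in range(-window, window + 1)
    )

# --- Bound proof: signed challenge + origin --------------------------------

def sign_assertion(device_key: bytes, challenge: bytes, origin: str) -> bytes:
    """Device side: authenticate the server challenge together with the origin
    the browser reports. The user cannot hand over a proof valid elsewhere."""
    return hmac.new(device_key, challenge + b"|" + origin.encode(), hashlib.sha256).digest()

def verify_assertion(device_key: bytes, issued_challenge: bytes,
                     expected_origin: str, assertion: bytes) -> bool:
    """Server side: recompute over the challenge *it* issued and *its* origin."""
    expected = hmac.new(device_key, issued_challenge + b"|" + expected_origin.encode(),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion)

# --- Relay phishing scenario (constructed) ---------------------------------

REAL_ORIGIN = "https://bank.example"       # hypothetical genuine site
PHISH_ORIGIN = "https://bank-example.com"  # hypothetical look-alike site

def run_scenario(now: Optional[int] = None) -> dict:
    """Returns which proofs the verifier accepted in each step of the relay."""
    now = int(time.time()) if now is None else now
    totp_seed = secrets.token_bytes(20)
    device_key = secrets.token_bytes(32)

    # 1) OTP: victim types the code into the phishing page; attacker forwards it.
    victim_code = totp(totp_seed, now)
    otp_relay_accepted = verify_totp(totp_seed, victim_code, now)  # bearer: accepted

    # 2) Bound proof: attacker fetches a real challenge from the bank, relays it
    #    to the victim's browser, which signs it under the PHISHING origin.
    challenge = secrets.token_bytes(32)
    relayed_assertion = sign_assertion(device_key, challenge, PHISH_ORIGIN)
    bound_relay_accepted = verify_assertion(device_key, challenge, REAL_ORIGIN,
                                            relayed_assertion)   # rejected

    # The same proof produced on the genuine site is accepted; replaying it
    # against a later challenge is rejected because the challenge is fresh.
    genuine_assertion = sign_assertion(device_key, challenge, REAL_ORIGIN)
    genuine_accepted = verify_assertion(device_key, challenge, REAL_ORIGIN, genuine_assertion)
    replay_accepted = verify_assertion(device_key, secrets.token_bytes(32), REAL_ORIGIN,
                                       genuine_assertion)
    return {
        "otp_relay_accepted": otp_relay_accepted,      # True
        "bound_relay_accepted": bound_relay_accepted,  # False
        "genuine_accepted": genuine_accepted,          # True
        "replay_accepted": replay_accepted,            # False
    }

if __name__ == "__main__":
    for name, accepted in run_scenario().items():
        print(f"{name}: {accepted}")
```

The OTP verifier has no way to tell the attacker's submission from the victim's, because the code carries nothing about its origin; the bound verifier rejects the relayed proof because the origin it was signed under is not the one the server expects, and rejects a replay because each challenge is single-use. Real deployments use an asymmetric signature and a per-credential public key rather than a shared HMAC key, so the server holds nothing a thief could reuse.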
