Enhancing Security with Multi-Factor Authentication
Multi-Factor Authentication (MFA) is a vital security measure that goes beyond traditional password-only authentication. While most sites rely solely on a password for user verification, incorporating multiple authentication elements—known as "factors"—significantly enhances security. These factors can be categorized into three main types:
- Something you know: A password
- Something you have: A one-time-password token or a device such as a smartphone
- Something you are: Biometrics
When two factors are employed, it is referred to as Two-Factor Authentication (2FA), which represents the simplest form of MFA.
This article will help you understand the advantages of MFA and how you can implement it effectively. Let’s dive in!
What Benefits Does MFA Offer?
Imagine you are managing a large bank with thousands of clients who rely on your online services. To ensure that clients can access their account information securely, it is essential to verify their identity.
Typically, this verification occurs through a username and password. The username indicates the identity claimed by the user, while the password provides access to information that only the legitimate user possesses.
However, password-based authentication carries risks, particularly from malware like keyloggers. These malicious programs capture every keystroke, exposing usernames and passwords to attackers, who can then compromise accounts.
Another risk arises when users leave their devices unlocked while logged in. Requiring an authentication factor again, whether the password or an alternative, before critical actions such as fund transfers mitigates this. Re-prompting for a second factor can be more convenient for the user than re-entering the password, and it strengthens security at the same time.
Replay attacks involve duplicating a legitimate request. A time-sensitive second factor reduces the chances of such attacks, because a captured code stops being valid shortly afterwards. MFA should not be the only defense against replay attacks, but it does make them harder to carry out.
MFA also increases resistance to phishing attacks, especially when the second factor is time-limited. Users might inadvertently share their passwords or a one-time password, but it is unlikely they would send physical devices to attackers—at least, one hopes!
Understanding "Something You Know"
The first factor, "something you know," typically refers to a password, but it can encompass other forms of knowledge as well.
Consider the process of altering a flight reservation over the phone. Airlines will typically request a booking reference and personal details about the passenger, such as name, date of birth, or identification number, rather than a password. This presents a concern as such information may not be treated as confidential by the user.
A similar scenario occurs in insurance and healthcare settings, where providing personal information can lead to unauthorized access. Fortunately, apart from personal vendettas, attackers have little incentive to exploit this weak form of authentication.
Exploring "Something You Have"
When you sign up for a service, you typically demonstrate access to your email through a verification code sent to that address.
This verification method can apply to emails, physical mail, and phone numbers, establishing your ownership of those contact points. However, access can change, such as when switching phone providers or moving residences, necessitating that websites allow for updates.
More secure alternatives for "something you have" include security keys/cards and time-based one-time password (TOTP) applications. Yubico is a prominent provider of security keys, while Google Authenticator is a popular TOTP application.
Phasing Out: TAN Lists & SMS Codes
Two outdated methods are TAN lists and SMS-based codes. TAN lists, used by banks, involve sending a series of codes via mail that users must reference for transactions. This method is cumbersome and raises security concerns, as mail can be intercepted.
SMS codes are also problematic, as they are not end-to-end encrypted, leaving messages accessible to mobile carriers. Additionally, there have been instances of social engineering in which attackers convinced carriers to issue duplicate SIM cards, so that the codes were delivered to the attacker instead of the user.
Time-Based One-Time Passwords
TOTP provides users with a one-time password through an app on their smartphones.
Alternative TOTP applications include Twilio Authy, LastPass Authenticator, Yubico Authenticator, and Microsoft Authenticator.
When using TOTP, users pair the app with the web service by scanning a QR code. The app then generates passwords that are valid for a limited time, typically around 30 seconds.
The underlying mechanism is defined in RFC 6238, which outlines the following steps:
- The server and device share a secret, usually a long random string.
- Both parties synchronize their time, typically through the Network Time Protocol (NTP).
- The shared secret and time are used to generate a current one-time password.
Here's a simplified function illustrating how the shared secret and the current time step combine into a one-time value (the real algorithm in RFC 6238 uses an HMAC, but the idea is the same):
    import hashlib
    import time

    def derive_key(shared_secret, time_step=30):
        # Floor the current Unix time to the start of its 30-second window
        unix_time = int(time.time())
        time_bucket = (unix_time - unix_time % time_step) // time_step
        # Hash secret and window counter together; the result changes once per window
        return hashlib.sha512((shared_secret + str(time_bucket)).encode()).hexdigest()
The time bucket advances every 30 seconds. Minor discrepancies between server and device clocks can occur, but they are small compared with the window, so they rarely cause a mismatch.
Importantly, the device does not require internet access after the initial setup; it only needs to keep the shared secret securely stored.
However, there are two drawbacks to this second factor:
- Inconvenience: Users must have the device on hand, which is rarely a problem when that device is their smartphone.
- Lost device: Users may misplace or damage their device.
Security Keys and Smartcards
Yubico keys are among the most recognized options and are user-friendly, compatible with various operating systems, including Linux. Many services support Yubico keys via FIDO2/WebAuthn, although some lesser-known browsers may lack support.
Smartcards function similarly, featuring a chip that processes data rather than just sending an identifier. Authentication via smartcards follows a challenge-response model:
- The authenticating device issues a random number, known as a "challenge."
- The smartcard returns a package containing the card's identifier, public key, signed challenge, and possibly a certificate.
- The device verifies the signature against the public key and challenge.
- The device checks that the identifier is authorized for the requested action.
This process is secure, as the private key remains confined to the card—neither the user nor the card manufacturer should have access to it.
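As an added example (not code from the original article), the four steps above in Python, using Ed25519 signatures from the third-party `cryptography` package, which is assumed to be installed. The `SmartCard` and `Reader` classes and the card identifier are hypothetical. Two practical checks that the list implies but does not spell out are included: the reader signs nothing itself and discards each challenge after one use, so a recorded response cannot be replayed, and it verifies the signature with the public key recorded at enrollment rather than the one the card presents, since otherwise anyone could answer with a freshly generated key pair and a borrowed identifier.

```python
import os

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import (
    Ed25519PrivateKey,
    Ed25519PublicKey,
)
from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat


class SmartCard:
    """Hypothetical card: the private key is generated on the card and never leaves it."""

    def __init__(self, card_id: str):
        self.card_id = card_id
        self._private_key = Ed25519PrivateKey.generate()

    def public_key_bytes(self) -> bytes:
        return self._private_key.public_key().public_bytes(Encoding.Raw, PublicFormat.Raw)

    def respond(self, challenge: bytes) -> dict:
        # The package from step 2: identifier, public key and the signed challenge
        return {
            "id": self.card_id,
            "public_key": self.public_key_bytes(),
            "signature": self._private_key.sign(challenge),
        }


class Reader:
    """Hypothetical authenticating device that enrolls cards and checks responses."""

    def __init__(self):
        self.enrolled = {}    # card_id -> (public key bytes, set of permitted actions)
        self.pending = set()  # challenges issued but not yet answered (single use)

    def enroll(self, card_id: str, public_key: bytes, actions) -> None:
        self.enrolled[card_id] = (public_key, set(actions))

    def issue_challenge(self) -> bytes:
        challenge = os.urandom(32)  # step 1: unpredictable, so old answers are worthless
        self.pending.add(challenge)
        return challenge

    def authenticate(self, challenge: bytes, response: dict, action: str) -> bool:
        if challenge not in self.pending:
            return False  # unknown or already consumed challenge (replayed response)
        self.pending.discard(challenge)

        entry = self.enrolled.get(response["id"])
        if entry is None:
            return False
        enrolled_key, permitted = entry
        # Trust only the key recorded at enrollment, not whatever key the response carries
        if enrolled_key != response["public_key"]:
            return False
        try:  # step 3: signature must match the enrolled key and this exact challenge
            Ed25519PublicKey.from_public_bytes(enrolled_key).verify(response["signature"], challenge)
        except InvalidSignature:
            return False
        return action in permitted  # step 4: identifier authorized for this action?


def demo() -> bool:
    """One successful login with a freshly enrolled card."""
    card, reader = SmartCard("card-0001"), Reader()
    reader.enroll(card.card_id, card.public_key_bytes(), {"login"})
    challenge = reader.issue_challenge()
    return reader.authenticate(challenge, card.respond(challenge), "login")


if __name__ == "__main__":
    print("login accepted:", demo())
```

Note that the private key is only ever used inside `SmartCard.respond`; nothing in the reader, and nothing in the response package, contains it.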
Understanding "Something You Are"
Biometric authentication, once a concept relegated to science fiction, has become commonplace in smartphones. Fingerprint scanners have been integrated into laptops for years, while facial recognition technology has surged in popularity.
Various biometric methods can be employed for identification, including:
- Eyes: Iris and retinal scans
- Hands: Fingerprints, palm veins, hand geometry
- DNA
- Voice
- Behavior: Walking patterns, typing styles, and gaming actions
The primary benefit of biometrics is that this information cannot be misplaced. However, it is vulnerable to forgery. For instance, shortly after the release of a fingerprint-enabled iPhone, researchers demonstrated the ability to replicate fingerprints. As a result, online services have been cautious in adopting biometrics for authentication due to the potential for manipulation.
Conversely, biometric verification can be highly effective for identification when conducted in a controlled environment. For instance, it would be challenging to fake a DNA sample or palm vein scan under direct supervision.
Behavioral recognition is particularly intriguing. Imagine needing to complete a game of Super Mario before transferring substantial funds. This type of verification would be hard to replicate, even if you wished to share it with an attacker.
Feel free to share any additional MFA methods you may know!