Wednesday, April 1

On Multi-factor Authentication

Luther Martin of Voltage Security posted a very interesting post on the future of multi-factor authentication. In it, he challenged commonly held beliefs on the subject. Specifically, he writes:
It’s often claimed that multi-factor authentication is inherently more secure than single-factor authentication, but if you look at the history of this claim, it actually came from a vendor that wanted to make their multi-factor authentication product sound better than competitors' products.
(I'm not sure if these are his thoughts or if he's saying that was the consensus at a recent X9 meeting.)

Martin goes on to suggest that using two authentication mechanisms of the same factor may be as secure as using two factors and lays out scheme A & B to discuss.

So here are my thoughts:

Wouldn't scheme A be more secure because you can't brute-force it? Isn't that the whole point of having the second factor? All passwords can be brute-forced given enough time. Having the second factor removes that threat.

Of course, you could implement a strong password plus a kill switch after 10 bad tries, but that still relies on the user to implement safe password storage. And I generally think it's better to remove any responsibility from the end-user (especially if there's a convenience trade-off).

Requiring users to carry/remember two username-password combinations for every system doesn't seem practical. Security will fail if users try to subvert it for the sake of convenience. And they will.

Usability needs to be a key consideration. A token/PIN combination is a secure and easy-to-use way to beat the threat of brute-force attacks and poor password management. So is having a certificate installed on a particular PC, as are other second-factor solutions.
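As an added illustration of scheme A as described above (example code, not from Luther Martin's post or from this blog): a password check paired with an RFC 6238 time-based token code, with the "kill switch after 10 bad tries" as the backstop against online guessing. The password, token secret and timestamps below are constructed values; the token secret is the RFC 4226/6238 test key.

```python
import hashlib
import hmac
import secrets
import struct

LOCKOUT_THRESHOLD = 10   # the "kill switch after 10 bad tries" from the post
TIME_STEP = 30           # seconds per token window (RFC 6238 default)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    counter = struct.pack(">Q", unix_time // TIME_STEP)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Account:
    """Scheme A: password (something you know) + token code (something you have).
    A guessed password alone never succeeds; the lockout bounds guesses at the code."""

    def __init__(self, password: str, totp_secret: bytes):
        self.salt = secrets.token_bytes(16)
        self.pw_hash = self._hash(password, self.salt)
        self.totp_secret = totp_secret   # constructed test key in the demo
        self.failures = 0

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def login(self, password: str, code: str, now: int) -> str:
        """Return 'ok', 'bad', or 'locked'. Both factors are always evaluated, so a
        wrong password and a wrong code take the same code path and timing."""
        if self.failures >= LOCKOUT_THRESHOLD:
            return "locked"
        pw_ok = hmac.compare_digest(self._hash(password, self.salt), self.pw_hash)
        # Accept the current window and its two neighbours to tolerate clock drift.
        otp_ok = any(hmac.compare_digest(totp(self.totp_secret, now + d), code)
                     for d in (-TIME_STEP, 0, TIME_STEP))
        if pw_ok and otp_ok:
            self.failures = 0
            return "ok"
        self.failures += 1
        return "locked" if self.failures >= LOCKOUT_THRESHOLD else "bad"
```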


Anonymous said...

I also question if this isn't multi-factor in sheep's clothing, if you will. Does factor = method or does factor = unique challenge mechanism? Because if you have two distinct passwords, aren't those two unique challenges? Which would make them two factors. Of course, that's all academic, really.

Matt Flynn said...

I always thought factor to mean type of authentication mechanism. And honestly, I'm wrestling with Luther's original point that two challenges with the same factor may be as secure as two with different factors. It may depend on which factor.

Two tokens can be easily used when the owner isn't around. But two bios (fingerprint/eye) seem pretty secure. As would password + PIN on a purely cryptographic level.

We continued the discussion at his original post.