Multi-factor authentication (MFA; also called extended authentication) is a method of controlling access to a computer in which a user must present more than one piece of evidence (an authentication factor) to gain access to information. The categories of evidence are:
- Knowledge: something the subject knows, for example a password or a PIN.
- Possession: something the subject has, for example an electronic or magnetic card, a token, or a flash drive.
- Inherence: something the subject is, for example biometrics, the naturally unique features of a person: face, fingerprints, iris, capillary pattern, DNA sequence.
Authentication Factors
Even before the advent of computers, various distinguishing features and characteristics of a subject were used to identify it. Today the choice of a given characteristic for a system depends on the required reliability and security and on the cost of implementation. There are three authentication factors:
- The knowledge factor, something we know, is the password. This is secret information that only an authorized subject should possess. A password can be a spoken word, a text string, a lock combination or a personal identification number (PIN). The password mechanism is easy to implement and cheap. But it has significant drawbacks: it is often difficult to keep a password secret, and attackers constantly come up with new ways to steal, guess and crack passwords (see rubber-hose cryptanalysis, brute-force attack). This makes the password mechanism insecure. Many secret questions, such as "Where were you born?", are elementary examples of the knowledge factor, because the answer can be known to a wide group of people or be looked up.
- The possession factor, something we have, is an authentication device. It is important that the subject possess some unique object. This can be a personal seal, a key to a lock, or, for a computer, a data file containing a characteristic. The characteristic is often built into a dedicated authentication device, for example a plastic card or a smart card. It is harder for an attacker to obtain such a device than to crack a password, and the subject can report immediately if the device is stolen. This makes the method more secure than the password mechanism, but the cost of such a system is higher.
- The inherence factor, something that is part of us, is biometrics. The characteristic is a physical trait of the subject: a face, a fingerprint or palm print, a voice or eye feature. From the subject's point of view this method is the simplest: there is no password to remember and no authentication device to carry. However, a biometric system must be sensitive enough to confirm an authorized user while rejecting an attacker with similar biometric parameters, and the cost of such a system is quite high. Despite these shortcomings, biometrics remains a rather promising factor.
Security
According to experts, multi-factor authentication dramatically reduces the likelihood of online identity theft, since knowing the victim's password alone is not enough to commit fraud. However, many multi-factor authentication approaches remain vulnerable to phishing, man-in-the-browser and man-in-the-middle attacks.
When choosing an authentication factor or method for a system, one should proceed first of all from the required degree of security, the cost of building the system, and the need to keep the subject mobile.
The following table gives a comparison:
| Risk level | System requirements | Authentication technology | Application examples |
|---|---|---|---|
| Low | Authentication is required to access the system, but theft, compromise or disclosure of confidential information would have no significant consequences | Recommended minimum: reusable passwords | Registration on an Internet portal |
| Medium | Authentication is required to access the system, and theft, compromise or disclosure of confidential information would cause minor damage | Recommended minimum: one-time passwords | Conducting banking transactions |
| High | Authentication is required to access the system, and theft, compromise or disclosure of confidential information would cause significant damage | Recommended minimum: multi-factor authentication | Conducting major interbank operations by management |
Two-Factor Authentication
Two-factor authentication, also known as two-step verification, is a type of multi-factor authentication. 2FA is a technology that identifies a user by a combination of two different components.
An example of two-factor authentication is signing in to Google or Microsoft. When a user logs in from a new device, in addition to password authentication they are asked to enter a six-digit (Google) or eight-digit (Microsoft) verification code. The user can receive it by SMS or by a voice call to their phone, take it from a pre-generated list of one-time backup codes, or have a new one-time password generated by an authenticator application, which produces a fresh code for each short time interval. The method is chosen in the settings of the Google or Microsoft account, respectively.
Advantages of two-factor authentication via a mobile device:
- No additional tokens are needed, because the mobile device is always at hand.
- The verification code changes constantly, which is safer than a single-factor login password.
Disadvantages of two-factor authentication via a mobile device:
- The mobile phone must have network coverage at the moment of authentication, otherwise the message with the password simply will not arrive.
- A mobile phone number must be provided, which may, for example, lead to spam in the future.
- Text messages (SMS) arriving on a mobile phone can be intercepted [1] [2].
- Text messages arrive with some delay, so authentication takes some time.
- Modern smartphones are used both for reading e-mail and for receiving SMS. As a rule, e-mail on a mobile phone is always signed in. Thus all accounts for which e-mail is the key (the first factor) and the mobile device (the second factor) are exposed together. Conclusion: a smartphone merges two factors into one.
Many large services, such as Microsoft, Google, Yandex, Dropbox and Facebook, already offer two-factor authentication. Moreover, a single authenticator application that follows the relevant standards, such as Google Authenticator, Microsoft Authenticator, Authy or FreeOTP, can be used with all of them.
Practical Implementation
Many products with multi-factor authentication require client software on the user's machine for the multi-factor system to work. Some vendors have created separate installation packages for network login, web access credentials and VPN connections. To use a token or smart card with such products, four or five separate software packages may have to be installed on the PC, each of which must be kept under version control and checked for conflicts with business applications. If access is provided through web pages, these overheads can be avoided. With other multi-factor authentication solutions, such as "virtual" tokens or some hardware tokens, no software needs to be installed by end users at all.
Multi-factor authentication is not standardized; there are many different implementations, and so interoperability is a problem. Many processes and aspects need to be considered when selecting, developing, testing, deploying and supporting a complete identity management system, including all relevant authentication mechanisms and related technologies; all of this was described by Brent Williams in the context of the "Identity Lifecycle" [1].
Multi-factor authentication has a number of disadvantages that hinder its adoption. In particular, it is difficult for a person unfamiliar with the field to keep up with the development of hardware tokens or USB keys. Many users cannot install certified client software on their own because they lack the technical skills. In general, multi-factor solutions require additional installation and maintenance costs. Many token-based hardware systems are proprietary, and some vendors charge a yearly fee per user. From a logistics point of view, distributing hardware tokens is difficult, since they can be damaged or lost, and token issuance in large organizations such as banks or other large enterprises must be regulated. Besides the cost of deploying multi-factor authentication, maintenance is also a significant expense. In 2008, Credit Union Journal, a major industry publication, surveyed more than 120 US credit unions to establish the maintenance costs associated with two-factor authentication. The survey found that software certification and toolbar access carry the highest cost.
See also
- Authentication
- Token
- Smart card
- HOTP / TOTP
Notes
- [1] NIST Prepares to Phase Out SMS-Based Login Security Codes. Time Is Running Out For This Popular Online Security Technique, Fortune (July 26, 2016). Retrieved August 13, 2016. "'Due to the risk that SMS messages may be intercepted or redirected, implementers of new systems should carefully consider alternative authenticators,' NIST."
- [2] Durov announced the involvement of the security services in the hacking of opposition activists' Telegram accounts. RosBusinessConsulting (May 2, 2016, 20:18). Retrieved May 11, 2017. "... on Friday night the MTS technical security department switched off SMS delivery for him (Oleg Kozlovsky), and then, 15 minutes later, someone using a Unix console and an IP address of one of the Tor anonymizer servers sent Telegram a request to authorize a new device with Kozlovsky's phone number. An SMS with a code was sent to him but not delivered, because the service had been disabled for him. The attacker then entered the authorization code and gained access to the activist's Telegram account. 'The main question is how the unknown persons obtained the code that was sent via SMS but not delivered. Unfortunately, I have only one version: through the SORM system or directly through the MTS technical security department (for example, on a call from the "competent authorities"),' the activist emphasized."
External links
- Eric Grosse, Mayank Upadhyay. Authentication at Scale. IEEE Security and Privacy, January/February 2013, IEEE Computer and Reliability Societies.
- DRAFT NIST Special Publication 800-63B. Digital Authentication Guideline. Authentication and Lifecycle Management. NIST, 2016.