2FA
Previously
- Passwords
Today
- 2FA
Passwords
Why are passwords hard?
- Passwords are required to be random
- Humans can’t choose random things
- Passwords are required to be long and complex
- Humans can’t remember long and complex things
- Passwords are supposed to be kept secret
- Humans are bad at storing sensitive information
- Passwords must be stored securely by the service
- Companies are also bad at storing sensitive information
Why do we still have passwords?
- Historically established, familiar
- Easy to explain
- Easy to replace
- Easy to share
- Easy to implement
- Provider-independent
What could we use instead of passwords?
- biometrics
- passkeys
- graphical passwords
- OTP / verification codes
  - phone
  - app
  - push
Password replacement proposals
- Graphical
- Cognitive
- Visual cryptography
Authentication strategies
- Something you know
- Something you have
- Something you are
Authentication examples
- Something you know
  - Passwords, secret questions
- Something you have
  - Smart cards, hardware tokens, passkeys
- Something you are
  - Biometrics
Multifactor authentication
- Combine multiple (less-secure) implementations
- Defense in depth
MFA downside
- Multiple authenticators take longer
- ⇒ risk-based authentication
MFA strategies
- Something you know
  - Secret questions
- Something you have
  - SMS, app, hardware tokens, FIDO authenticator
- Something you are
  - Biometrics
Summarizing pros and cons of authenticators
SMS
+
- easy to use
- low implementation cost
- (* though there may still be challenges and costs)
–
- fails when out of cell service
- social engineering (smishing)
- phone numbers can be hijacked
  - socially
  - technically
- messages not encrypted in transit
TOTP
+
- generated on-device
- can’t be hijacked in transit
- more secure than SMS
- works offline
- shorter lifespan
–
- there’s a setup phase
- issues due to synchronizing time
- need the device, need the app
- ⇒ if you lose it, you’re hosed
Codes
+
- longer so harder to brute force
- can be stored hashed on the server ⇒ more secure
–
- user is responsible for storing backup codes
- long-lived, so potentially brute-forceable
Push
+
- limited chance of user error
- low learning curve
- faster ⇒ more usable
- keys hidden from user
–
- need to have device
- need secure connection
- push implementations are proprietary
U2F security keys
+
- ✐
–
- ✐