2FA

Published

February 5, 2024

Previously

  • Passwords

Today

  • 2FA

Passwords

Why are passwords hard?

  • Passwords are required to be random
    • Humans can’t choose random things
  • Passwords are required to be long and complex
    • Humans can’t remember long and complex things
  • Passwords are supposed to be kept secret
    • Humans are bad at storing sensitive information
  • Passwords must be stored securely by the service
    • Companies are also bad at storing sensitive information

Why do we still have passwords?

  • Historically established, familiar
  • Easy to explain
  • Easy to replace
  • Easy to share
  • Easy to implement
    • Provider-independent

What could we use instead of passwords?

  • biometrics
  • passkeys
  • graphical passwords
  • OTP / verification codes
    • phone
    • email
    • app
  • push

Password replacement proposals

  • Graphical
  • Cognitive
  • Visual cryptography

Authentication strategies

  • Something you know
  • Something you have
  • Something you are

Authentication examples

  • Something you know
    • Passwords, secret questions
  • Something you have
    • Smart cards, hardware tokens, passkeys
  • Something you are
    • Biometrics

Multifactor authentication

  • Combine multiple (less-secure) implementations
  • Defense in depth

MFA downside

  • Multiple authenticators take longer
  • ⇒ Risk-based authentication

MFA strategies

  • Something you know
    • Secret questions
  • Something you have
    • SMS, app, hardware tokens, FIDO authenticator
  • Something you are
    • Biometrics

Summarizing pros and cons of authenticators

SMS

+

  • easy to use
  • low implementation cost
    • * there may still be challenges and costs

−

  • out of cell service
  • social engineering (smishing)
  • phone numbers can be hijacked
    • socially
    • technically
  • messages not encrypted in transit

TOTP

+

  • generated on-device
    • can’t be hijacked in transit
      • more secure
    • works offline
  • shorter lifespan

−

  • there’s a setup phase
  • issues due to synchronizing time
  • need the device, need the app
    • ⇒ if you lose it, you’re hosed

Codes

+

  • longer so harder to brute force
  • hashable ⇒ more secure

−

  • user is responsible for storing backup codes
  • long-lived, so potentially brute-forceable

Push

+

  • limited chance of user error
  • low learning curve
  • faster ⇒ more usable
  • keys hidden from user

−

  • need to have device
  • need secure connection
  • push implementations are proprietary

U2F security keys

+