Feb 1 2024

Not all MFA is the same

The NIST 800-53 guideline [1] defines multi-factor authentication (MFA) as:

Multi-factor authentication requires the use of two or more different factors to achieve authentication. The authentication actors are defined as follows: something you know (e.g., a personal identification number [PIN]), something you have (e.g., a physical authentication such as a cryptographic private key), or something you are (e.g., a bio-metric).

Sites seem to be scrambling to implement MFA schemes. I suspect it is because the average user is bad at using a password that is both sufficiently complex and unique to the site. As such, credential stuffing attacks [2] are rampant and sadly effective, varying from a nuisance to large-scale breaches” such as those seen with 23andme.com [3].

It’s nice to see site owners adding, or even requiring, users to add MFA to their secure their accounts, but not all MFA schemes have the same level of effectiveness.

Bad

Two examples of bad anti-patterns I’ve seen are:

  1. A bank asking for a username and password, then asking a question like what’s the model of your first car” and calling that a second factor of authentication. While they did ask a second authentication prompt, it’s not an additional authentication factor. The additional authentication prompt must address an additional authentication factor than the other prompt. So if the first prompt is for something you know (a password) the second must be either something you have (a mobile device, a hardware key, etc.) or something you are (FaceID, fingerprint, etc.)
  2. This one is a little more subtle - an online store asked for a username and password, then asked me for a code that it sent to my email. One interpretation is that the code sent to the email is something I have,” because the mechanism is verifying the possession and control of an email account and therefore is an additional factor of authentication. However, I would argue that an email account is not an additional factor of authentication because that same email account is the reset mechanism for the password for the website. Therefore if the user’s email is compromised, the whole system is moot because the second factor of authentication is sent to the same compromised channel. This situation is better than no additional verification (no code sent to email), because it prevents a basic credential stuffing attack, but would not prevent account compromise due to a stolen computer or phone. So it may or may not technically be a second factor,” but no matter what you believe, it’s an inferior choice, from a security perspective.

Better

These options are alright. Certain attacks like SIM swapping [4] and MFA fatigue attacks [5] can pose a risk.

  1. Push notification - it’s fine, but if the app that’s emitting the notification isn’t locked down then it’s only marginally better than an SMS code.
  2. SMS code - yes I know it’s not great, but still better than the examples in the previous section.

Best

These options are mostly phishing resistant and completely MFA fatigue attack resistant.

  1. A hardware token, like a Yubikey [6].
  2. A bio-metric like FaceID [7].
  3. A rotating TOTP code [8].
  1. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf
  2. https://owasp.org/www-community/attacks/Credential_stuffing
  3. https://techcrunch.com/2023/12/04/23andme-confirms-hackers-stole-ancestry-data-on-6-9-million-users/
  4. https://en.wikipedia.org/wiki/SIM_swap_scam
  5. https://www.bleepingcomputer.com/news/security/mfa-fatigue-hackers-new-favorite-tactic-in-high-profile-breaches/
  6. https://www.yubico.com/
  7. https://support.apple.com/en-us/HT208109
  8. https://www.twilio.com/docs/glossary/totp