Security notes / Multi-Factor Authentication: Difference between revisions
Jump to navigation
Jump to search
m (Removed redirect to Multi-Factor Authentication) Tag: Removed redirect |
mNo edit summary |
||
| Line 1: | Line 1: | ||
{{SecurityRelated}} | {{SecurityRelated}} | ||
===On multi-factor authentication=== | |||
{{stub}} | |||
<!-- | |||
In a nutshell, MFA means you need more than one thing to get you in. | |||
: If something found out your password, it doesn't get them in. | |||
: If someone stole your bank-issued gadget, it doesn't get them in. | |||
If you need both that bank gadget and a PIN only you know? | |||
It becomes very easy to lock someone out of a bank. | |||
If you need both the password and clicking okay on your phone? | |||
It becomes very easy to prevent online brute force attacks. | |||
Security nerds can get very technical about | |||
how to organize it, | |||
how to actually implement that, | |||
how to ensure fewer points of potential snooping, | |||
and much more. | |||
And yes, it still needs to be done right. | |||
But frankly, most of these details don't matter to everyday users. | |||
Using 2FA at all goes a long way, to making the more important things harder to get into. | |||
MFA is usually 2FA, because two different things is usually good enough, | |||
and more quickly gets ''very'' tedious, which means people won't want to use it at all. | |||
So in a ''lot'' of situations, you can read MFA as 2FA. | |||
"Wait, doesn't that mean "reset password via mail' defeats 2FA?" | |||
If your mail is not 2FA protected itself? | |||
Yes, in the sense that it is the most fragile part of your personal security, | |||
and since this is where we are moving, your email address may be the most important thing to 2FA ''first''. | |||
'''More technically put''' | |||
'''Multi-factor authentication''' (MFA) a.k.a. '''N-factor authentication''' | |||
means you need to provide multiple things as proof of identity. | |||
Typically meaning 2-factor (a.k.a. 2FA) because more than two is tedious. | |||
Two factors then are usually "something you have, and something you know", | |||
because for most uses, that's strong enough, and more is deemed too much bother for too little extra security. | |||
A '''"something you know"''' is often a password. | |||
Upsides: | |||
: cannot be given without you knowing - just not telling it to other people goes a long way | |||
However, downsides include | |||
: brute-forceability | |||
: someone can duplicate by overhearing it - it is reusable indefinitely (no [[forward security]]) | |||
: that you cannot easily know it has been compromised | |||
: [http://news.bbc.co.uk/2/hi/technology/3639679.stm easily be traded for chocolate]). | |||
A '''"something you have"''' has more varied forms, including | |||
* a [[smart card]] (often to contain a key) | |||
* your phone ('type the code we're about to SMS to you') | |||
* your private key (e.g. in SSH) | |||
* online banking systems - details vary, but many involve a physical thing | |||
Upsides: | |||
* requires more effort to steal - if someone has to physically travel to where you are, that removes all 'random attempts on the internet' worries. Someone would have to specifically targeting you, ''and'' be interested enough to put in the effort. | |||
* optionally, it is also noticeable - if someone has to e.g. steal a hardware token, you will notice the next time you try to use it | |||
and can take appropriate action. | |||
Downsides: | |||
* you may not notice it being stolen for some time while | |||
* doesn't protect against physical attacks | |||
Part of the point is that one factor reduces the downsides of the others. For example, | |||
* a 'something you have' factor means someone cannot start brute forcing a password without having that thing. | |||
* a 'something you have' factor means overhearing the password doesn't get you in | |||
2-factor auth is often explained in response against passwords. | |||
You can argue against passwords, for example that: | |||
* if password guessing gets easier and faster, we have to choose ever more complex passwords - this is impractical | |||
* password guessing on password hashes has gotten easier as computers have gotten faster | |||
* password guessing is sometimes easy on networked systems since you can do so without much limit (things like exponential backoff are pretty effective, but not always implemented, per-user means you may lock the user out, per-IP means that distributed attacks can get a whole bunch of attempts) | |||
Upsides: | |||
* a weak password in a two-factor system is less of a problem, in that an attacker needs the other factors, and often needs them ''first''. | |||
* weakness in one factor (e.g. even a password on a sticky note) is less serious when you keep the factors separated | |||
: ...though the sticky note basically removes a factor. | |||
Downsides: | |||
* can be a lot of bother to use | |||
: What you may well ''expect'' of your banking system would be a pain for your laptop. | |||
* may give a false sense of security | |||
** not all systems we well designed (e.g. against man-in-the-middling) | |||
** weakness in one factor can effectively remove a factor | |||
Depends: | |||
* should implement revocation, in response to theft of the thing you have | |||
'''On "something your computer knows"''' | |||
So, critically speaking, that's not strictly either. | |||
I may know the passwords too, but the point was always that they were in my head ''only''. | |||
Meaning, among other things, that they cannot be extracted without me knowing. | |||
If my browser knows my passwords, that is no longer true. | |||
Because anyone who sits down can use everything, without having to know everything. | |||
That is technically still something I have, in that only someone sitting in my chair gets this. | |||
But this is effectively one-factor, where (when syncing) some cases of having any one of my devices is enough. | |||
If my phone syncs my browser passwords, and a website does 2FA with my phone, then my phone is both of these two factors, which defeats the point. | |||
A good and separate password manager is at least in theory something that ''acts'' as if it is separated (like a smart card), | |||
in that when locked, it is encrpyted data that is meaningless without an external factor (master password, or authenticator). | |||
Browser auth tends not to do this. It works as long as it's running, which is always. | |||
'''On biometrics''' | |||
Even without addressing the ability to fake, most biometrics are, in isolation, not unique distinguishing enough. | |||
As such, they cannot be proof of identity, i.e. they cannot be authentication. | |||
They may well be useful as an added factor, ''not'' because it's identifying, | |||
but because it's useful to filter attempts, and may act as a deterrent. | |||
--> | |||
Revision as of 18:18, 27 February 2024
| Security related stuff.
Securing services
Unsorted - · Anonymization notes · website security notes · integrated security hardware · Glossary · unsorted |
On multi-factor authentication
✎ This article/section is a stub — some half-sorted notes, not necessarily checked, not necessarily correct. Feel free to ignore, or tell me about it.