Multi-Factor Authentication (MFA) – Blog Series – Part #01
Passwords are often the only measure needed to access an important account or service. But this does not provide sufficient security. Recent statistics show that 65% of people still use the same password or a variation of a single password for many or all of their accounts and 45% do not change it even after a breach has occurred . It is therefore not surprising that over 70% of all breaches are caused by inadequate passwords, such as reused or weak passwords . Multi-factor authentication (MFA) is intended to mitigate these shortcomings.
What Is MFA and What Is It Used For?
When using multi-factor authentication (MFA) a user needs to provide at least two factors to authenticate to a service. These factors need to be from different classes of factors. In total there are three classes of factors:
- Knowledge: something the user knows, e.g., a password.
- Possession: something the user possesses, e.g., an email account, mobile phone, or a security token.
- Inherence: something biometrical, e.g., a fingerprint, voice or eye iris, or something behavioral, e.g., mouse movement patterns or keystroke dynamics.
The combination of different classes of factors is intended to mitigate possible deficiencies in a single factor. The great gain in security when using multiple factors from different classes can be illustrated, for example, by the combination of a password (knowledge factor) and a security token (possession factor) as the second factor. In this case, it is no longer sufficient for an attacker to find out the potentially weak password of a victim. In addition, the attacker needs physical access to the security token to access the victim’s account.
Which Possession Factors Are There?
In online authentication, passwords are usually the first and only factor required. To increase security, many websites now offer several second factors, which are usually possession factors. There are several common possession factors and often users can choose between two or more as an additional factor to a password or PIN code. In the following, we will briefly discuss the most common types and compare them in terms of security, usability, and privacy afterwards.
- Email: A (in the best case) randomly generated code is sent to the email address of the user. The user must enter the code during the authentication. Sometimes a link is sent instead. This link contains the code and must be invoked by the user.
- SMS: Similar to email, a (in the best case) randomly generated code is sent to the phone number of the user. The user must enter the code during the authentication.
- Push notification: The user must install an app on their device. The app sends push notifications which allow the user to confirm or reject authentication requests using two different buttons.
- TOTP (software/physical): An app or even a browser extension or a computer program generates a numerical code locally, which is valid for a short period of time (usually 30 seconds). For this generation, a shared secret is used. The service provider also possesses the secret and is able to generate the same code for verification. Instead of software for TOTP generation a hardware-based TOTP generator can also be used.
- FIDO2 (software/physical): In short, FIDO relies on asymmetric cryptography. A private key is generated locally for each service, from which a public key is derived and sent to the service. The local key generation and storage can be done by a FIDO2-compatible token (physical) or by the operating system itself (software). These tokens are usually USB devices, which can have integrated additional features, such as a fingerprint sensor or NFC.
Very Good: FIDO2 (software) and FIDO2 (physical) factors are based on the FIDO2 specifications . These consist of the two specifications Web Authentication (WebAuthn) and Client-to-Authenticator Protocol (CTAP). When creating these protocols, security was an important main point, which is also evident in practice.
Good: TOTP (software) and TOTP (physical) both have reasonably good phishing security due to the usually very short validity of the generated codes. However, a major disadvantage is that both the user and the service are in possession of the same shared secret. In case of a compromise of the shared secrets at the service provider, the attacker can use the shared secret himself in a TOTP app to generate valid codes and access the victim’s account.
Mediocre: Push notification has two serious disadvantages. On the one hand, it is possible that a user accidentally confirms (or rejects) a request, although they intended to click on the opposite action. Secondly, so-called “MFA fatigue” attacks have recently been responsible for several major breaches. In these attacks, a victim is spammed with push notifications until they confirm one out of fatigue, so that the notifications stop. One confirmed second factor request is sufficient for an attacker to access the victim’s account.
Bad: Both email and SMS have serious weaknesses. Both use an insecure transmission protocol that does not use end-to-end encryption (E2EE). This means that an attacker who is on the same network as the sender or the recipient can read the messages and thus obtain the code. Moreover, the messages may, for example, be stored by network logging and leaked from there. Furthermore, both are susceptible to the "use-after-free" problem. In other words, if a victim changes their cell phone number or email account, these are again freely available to others. An attacker can then use them to read the codes unless the victim has updated their mobile number or email address for the MFA. In the case of SMS, “SIM swapping” attacks are often used by attackers to get access to the victim’s SMS and the OTPs. Emails have the problem that often only a password is used to protect the email account itself.
|Phishing||Attacks From Afar||Leak by Service|
|TOTP (software)||Short validity of 30 seconds||Dependent on implementation, may have weaknesses||Shared secret|
|TOTP (physical)||Short validity of 30 seconds||Shared secret|
|PushTAN Apps||Misclick possible or spamming||Dependent on implementation, may have weaknesses||Dependent on implementation|
|Often has a long validity||“Use-after-Free”, email authentication often protected only by a password, weak transmission protocol, accessible by email provider||Code must be randomly generated|
|SMS||Often has a long validity||“Use-after-Free”, SIM-swapping, malicious apps, weak transmission protocol, accessible by mobile operator||Code must be randomly generated|
Very Good: FIDO2 (software), TOTP (software) and Email are all easy to use with no significant drawbacks.
Good: FIDO2 (physical) has the disadvantage that a physical token must be carried. The same applies to TOTP (physical) with the physical generator. However, it is possible to place different physical tokens at several locations. SMS has the usability problems that SMS reception is not available in all situations (e.g., inside of a building).
Mediocre: Push notifications have the problem that they can only be used for a single service. As a result, the number of necessary individual factors increases linearly with the number of services used. The fact that a new app has to be installed for every single service might be a barrier for users. Furthermore, there is a risk that a request is either accepted or rejected by mistake, although the user intended to execute the opposite action.
|Support for multiple services||Usage||Initial Cost|
|FIDO2 (physical)||Yes||Physical token must be carried along||One or few token|
|TOTP (physical)||Yes||Physical generator must be carried along||One or few generators|
|PushTAN Apps||No, one per service||New app must be installed for each service, misclicks are possible||None|
|SMS||Yes||Mobile reception not always given (e.g., inside buildings)||None|
Very Good: FIDO2 (software), FIDO2 (physical), TOTP (software), and TOTP (physical) all do not disclose any information about the user to the service or third parties.
Good: Push notifications are usually proprietary apps installed on the user’s personal device and often contain extensive tracking options, which, for example, achieve identification via the device identification number.
Mediocre: Both email and SMS have the problem that they use a potentially insecure protocol for data transmission. Likewise, both email addresses and phone numbers are linkable across services. The email provider, mobile operator, and SMS provider of the service can see which services the user is using with SMS or email MFA.
|FIDO2 (software)||Public key differs from service to service to which user logs in|
|FIDO2 (physical)||Public key differs from service to service to which user logs in|
|TOTP (software)||Many open source TOTP apps, no internet connection required, service only receives TOTP|
|TOTP (physical)||No internet connection required, service only receives TOTP|
|PushTAN Apps||Often proprietary with extensive tracking options|
|Linkability, login metadata (time, service) visible for email provider|
|SMS||Linkability, telephone number disclosure, login metadata (time, service) visible for mobile operator|
When the most common possession factors are compared in terms of security, usability, and privacy, there are factors that are clearly superior to the others. FIDO2-based and TOTP-based factors can be recommended almost without reservation, while email, SMS, and Push notification have several weaknesses. Of course, there can be various subjective criteria as to which factor is the “best”. Since FIDO2 could achieve the highest score in our comparison and an increasing number of services support it, we will go into more detail on FIDO2 in a future blog post.
Overall comparison of the most common possession factors. (Figure 1)
Our Experts Develop the Optimal Solution for You
Authentication – FIDO2 – Single Sign-On
Are you faced with the decision of how to best implement authentication? Or are you already using OAuth and wondering if your implementation is secure?
We will be glad to advise you; contact us for a no-obligation initial consultation. Thus, we are at your side with the following services and solutions:
Threat Analysis | Training | Penetration Tests
Don't hesitate and find your way to secure authentication with us. We look forward to supporting you with your projects.
Your Contact for Authentication and Single Sign-On
Dr. Christian Mainka