As I've been saying throughout this series of posts, this statement describes exactly what we are doing in the world of authentication! None of the typical authentication factors has really solved our authentication and access problems, yet we continue to use the same mechanisms over and over again.
problems + problems = problems
For example, classic 2-factor authentication combines a password, something you know, with a fob or token, something you have. The user first enters their userid and password; if those are correct, they are prompted to type in the time- or sequence-dependent PIN (a one-time code, time-based or counter-based) from their token. The idea is fine... if someone steals the password, they can't get in without the token, and if the token is lost, it can't be used on its own.
There's just one problem here (well, there are a bunch of problems, but one cause for all of them)... this system has to be used by a person. Many users will store their token with the system it's used with, i.e. in their laptop bag or on their desk. Yes, some people do put their fob on their badge lanyard (badges, we don't need no steenkin' badges!), but I've seen plenty of badges left on desks or put in laptop bags as well! Some people treat the "safety" the fob provides as permission to choose a weak password. Yes, you can put policies in place to prevent that, but then the password will be written down and stored... in the laptop bag.
Now, there are some advantages. The fob, the thing you have, supplies a one-time code, which is one less secret to memorize. Combining authentication factors does, at least in theory, strengthen the overall authentication process. But it's important to recognize that all the deficiencies we've discussed are still there. MFA is no panacea!
The key here is to use the right tools for the job. Know your user and know your use case. I'll expand on that next time.