Good day all,
I have a question and I'm seeking expert advice. My company operates a B2B website with our clients connecting to us via private networks. We have no public internet exposure. Since we opened our doors we have been authenticating users in two ways: username/password and also via an IP check. So the user can know the username/password, but if they are trying to login from an IP that is not attached to their account, they get denied. We have always considered this dual factor authentication, which is a stretch of the actual definition.
There is now an effort underway to do away with IP checking but still keep dual factor authentication. The suggestion is to do something like a bank does where you login with your username/password and then your bank sends you either an email or text message with a code that you have to enter in order to access your account.
Question: Is that considered two factor authentication?
Second part: The business also wants to adopt this model for authenticating users: The first time you reach our site you will have to enter your username and password, and then receive your text message/email with your code. Once logged in, we want to store a cookie in your browser that we can check so the next time you visit our site, we recognize you and all you have to do is enter your username/password.
Question number 2: If we implement that technology can we consider recognizing our own cookie as a legitimate authentication factor?
Thanks in advance!
- Mike R
Great question! The traditional definition of a factor is something you know, something you have, or something you are. Network authentication is a useful tool, and adaptive MFA is also useful for improving the user acceptance when certain client thumbprints are unchanged. For an authoritative answer on that, you have choices.
NIST
https://pages.nist.gov/800-63-3/
FFIEC
https://www.ffiec.gov/pdf/authentication_faq.pdf
PCI
https://www.pcisecuritystandards.org/pdfs/Multi-Factor-Authentication-Guidance-v1.pdf
EBA / ECB
Now if you're asking for whether a particular tradeoff decision is sufficient to mitigate risk, or minimize residual risk, that's an expert assessment based upon risk and anticipated threats, rather than assessment for conformance. Jae-Jung Kim and Seng-Phil Hong put together an interesting paper on that:
http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.454.7936&rep=rep1&type=pdf
A somewhat more plain-English answer is in a slide deck David Walker et al. put together for Internet2:
https://meetings.internet2.edu/media/medialibrary/2014/04/16/20140408-walker-multifactorauth.pdf
Hope that gets you closer to your answer.
Hi Mike,
I would absolutely agree that IP checking is an insufficient compensating control for authentication attacks. IP address spoofing has long been in the toolkit of even the least capable threat actors.
"Is this really multi-factor authentication?" is a very important question. It will become more important, in the future, for compliance purposes. The reason is simple. Up until now, frameworks and regulation authorities have been a little "vague" about what exactly constitutes MFA.
However, frameworks and regulators will start getting more stringent with the definition of what "compliance" will involve. i.e. 2 factor vs 1.5 factor approach.
1.5 factor is a term that has been coined for authentication mechanisms that do not complement each other from a security standpoint. Normally, this means that they are too similar or might be vulnerable to the same type of attack.
B2B organisations often approach your problem with something you haven't mentioned in your post: SAML. This is a great approach for secure web-based authentication. However, it does assume that all of your business partners also have SAML capabilities. That may not be the case; particularly for small businesses and those with a modest IT budget or limited in-house technical expertise.
If your use case dictates that you go with the traditional MFA authentication model... then I would recommend that you consider balancing the following:
- favourable user experience
- 2 mutually exclusive factors out of something you have/are/know
- total cost of ownership
- difficulty of maintenance
- capabilities of partner organisations
This should ensure that you achieve effective security and operational efficiency.
Finally, on to your question about cookies. I believe this would be an inherently flawed approach. I would argue that cookies would not constitute an authentication factor at all. However, if we ignore this fact then both passwords and cookies would still be too similar to provide effective security.
By that, I mean that they are both essentially browser state data and therefore would provide 1.5 factor authentication at best.
I hope this info helps you to make an informed decision.
Regards,
Stephen
Hi,
A small addition to all the great responses already given.
When selecting a second-factor method, using Time-based one-time passwords (TOTP) should be preferable over email or SMS as TOTP is more secure. However, ease of use will depend on the user’s access to a Smart device with an Authenticator App like Google Authenticator or LastPass Authenticator etc. installed.
DALX makes a couple of great points. TOTP is more secure than HOTP because OTPs change at regular intervals. Also, for those bound by regulatory standards it should be noted that SMS is becoming less favoured. In future it is likely that many regulators, and standards bodies, will recommend deprecating the use of SMS as an authentication factor. This is because calls and SMS messages are all too easily intercepted.