Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
pop
Newcomer I
‎10-30-2017 01:41 PM
‎10-30-2017 01:41 PM

another (perhaps easier) factor for MFA

Multi-factor authentication (MFA) is much stronger than simple passwords, and so now I was wondering how to add a geographical component as yet another factor. Yes, cloud based systems make this a little harder, but the AWS and Azure servers are in a limited set of locations, but perhaps I want to limit any personal banking or emailing from my home town. If I am travelling, then I will set up a temporary account that will be used for that with less stringent checking.

 

Personally I have a static IP address at my house, so I should be able to really lock it down with this if warranted.

 

In weighting the ease of use vs. protection, is this worth pursuing?

 

Reply
0 Kudos
7 Replies
Loki
Viewer
‎10-30-2017 02:23 PM
‎10-30-2017 02:23 PM

That works as long as the attack is not coming from inside the house. It would be better to have the factors more robustly separated.

Reply
0 Kudos
scmunk
Newcomer II
‎10-30-2017 02:41 PM
‎10-30-2017 02:41 PM

I would at least take a look at the MS Authenticator app. It has several options and has the ability to keep multiple accounts. It also integrates with your phones security mechanisms.

 

Ron Parker CISSP, CCSP

SCMunk

Reply
0 Kudos
mspinrad
Viewer
‎10-30-2017 02:49 PM
‎10-30-2017 02:49 PM

In general we should be thinking about deploying Attribute Based Access Control (ABAC) which could include (typically) location, time of day and other attributes such as connection and device type. But is it really MFA if we don't include something about what you have or what you are in addition to password and other 'computer based' attributes'?

Reply
0 Kudos
scmunk
Newcomer II
‎10-30-2017 03:00 PM
‎10-30-2017 03:00 PM

We can't confuse assurance factors with factors used in authentication.

 

Location, browser, configuration, device type, and OS can all be used as factors to help determine the level of assurance during authentication. These can't be used as authentication factors. You also need to have different types of factors. in other words it doesn't add much value to have memorized three passwords, or a password and two pins. All of those count as something you know.

 

Assurance factors help us determine the level of certainty we have in the authentication being performed. If the assurance factors are all the same and the entity has supplied the proper credentials again it helps us say we are more certain this entity is who they say they are. 

 

That is why I mentioned the authenticator app. It requires you to have a registered phone and it uses a specialized application to transfer the authentication requests. It is an actual authentication factor.

 

So for multi-factor we are looking for something you know, have, or are. Having multiples of the same type can only increase assurance but it can't increase authenticity.

 

Ron Parker CISSP, CCSP

SCMunk

Reply
pop
Newcomer I
‎10-30-2017 03:42 PM
‎10-30-2017 03:42 PM

Here are the three present factors:

  • (1) Something you know.
  • (2) Something you have
  • (3) Something you are

 

I am just suggesting to augment this with the orthogonal vector:

  • Somewhere you are.

 

It is not impossible, but not likely that I will get hacked from inside my LAN.  While spoofing can occur, it seems to be another layer of security against that multi-layer knife the hackers are using.

 

 

Reply
0 Kudos
TonyDS
Newcomer II
‎10-30-2017 04:40 PM
‎10-30-2017 04:40 PM

I see that both Device and Location in use by LastPass as "2nd Factors".

 

When I log in from a new device in my home town, or if I take my laptop abroad, I get the message..

 

"Someone, hopefully you, recently tried to login to your LastPass account from a device or location that we dont recognize."

 

I then have to verify the access request via via e-mail.

 

Location is easy to modify by using a VPN that I cannot consider it a serious 2nd factor on its own.

 

Device identification, (via a cookie, downloaded token, authentcator app), seems more solid though.

 

However, in this example, unless you have 2FA for your e-mail account, you're back to square one!

 

 

 

Reply
0 Kudos
Afpjr
Viewer II
‎10-30-2017 10:16 PM
‎10-30-2017 10:16 PM

IP-based restrictions should not be considered another factor, imho, as anyone can have them (including spoofing scenarios), everyone knows them, and nobody is one. 🙂

Check out the promising “Pixie” concept here: https://arxiv.org/pdf/1710.07727.pdf

Not commercially ready for prime time, but now that mobile cameras are ubiquitous, I believe it could gain traction fast.

—Andy Powell, CISSP
Reply
0 Kudos