pop
Newcomer I

another (perhaps easier) factor for MFA

Multi-factor authentication (MFA) is much stronger than simple passwords, and so now I was wondering how to add a geographical component as yet another factor. Yes, cloud-based systems make this a little harder, but the AWS and Azure servers are in a limited set of locations, but perhaps I want to limit any personal banking or emailing from my home town. If I am travelling, then I will set up a temporary account that will be used for that with less stringent checking.

 

Personally I have a static IP address at my house, so I should be able to really lock it down with this if warranted.

 

In weighting the ease of use vs. protection, is this worth pursuing?

 

7 Replies
Loki
Viewer

That works as long as the attack is not coming from inside the house. It would be better to have the factors more robustly separated.

scmunk
Newcomer II

I would at least take a look at the MS Authenticator app. It has several options and has the ability to keep multiple accounts. It also integrates with your phone's security mechanisms.

 

Ron Parker CISSP, CCSP

SCMunk

mspinrad
Viewer

In general we should be thinking about deploying Attribute Based Access Control (ABAC) which could include (typically) location, time of day and other attributes such as connection and device type. But is it really MFA if we don't include something about what you have or what you are in addition to password and other 'computer based' attributes?

scmunk
Newcomer II

We can't confuse assurance factors with factors used in authentication.

 

Location, browser, configuration, device type, and OS can all be used as factors to help determine the level of assurance during authentication. These can't be used as authentication factors. You also need to have different types of factors. In other words, it doesn't add much value to have memorized three passwords, or a password and two PINs. All of those count as something you know.

 

Assurance factors help us determine the level of certainty we have in the authentication being performed. If the assurance factors are all the same and the entity has supplied the proper credentials again it helps us say we are more certain this entity is who they say they are. 

 

That is why I mentioned the authenticator app. It requires you to have a registered phone and it uses a specialized application to transfer the authentication requests. It is an actual authentication factor.

 

So for multi-factor we are looking for something you know, have, or are. Having multiples of the same type can only increase assurance but it can't increase authenticity.

 

Ron Parker CISSP, CCSP

SCMunk
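
The distinction drawn in the reply above, between authentication factors and assurance attributes, sketched as an added example that is not part of the original thread. The authenticator names, the sample addresses and the step-up policy are assumptions made for illustration.

```python
import ipaddress

# Hypothetical authenticator names mapped to the thread's three categories.
FACTOR_CATEGORY = {
    "password": "know", "pin": "know",
    "authenticator_app": "have", "hardware_token": "have",
    "fingerprint": "are",
}

# Constructed sample: a home static address from a documentation range.
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.10/32")]


def distinct_factors(presented):
    """Return the set of categories, so three passwords still count once."""
    return {FACTOR_CATEGORY[p] for p in presented if p in FACTOR_CATEGORY}


def assurance_signals(source_ip, device_known):
    """Context attributes adjust confidence; they are never counted as factors."""
    try:
        addr = ipaddress.ip_address(source_ip)
        trusted = any(addr in net for net in TRUSTED_NETWORKS)
    except ValueError:
        trusted = False  # unparsable address is treated as an unknown location
    return {"trusted_location": trusted, "known_device": bool(device_known)}


def decide(presented, source_ip, device_known):
    """Return 'allow', 'step_up' or 'deny' for one login attempt (assumed policy)."""
    factors = distinct_factors(presented)
    signals = assurance_signals(source_ip, device_known)
    if not factors:
        return "deny"
    if len(factors) < 2:
        # A familiar location or device cannot stand in for a second category.
        return "step_up"
    # Two real factors, but an unfamiliar context still triggers re-verification.
    return "allow" if all(signals.values()) else "step_up"


if __name__ == "__main__":
    print(decide(["password", "pin"], "203.0.113.10", True))                # step_up
    print(decide(["password", "authenticator_app"], "203.0.113.10", True))  # allow
    print(decide(["password", "authenticator_app"], "198.51.100.7", True))  # step_up
```
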

pop
Newcomer I

Here are the three present factors:

  • (1) Something you know.
  • (2) Something you have
  • (3) Something you are

 

I am just suggesting to augment this with the orthogonal vector:

  • Somewhere you are.

 

It is not impossible, but not likely that I will get hacked from inside my LAN.  While spoofing can occur, it seems to be another layer of security against that multi-layer knife the hackers are using.

 

 

TonyDS
Newcomer II

I see that both Device and Location are in use by LastPass as "2nd Factors".

 

When I log in from a new device in my home town, or if I take my laptop abroad, I get the message..

 

"Someone, hopefully you, recently tried to login to your LastPass account from a device or location that we don't recognize."

 

I then have to verify the access request via e-mail.

 

Location is so easy to modify by using a VPN that I cannot consider it a serious 2nd factor on its own.

 

Device identification (via a cookie, downloaded token, authenticator app) seems more solid though.

 

However, in this example, unless you have 2FA for your e-mail account, you're back to square one!

 

 

 

Afpjr
Viewer II

IP-based restrictions should not be considered another factor, imho, as anyone can have them (including spoofing scenarios), everyone knows them, and nobody is one. 🙂

Check out the promising “Pixie” concept here: https://arxiv.org/pdf/1710.07727.pdf

Not commercially ready for prime time, but now that mobile cameras are ubiquitous, I believe it could gain traction fast.

—Andy Powell, CISSP