Hi Security experts,
Need your opinion about an MFA debate...
We all know that MFA is more than 1 factor for authentication. The factors could be:
1. Sth you know (like a secret etc.)
2. Sth you have (like a token or mobile phone on which you receive a code)
3. Sth. you are (biometrics)
I seem to be unable to classify as MFA a scenario where one uses a username/password and receives a code on their email to log on to a system. I just dont see the "sth you have" component here - realizing that you do not need to have something to access your email as it is being a cloud service - in this case in order to access the system all you need is to know 2 things: 1) - your username/password and 2) - your email password to get the code - so no other component like something you have. I keep seeing this scenario classified as MFA authentication although there is no actually a different factor than the sth u know.
What do you think? That makes sense?
In the case where this code is sent to a phone, the phone is the something you have.
If it's being sent to an email address where it could only be collected from a specific device like a corporate laptop, then the laptop becomes the something you have.
If the email can be collected from any device with a web browser with no further unique identifying attributes required (e.g. a client side certificate used as the something you have) other than the email account credentials then strictly speaking that is not multi-factor authentication.
If the email credentials are the same as the first set of credentials then this is a largely pointless exercise!
However, I would say before writing this authentication system off for not being MFA, you need to look at its efficacy and understand how that compares to some true MFA systems, and then evaluate it against what you are trying to protect and from whom.
As we know, some forms of MFA are better than others. For example we know codes sent to phones via SMS can be hijacked. However, it takes some effort to hijack SMS codes, but we know that typically we're only looking to deter opportunists through the use of this MFA method rather than determined attackers who are specifically targeting us, hence it has been deemed good enough in the places it's been deployed.
Therefore, effectively having 2 sets of credentials required to access something (as long as they are different from each other) might be good enough based on what you're trying to protect and considering who you're trying to protect it from, even though it's not correct to call it MFA.
Yes, may providers either offer or require you to use an OTP, but --- the way I see it --- that doesn't count as MFA if the OTP gets sent to an email address, unless the email itself is only accessible on a specific device you have. (A hardware / software token, or OTP sent to a registered number would meet the requirements)
Then again, it's better than systems that simply accept a password. But like @AlecTrevelyan said, it's of no use if a person uses the same password for a service AND email address --- to analogize, it would be akin to lengthening a corridor rather than strengthening the door.
Ideally, authentication should depend on access requirements. For example, with most bank sites, you login with a set of credentials + an OTP that gets sent to your registered number (MFA), and once logged in, while you can avail of some services, others may require that you re-authenticate.
One of the banks I've got an account with takes it further, providing 2 passwords, with MFA. The 1st suffices for stuff like checking your balance and downloading statements, but to make transactions, modify contact info or change security settings, you have to use the 2nd password --- and should you forget that, a personal visit to the bank is needed.
Keep in mind that (in the USA) the use of SMS to deliver a one-time password/PIN has been depreciated. Yes, it's still used by some financial institutions, but the FFIEC has written:
"SMS technology presents a number of security-related risks. SMS messages typically are transmitted unencrypted over widely used telecommunications networks. The messages are also vulnerable to spoofing, which allows an unauthorized user to send an SMS message pretending to be from a different mobile number to mislead a customer into providing sensitive information to the unauthorized user. Similarly, fraudulent SMS messages may mislead customers into revealing financial institution account information or information used to access financial institution systems."
It depends who you ask. Sending an OTP or link to an email address isn't typically considered multifactor as you're relying on the email account being secure and due to password sharing between accounts it may not be. In any case you'll be reliant on two secrets and probably two passwords. The lack of static password in the body of the email may compensate to some degree for the using two secrets, but it could only be considered a compensating control if you were unable to implement true MFA.
SMS OTP is reliant on the something you have been the handset to which the OTP is sent. However there are vulnerabilities. An attacker could persuade your mobile carrier to port your number across to a handset that they control for example. Your also dependent on security at the carriers SMS switching centre etc.
Another common approach is the smartcard containing an SSH key or X.509 certificate assigned specifically to you or your end point. If attached to the endpoint it really authenticates the endpoit rather than the user of the end point. You may need both, but that depends on the problem you're trying to solve and the business context.
Either a physical MFA token i.e. RSA token, Gemalto token or a mobile app that generates a time base OTP is generally accepted as a more secure solution. These do rely on the party authenticating being in possession of the token and smartphone, so there is still user education about not leaving these exposed to thefts and reporting all losses or thefts promptly.
You may also wnat to consider attribute based approaches if you're looking to challenge an already logged in user, who behaviour is anomalous. This is based on attributes of the OS, browser, screen resolution, geo IP, mouse movement, clicks, keystroke rates etc. There can be many data points.
Thank you so much everyone for your opinions. I agree mostly with all of you.
OTP is no MFA (we are not debating if it is good or bad security practice)
having multiple things you know to authenticate is also no MFA @rslade .
I guess ... concept-wise i wanted to know whether 2 things you know fits for MFA but as i though - your opinions match mine - negative :).
Thanks everyone once again.