What does MFA mean? Jeffrey Goldberg jeff@1Password.com

SLIDE 2

What does “MFA” mean?

Jeffrey Goldberg

jeff@1Password.com

SLIDE 3

What does “MFA” mean?

It means multi-factor authentication. In certain cases it is called “2FA” for two-factor authentication.

SLIDE 4

What does it mean …

  1. For ordinary users?
  2. For knowledgeable users?
  3. In terms of the actual security properties it offers?

SLIDE 10

What do you believe?

1. Does MFA mean that you need all factors to authenticate?
2. Does MFA help protect you if your computer is compromised?
3. Does MFA protect you if the server is compromised?
4. Does MFA make it safe to reuse passwords?
5. Does having a second factor help you if you need to reset a forgotten password?

SLIDE 11

Mind the gaps

Claims

  1. ∃ gaps twixt ordinary user understandings and actual security properties of MFA
  2. ∃ gaps twixt expert user understandings and actual security properties of MFA
  3. These gaps can lead to dangerous behavior

SLIDE 16

Evidence for claims

  • Anecdotes
  • Hearsay
  • Divine revelation?

“Anecdote” is the singular of “data”, right?

SLIDE 20

Authentication

Authentication is the process of proving that you are who you say you are.*

You provide your proof to a verifier (V), who either accepts it or rejects it. If V accepts it, they will grant you access to something.

*“Who you say you are” may mean the owner of some anonymous account. It doesn’t have to be a legal identity.

SLIDE 26

Classic Authentication

  1. V asks P for her username
  2. P tells V her username
  3. V checks that there is such a username
  4. V asks P for her password
  5. P tells V her password
  6. V verifies that the password is correct and grants her access if it is

SLIDE 27

Classic problems

  • V learns P’s secret
  • Eavesdroppers learn P’s secret
  • P’s secret is guessable
  • P never learns if V is really V
  • P’s secret, if captured, can be used to enter this castle
  • P’s secret, if captured, might be usable at other castles

SLIDE 28

Modern password problems

  • What V stores may be used for cracking
  • P is not informed when someone tries to enter the castle using her name
  • P’s password is the only thing required to gain entry
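
The classic exchange and two of the problems listed on the slides above, as an added example (not code from the talk): V is shown P's secret on every login even though it stores only a salted hash, and a copy of what V stores is enough to test guesses without contacting V. The `Verifier` class, the PBKDF2 parameters and the sample username and passwords are assumptions made for illustration.

```python
import hashlib
import hmac
import os


def kdf(password, salt):
    # PBKDF2-HMAC-SHA256; the iteration count is an assumed, illustrative value.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Verifier:
    """V: keeps a salted, slow hash per username (hypothetical design)."""

    def __init__(self):
        self.records = {}   # what V stores long term: username -> (salt, hash)
        self.seen = []      # every secret V was shown while authenticating

    def enroll(self, username, password):
        salt = os.urandom(16)
        self.records[username] = (salt, kdf(password, salt))

    def authenticate(self, username, password):
        self.seen.append(password)            # V learns P's secret
        if username not in self.records:      # V checks there is such a username
            return False
        salt, stored = self.records[username]
        return hmac.compare_digest(stored, kdf(password, salt))


def guess_matches(record, candidate):
    """Check a guess against a copied record, with no contact with V."""
    salt, stored = record
    return hmac.compare_digest(stored, kdf(candidate, salt))


def demo():
    v = Verifier()
    v.enroll("penelope", "open sesame")       # constructed sample values
    granted = v.authenticate("penelope", "open sesame")
    refused = v.authenticate("penelope", "open barley")
    copied = v.records["penelope"]            # stands in for a leaked store
    return granted, refused, v.seen, guess_matches(copied, "open sesame")


if __name__ == "__main__":
    print(demo())
```

Hashing protects the stored record at rest only as far as the secret is hard to guess; it does nothing about V seeing the secret in transit or about P not being told of the refused attempt.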

SLIDE 29

Security properties

SLIDE 30

Useful security properties

  • P proves identity to V
  • V proves identity to P
  • No-one learns any secrets during authentication
  • Big H: Long term secrets are unguessable
  • Long term secrets are unique
  • What V stores long term is not usable for guessing P’s long term secret.
  • More than one kind of secret required

SLIDE 31

Useful properties (continued)

  • P is made aware of any attempts to use her name
  • If P loses or forgets one of her long term secrets, she can get it reset using the one that she maintains

SLIDE 32

Non-Authentication security properties

Some security properties have little to do with authentication.

SLIDE 33

Once more into the breach!

Penelope’s precious stuff, stored within the castle, is kept safe from

  • A breach in the walls
  • Dragons flying over the wall
  • Treachery from within the walls

SLIDE 34

Bewitched

Penelope’s precious stuff, stored within the castle, is kept safe even if … Penelope is bewitched so that she is under the control of an evil wizard after she enters the castle

SLIDE 35

Major misunderstanding

SLIDE 36

Forgetting the auth

With (proper) MFA the authentication process remains secure as long as at least one factor remains secure.

SLIDE 37

“A keylogger on my device”

“With the speed zero day malware are created these days and with the tools and the many advanced techniques they have available, […] users are at risk almost on a daily basis. […] I am not even sure I can trust that my own computer is truly secure despite the fact that it is behind an IDP/ Firewall device.” —Other forum user, January 2017

SLIDE 38

“A keylogger on my device”

“If I happen to have a key logger on my computer or if I use a public computer to access my account, my entire account key could be copied by someone. [...] I have 2FA set up on my email account, so I have to authenticate using 2FA any time I'm not at home.” —Forum user, January 2017

SLIDE 39

Alternative Auth

If a service uses access to a single factor for recovery or reset it is making it easier for attackers
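
The property from “Forgetting the auth” and the warning from “Alternative Auth” can be checked mechanically. This added example (not from the talk) models a service as the set of factor combinations it accepts, counting reset and recovery routes as accepted paths, and tests whether keeping any one factor secure is enough to keep an attacker out. The service descriptions and factor names are constructed assumptions.

```python
def grants_access(paths, compromised):
    """True if the compromised factors satisfy at least one accepted path."""
    return any(path <= compromised for path in paths)


def unprotective_factors(paths):
    """Factors that fail to keep an attacker out when they alone stay secure.

    For each factor f, assume every other factor is compromised and only f
    is secure. If some path still grants access, f did not protect.
    """
    factors = frozenset().union(*paths)
    return {f for f in factors if grants_access(paths, factors - {f})}


def holds_one_factor_property(paths):
    """The property from the slide: secure while at least one factor is."""
    return not unprotective_factors(paths)


def cheapest_entry(paths):
    """Fewest factors an attacker needs to obtain to get in."""
    return min(len(path) for path in paths)


# Constructed services; factor names are illustrative assumptions.
LOGIN = frozenset({"password", "totp"})
SERVICES = {
    "no single-factor reset": [LOGIN],
    "reset via e-mail link": [LOGIN, frozenset({"email"})],
    "password reset via second factor": [LOGIN, frozenset({"totp"})],
}


def report():
    return {
        name: (holds_one_factor_property(paths),
               sorted(unprotective_factors(paths)),
               cheapest_entry(paths))
        for name, paths in SERVICES.items()
    }


if __name__ == "__main__":
    for name, row in report().items():
        print(name, row)
```

In the third service the password appears in the login path yet protects nothing: the reset route makes the account single-factor on the second factor.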

SLIDE 40

Weakening other factors

Using a second factor may give people confidence to use a weaker primary factor than they otherwise might.

SLIDE 41

Weakening is fine

Except for when it isn’t

If the factor that people chose to weaken is important for more than just authentication, they may do serious damage

SLIDE 42

Conclusions?

  • The security properties of any given MFA system depend on many subtle things about the implementation, service, and threats
  • Using MFA in some circumstances may add only tiny improvements to authentication security, but may encourage users to behave in ways that substantially weaken their security

SLIDE 43

Call for help

  • Can we give customers what they demand without harming their security?
  • Can my speculations about user behavior be studied and tested to see if my worries are justified?

SLIDE 44

Table 1

Security Properties of different authentication schemes