Password in the context of MFA


#1

I am sure this is a beaten topic. However need some clarity.

I met a CISO who insists he has enough factors (gadgets, OTP generators and FaceID) in his system that he threw away the password. Is this the right approach?

Yes, no password to log in, and all gadget based.

What are the drawbacks, if any? I asked what if the gadgets are lost, stolen or compromised? He simply smiled and said it won’t happen.

Is the first factor (using the brain) of any value here (this need not map to a static password)? What is the justification?

Btw, Apple still uses passwords + other biometrics. Any idea why?

Thanks in advance for your scholarly feedback.


#2

I’m not a “smart” device owner; therefore, I do not like MFA that requires them. Also, whether a password is weak or strict should be decided by the owner, not by random IT rules. For a dynamic password, I wonder why not allow some simple math formula in the password, using the current date and time, like: MinEP\m\-\d
Let’s say \m is the current minute, \d is the current day, and \- is subtraction. This would be very hard to attack; it would need to be attacked more than once in order to figure out the “formula”.

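As an added illustration of the formula-password idea in the post above (this is example code written for this page, not something the poster provided), the block below renders a template such as MinEP\m\-\d for a given clock time, verifies a submitted value with a small clock-skew window, and then plays the attacker who has captured (time, password) pairs and tries to narrow down the formula from a small candidate space. The \h (hour) and \+ (addition) tokens, the one-minute skew window, the attacker’s candidate space and the captured pairs are all assumptions made for the example.

```python
import hmac
import re
from datetime import datetime, timedelta

# Template syntax as described in the post: literal characters plus
# \m = current minute and \d = current day of month, with \- for subtraction.
# \h (hour) and \+ (addition) are assumed extensions, not part of the post.
TOKEN_RE = re.compile(r"\\[mdh+\-]|[^\\]")


def at(year, month, day, hour, minute):
    """Small helper so callers can build timestamps without importing datetime."""
    return datetime(year, month, day, hour, minute)


def render(template: str, when: datetime) -> str:
    """Render the formula password for the given wall-clock time."""
    values = {"m": when.minute, "d": when.day, "h": when.hour}
    out = []
    acc = None   # numeric value of the expression being built
    op = None    # pending operator between two numeric terms
    for tok in TOKEN_RE.findall(template):
        if tok.startswith("\\"):
            c = tok[1]
            if c in "+-":
                op = c
                continue
            v = values[c]
            if acc is not None and op is not None:
                acc = acc - v if op == "-" else acc + v
            else:
                if acc is not None:
                    out.append(str(acc))   # two terms with no operator: juxtapose
                acc = v
            op = None
        else:
            if acc is not None:
                out.append(str(acc))
                acc = None
            op = None
            out.append(tok)
    if acc is not None:
        out.append(str(acc))
    return "".join(out)


def verify(template: str, submitted: str, now: datetime, skew_minutes: int = 1) -> bool:
    """Accept the value if it matches the formula for any minute inside the skew window.

    The window is needed because the user's and server's minute can tick over
    between typing and submitting; it also widens what an attacker may replay.
    """
    ok = False
    for delta in range(-skew_minutes, skew_minutes + 1):
        expected = render(template, now + timedelta(minutes=delta))
        ok |= hmac.compare_digest(expected.encode(), submitted.encode())
    return ok


def recover_formulas(captures):
    """Attacker's view: templates of the form PREFIX\\a\\op\\b consistent with
    every captured (timestamp, password) pair. The prefix is taken to be the
    non-numeric lead of the first capture; the term/operator space is assumed small.
    """
    prefix = re.match(r"^(.*?)-?\d+$", captures[0][1]).group(1)
    candidates = [f"{prefix}\\{a}\\{op}\\{b}" for a in "mdh" for op in "+-" for b in "mdh"]
    return sorted(t for t in candidates
                  if all(render(t, when) == pw for when, pw in captures))


if __name__ == "__main__":
    tpl = r"MinEP\m\-\d"
    # Constructed captures: at 10:10 on the 23rd the minute equals the hour,
    # so one capture leaves two formulas open; the second capture settles it.
    captures = [(at(2023, 11, 23, 10, 10), render(tpl, at(2023, 11, 23, 10, 10))),
                (at(2023, 11, 24, 14, 31), render(tpl, at(2023, 11, 24, 14, 31)))]
    print("after one capture:", recover_formulas(captures[:1]))
    print("after two captures:", recover_formulas(captures))
```

On the constructed captures the first observation leaves both MinEP\h\-\d and MinEP\m\-\d open and the second narrows it to one, which is the “more than once” behaviour the post describes; how many captures are needed in general depends on how many distinct terms the template uses and on how large an operator/term space the attacker has to search.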

#3

Great feedback, Nhat Khai! Spot on, couldn’t agree more.

Now the next question is: since we are so addicted to passwords, who would be obsessed enough to uproot the “traditional” password?

Definitely looking forward to seeing further feedback from this community.

Thanks, and happy Thanksgiving holidays to all.


#4

Hi!

In my opinion, authentication is a matter of risk reduction (on both sides), not of perfection. The idea is to increase the certainty that a visitor is who they say they are and that they can trust a system. So, each “factor” in “multi-factor” authentication is there to mitigate a specific kind of authentication fraud for a certain amount of effort.

What they know (secret/password)

A visitor gives evidence that they are who they say they are by communicating a pre-arranged secret(s). To “fake” it, an attacker has to have stolen the knowledge from somewhere else.

Implementing a password is usually a simple technical task and well understood by the community. It’s akin to locking your car door and most users feel comfortable that it helps make them safe.

What they have (phone/email/SMS account)

A visitor has in their possession something that is usually only associated with the user they claim to be and they have “free” access to use it. To “fake it”, they have to have stolen the thing physically, cracked its security and received the message outbound from the system. If all devices of a user have this, the attack must be simultaneous on multiple systems.

Requiring possession takes a little more technical effort than a password and is akin to requiring a key for your car.

What they are (biometrics/face/fingerprint)

A visitor appears to be biologically the same as the person they say they are. To “fake it”, they have to have enough knowledge of the human’s physical attributes and control over the measurement apparatus.

Some cars have fingerprint sensors to open the doors much like a key. Others have digital passwords (PIN).

Who they know (social)

A visitor is vouched for by another previously authenticated user. To “fake it”, an attacker has to convince another person that they are “the real version” of the person. Humans are pretty good at detecting each other and whether someone pretending to be a relation is actually one.

This takes more technical skill to pull off and is akin to having a “garage manager” retrieve your car for you or a co-driver.

How they behave (UX analysis/key logging/access patterns/etc…)

A visitor must perform a task and that task is measured against prior behaviour. To “fake it”, an attacker has to know enough about a person’s prior interactions with a system to duplicate them.

This is by far the most difficult to implement technically. Having to perform such a test every time you got in your car could be onerous but is implemented for things that have higher consequences (e.g. pre-flighting or taxiing a plane where the performance becomes evidence of fitness to fly and multiple “experts” have to participate in granting permission).

Multi-Factor

So, while each of those measurements of authenticity can be spoofed, together they become very difficult to defeat. Difficult, of course, but not impossible.

Removing factors of authentication simply removes assurances and increases risk due to fraud. Risk of fraud has to be balanced against other factors as part of a security judgement by both users and operators.

The art of security UX is gathering assurance and making accurate statistical judgements without irritating or alarming the user. The more important security is to a user, the more likely they are to pay a premium to a service that demonstrates that it takes their identity seriously and artfully determines who they are.

If, for the specific users a CISO has, both sides feel that shared secrets (passwords) do not provide meaningful assurances (e.g. because biometrics provide better assurance and better UX), while the other factors do, then that’s a risk call for them to make and it’s fine to do so.

IMHO, dropping a password is ok if there are enough other factors at play and users feel comfortable.

Hope this helps!


#5

James

Thanks for such a comprehensive feedback on MFA.

I guess we are answering the “risk” factor, so two follow-up items:

  1. When does increasing the first factor make sense, if at all, and what are the use cases?

  2. When does trivializing the first factor make sense?

Obviously, as long as you lock down your car keys safely in your wallet, you are good.
Hunker down your data center, as required by SOC standards; that would definitely be a case of “locking your key wallet”.

On the non-invasive biometrics, face and finger, they are not even secrets; you leave your residue everywhere in this digital age (lots of cameras, and you leave prints everywhere). All this perhaps boils down to keeping gadgets safe and hoping gadgets are not vulnerable/intercepted (depends on attack vectors).

What triggers such back-and-forth guidance is confusing at best.


I guess using “risk” as the target, we can argue both ways. But any specific use cases for both (if they warrant) would definitely be helpful.

best

PS: (I dont work for cyclonis)


#6

Hi!

  1. When does increasing the first factor make sense, if at all, and what are the use cases?

To me, the major criteria are:

  1. When it makes users feel more secure.
  2. When it reduces authentication risk.

When it makes users feel more secure.

There are a whole host of password standards and being compliant with them can provide strong assurances that a site is trustable. Without passwords, the application must convince a user that not having passwords is a good thing. Not all users will be easily persuadable. Often it’s easier to just have a password and be compliant rather than having to “sell” your security all the time.

When it reduces authentication risk.

The major (and obvious) case for passwords is when the other factors can’t be present. Not all users have biometric hardware so biometrics may not be available all the time. Not all services have inter-user communication so social may be out. Not all services have behaviour analysis. Etc… Often, the ONLY assurance that can be gathered as evidence of identity is a password.

  1. When does trivializing the first factor make sense?

IMHO, when there are other factors present, the users are comfortable using them, entry is cumbersome and/or it provides little additional assurance.

For instance, instead of making me recite a secret phrase and call home from my cell phone, my wife can just open the door when she sees me.

On the non-invasive biometrics, face and finger, they are not even secrets

Right. That’s why it’s a “risk reduction” and not perfection. In isolation, each factor has its share of weaknesses. The power in MFA comes from the need to do multiple (ideally, opposing) things simultaneously.

While the current implementation of fingerprints and facial recognition often boils down to a password, it doesn’t have to. For instance, in many buildings to get “buzzed in”, a person needs to look at a camera and confirm a face. Fingerprints and cameras are used in our legal system to provide evidence of presence.

There is an appropriate amount of automation in security as well as an appropriate amount of human judgement. The two work together.

All this perhaps boils down to keeping gadgets safe and hoping gadgets are not vulnerable/intercepted (depends on attack vectors).

Gadget possession forms only part of identity. It’s evidence but not certainty which is why “multiple” factors are preferred. It’s not that we hope “gadgets are kept”, it’s that we design systems where several things have to be cracked simultaneously before fraud is a significant possibility.

Make sense?


#7

We are on the same page. I believe there is a third factor that you mentioned elsewhere, the UX/friction, which is what most US banks are dancing around rather than security (my opinion, based on lots of facts :slight_smile:).

Assuming that we have 1 & 2 satisfied (“theoretically”), any light you can shed on use cases where additional friction warrants providing 1 & 2 above?

In the consumer space, imho, where the risk is little, it works. For example, Yahoo introduced “echo back our SMS text on your phone” and you are logged in (no passwords). Btw, NIST has put SMS on the deprecation path for anything that is worth protecting.

Also, carrying “multi” factors is cumbersome and prone to lost/stolen use cases. Behavioral metrics at best provide only a certain confidence and are prone to false positives/negatives “by inherent system characteristics”.

So I guess we are moving into a “defense in depth” strategy but keeping “risk” as the ultimate goal. For whatever reason, most of the use cases IMHO fall back to strengthening the first factor, if anything is done over the Internet (could be wrong here on this).

Any further feedback from other gurus in this community, much appreciated. Good day.

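The “echo back the SMS text and you are logged in” flow mentioned above is, server-side, an issue-and-verify cycle for a one-time code. The block below is an added example written for this page (not Yahoo’s code or anything from the thread) of how such a verifier is usually built so that a captured or guessed code is worth as little as possible: the code is stored only as a salted hash, it expires, it is single use, and a handful of wrong guesses locks the challenge. The five-minute lifetime, three-attempt limit and six-digit length are assumptions; the example says nothing about the delivery channel itself, which is where the NIST concern about SMS lies.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_TTL_SECONDS = 300   # assumed: a code is valid for five minutes
MAX_ATTEMPTS = 3        # assumed: three wrong guesses lock the challenge
CODE_DIGITS = 6         # assumed: six-digit code


def _digest(salt: bytes, code: str) -> bytes:
    # Keep only a salted hash so a dump of the pending table yields no live codes.
    return hashlib.sha256(salt + code.encode()).digest()


@dataclass
class Challenge:
    salt: bytes
    digest: bytes
    expires_at: float   # Unix time
    attempts: int = 0
    used: bool = False


class OtpStore:
    """Pending echo-back codes keyed by user: expiring, single use, attempt-limited."""

    def __init__(self):
        self._pending = {}

    def issue(self, user: str, now: float) -> str:
        """Create a fresh code for the user and return it for the SMS gateway to send.

        Re-issuing replaces any earlier pending code, so only one is live at a time.
        """
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        salt = secrets.token_bytes(16)
        self._pending[user] = Challenge(salt, _digest(salt, code), now + OTP_TTL_SECONDS)
        return code   # never log this value

    def verify(self, user: str, code: str, now: float) -> str:
        """Return one of: ok, wrong, expired, replayed, locked, no-challenge."""
        ch = self._pending.get(user)
        if ch is None:
            return "no-challenge"
        if ch.used:
            return "replayed"
        if now > ch.expires_at:
            return "expired"
        if ch.attempts >= MAX_ATTEMPTS:
            return "locked"
        ch.attempts += 1   # counted before comparing, so a correct guess after lockout fails
        if hmac.compare_digest(_digest(ch.salt, code), ch.digest):
            ch.used = True  # consume on success so the same SMS cannot log in twice
            return "ok"
        return "wrong"


if __name__ == "__main__":
    store = OtpStore()
    now = time.time()
    code = store.issue("alice", now)        # would go to the SMS gateway
    print("first use:", store.verify("alice", code, now + 30))
    print("second use:", store.verify("alice", code, now + 31))
    print("late use:", store.verify("alice", store.issue("alice", now), now + OTP_TTL_SECONDS + 1))
```

The attempt counter is incremented before the comparison and the lockout check runs before it, so the lockout cannot be bypassed by guessing correctly on the fourth try; with six digits and three attempts an attacker who has not seen the message has roughly a 3-in-a-million chance per challenge, which is why the remaining risk sits in the channel (interception or SIM swap) rather than in guessing.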

#8

Hi!

I believe there is a third factor that you mentioned elsewhere is the ux/friction

In this respect, I don’t consider the individual authentication “factors” to be a UX consideration. We should always strive to have good UX given the security constraints.

However, the security constraints themselves I think should be a risk calculation - given the evidence, how likely is an authentication to be fraudulent? Is that enough evidence given what is being protected?

And then work back from the evidence required to protect the system to crafting a great UX to get it.

Make sense?


#9

I would think password is still necessary for the same reason a PIN is still used (sometimes, depending on circumstances). On Windows 10, your PIN can be alphanumeric… which makes it a de-facto password from my perspective.


#10

I don’t disagree, but even if you add a step, you will definitely see noise in the context of user experience (UX). The only thing that works is enforcement: in the consumer space, unfortunately, big government; in the enterprise, CxOs. That compliance enforcement re-emphasizes the risk acceptance.

Definitely, I see the same echoed by Matt Green @ Johns Hopkins.

The comments there, in the article are most interesting to me though :slight_smile:
-best

PS: I don’t work for YubiKey, nor do I intend to use it in future unless it is enforced on me :slight_smile:


#11

Hi!

In my opinion, not all “noise” is painful for all users. I think that’s the art in security UX!

For instance, I always “tug” on a pad lock or door to ensure that it’s actually locked after I’ve locked it. It’s an extra step, but it makes me feel secure. Stopping it wouldn’t really change my actual security, and would definitely speed up the “lock” operation, but it would make me doubt the security a little bit more.

In an authentication design, we can do things that are visible to the user (like requiring a password / PIN even if it doesn’t add any actual security) to make them feel safer while doing other things (like behaviour analysis or asking for references from others) that they don’t know about that make them actually safer. In some cases, the password/PIN itself is irrelevant but the WAY that it’s entered gives us extra information to help judge the attempt.

I don’t understand this point. Can you elaborate?


#12

Obviously we live in two different parts of the world :slight_smile: Not every one takes security seriously :slight_smile:

As a result of Regulation E by the Fed, consumers care much less about online security. I hear a perverted argument: “why do I need to take security seriously while my bank will take care of it?” And all these come from … :slight_smile:

To magnify this, in the consumer market no one would be open to what Nhat Khai suggested, by any long shot. That is where we hear a lot of hypothetical critique that is a lot of friction :slight_smile: Will leave this sub-thread here.

On the enterprise end, each org has its own risk acceptance for the business it is doing and the threatscape it is tackling, and hence is driven by its risk appetite.

I guess we have converged, surprisingly, on several points of risk alignment, on when first-factor enhancement can help / is welcomed.

Thanks again for a very insightful discussion.

-best