by Chris Bonatti, IECA of Casper, WY
There are many security services that can be deployed to protect your information assets, but authentication is foundational. Essentially all the other security services, from authorization to access control and confidentiality, are impossible to provide in its absence. Without strong authentication you cannot deliver a secure service.
Passwords notwithstanding, the most common technology leveraged as part of MFA or 2FA are one-time passwords (OTP). Of course, there are good and bad ways to do this. One good example are Open Authentication (OATH) tokens. OATH is the standardized inheritor of several proprietary OTP technologies, and supports an event-driven or counter-driven Hashed Message Authentication Code (HMAC) based OTP (HOTP) algorithm (see RFC 4226), and a Time-based OTP (TOTP) algorithm (see RFC 6238) based on the HOTP definition.
OTP tokens generate one-time values independently, but in synch with a server implementation, providing a sequence of onetime values that are difficult (if not impossible) to reproduce. Such tokens represent something you have.
A slightly weaker form is an authentication app, either on your phone or PC, to generate the same OTP code. A bad example, is the common practice of transmitting an OTP code to a user’s cell phone via text message. This has the advantage of being easy to implement, because the same server that generates the code also validates it. So there is little or no interoperability risk, and the codes can (in principle) be generated by little more than a random number generator.
However, the act of transmitting an OTP code to the user is inherently unsafe, making it possible for eavesdroppers or malware to intercept the code. This transforms the whole scenario from something you have into something you know.
In fact, this common practice is so bad that the National Institute of Standards and Technology (NIST) deprecated and later banned the practice for the federal government in NIST SP 800-63B.
So what do you do?
One of the best and easiest technologies to leverage as part of an MFA or 2FA strategy is the Fast Identity Online v2 (FIDO2) standard, which uses device identity to harden the authentication process via the something you have factor.
FIDO2 is good because it’s simple, and widely supported. It provides for a per-device unique secret key, and a protocol for that device to supply a keyed authentication code on demand. This can be used to verify that a specific device is part of an MFA operation.
All modern Android phones embody a FIDO2 token, Google’s Titan security key is a FIDO2 device, and scores of websites, social media, and other applications support it (including the aforementioned Twitter, Facebook, and Google).
The FIDO2 standard provides the means for requesting and receiving an authentication code from a locally attached or remote device, and the crypto for validating the code.