14

Does multi-factor authentication provide any additional security benefits on top of doing a better job at correctly identifying and authenticating users compared to single factor authentication? In other words, if a system could perfectly identify users based on say biometric cues, is there still a need for additional factors to authenticate a user? As a real world analogue, if I want to limit use of my car to only say my spouse and I'm confident I can recognize them with 100% accuracy, would there be any additional security benefits to having a password or a token type of device between us?

3
  • 4
    One security benefit that can occur is notification. For example, if the first factor is a password and the second factor is to enter a code sent to your mobile phone, receiving a code on your mobile unexpectedly can notify you that your password is no longer secure. Commented Aug 28, 2014 at 7:47
  • 1
    I wish people would answer your question rather than attacking the assumptions. Your question explicitly states that the single factor authentication is both strong enough and error resistant enough to fulfill your authentication needs. Adding a second factor does not change that. I can imagine cases where a second factor might support subsequent authorization or policy enforcement, but that is outside the scope of your question.
    – MCW
    Commented Aug 28, 2014 at 11:21
  • Yes, in the case of single factor authentication that's perfect, it should rely on fairly reliable data. If any part of the perfect single factor authentication presentation can be altered or is unavailable, the multi-factor authentication is a fallback. Pick a biometric cue. (just one?) Now, if that/those cues are able to be spoofed, altered, or unavailable, what is the fallback? (Someone the height and weight of your wife, in a masked costume -- is it her?) (She speaks) Over the phone, is it her or a recording? Even with biometric, you're using multiple clues.
    – SrJoven
    Commented Aug 28, 2014 at 11:37

6 Answers

13

"Biometrics" and "100% accuracy" are distracting the other people answering from the core question: "Are there any other benefits to MFA?" And the answer is in fact yes, there are other security benefits to MFA.

  • You're 100% certain you can identify everyone connecting to your site. You correctly reject an attacker attempting to brute force their way in. Many types of MFA, such as an SMS contact, allow you an out-of-band way to communicate with the authentic user to let them know their account is under attack. There are many reasons you might want to do this, even if both you and the user know their account is safe: To allow them to contact authorities and attempt to identify the attacker, for example.

  • Your system is 100% accurate today but may be compromised in the future. Reasons might include:

    • You make use of a crypto system that is strong enough to discourage all attackers now, but in a decade, technological advances have made it cheap enough to break the crypto that it's now worth attacking. MFA means the crypto system is no longer the only point of failure.
    • Perhaps when you say 100% accurate, you mean "This system is so hard to fool, that nobody would ever bother going to the expense of fooling it." (By creating a clone of your wife, for example.) This is an important distinction. If the value of information in your system increases dramatically at some point in the future, your security may now be inadequate, because the economics of breaking in have changed. MFA increases the expense further, improving your security from an economic standpoint.
    • Your IT staff introduces a serious bug in a future version of the product; your perfect system no longer works when that happens, but MFA could continue to work.
  • Your system is 100% accurate in the sense that only the authentic user can access the account. However, the authentic user can be forced, under duress, to access their own account. MFA may provide a way out of this situation for the user. For example, if it requires a physical device which is time-locked or location-locked, and can't be accessed even under duress.

  • This one is probably the most generally applicable: Access is about both authentication and authorization, and an authentic user who is authorized to use the system today may get fired, and no longer be authorized to use the system tomorrow. MFA can provide a double-check that their account is deactivated correctly. For example, if they must turn in their keys, including their code-generating device used for MFA, deactivating their account becomes a secondary concern.

The value provided by these benefits varies based on the value of the information you're trying to protect, what type of MFA you're using, what type of primary authentication you're using, and so on, but the bottom line is that someone may find these compelling reasons to use MFA even in a "perfect" system.

2
  • 1
    It occurred to me after posting this that the movie Coherence provides a hilarious contraindication to relying on a perfect identification system, and it even echoes the scenario in the original question. No spoilers. It's a great movie, I recommend it if you like thinky sci-fi.
    – Cory
    Commented Aug 28, 2014 at 8:19
  • 2
    +1 for "the authentic user can be forced, under duress, to access their own account". I immediately thought of xkcd.com/538 when I read the question
    – Cruncher
    Commented Aug 28, 2014 at 13:36
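The out-of-band notification benefit raised in the comment on the question (an unexpected code tells you your password has leaked) and in this answer's first bullet, as an added example that is not part of the original thread: a login routine that first checks a PBKDF2 password hash and then an RFC 6238 TOTP code, and records an alert whenever the password is right but the second factor is absent or wrong. That combination is the signal a single-factor system can never produce, because with one factor a correct password simply is a successful login. The user record, salt, shared secret and alert list are constructed for the demo; the TOTP secret is the RFC 6238 test key so the codes can be checked against the published vectors.

```python
import hashlib
import hmac
import struct
import time
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class User:
    """Hypothetical user record, constructed for this example."""
    name: str
    salt: bytes
    password_hash: bytes                      # PBKDF2-HMAC-SHA256 of the password
    totp_secret: bytes                        # shared with the user's phone/token
    alerts: List[str] = field(default_factory=list)  # out-of-band notifications sent


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, timestamp // step, digits)


def verify_totp(secret: bytes, code: str, timestamp: int, step: int = 30, window: int = 1) -> bool:
    """Accept the current step plus/minus `window` steps to absorb clock skew."""
    counter = timestamp // step
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-window, window + 1))


def login(user: User, password: str, code: Optional[str], timestamp: int) -> str:
    """Returns 'ok', 'bad-password' or 'bad-otp'.

    The interesting branch is 'bad-otp': the password was correct but the
    second factor was missing or wrong. Besides refusing the login, the
    system pushes an alert to the user, because someone presenting the
    right password without the device is evidence the password has leaked.
    """
    if not hmac.compare_digest(hash_password(password, user.salt), user.password_hash):
        return "bad-password"
    if code is None or not verify_totp(user.totp_secret, code, timestamp):
        user.alerts.append(
            f"{user.name}: correct password but failed second factor at t={timestamp}; "
            "the password may be compromised")
        return "bad-otp"
    return "ok"


def make_user(name: str, password: str, secret: bytes) -> User:
    salt = b"fixed-salt-for-demo"  # constructed; use os.urandom(16) in real code
    return User(name, salt, hash_password(password, salt), secret)


if __name__ == "__main__":
    alice = make_user("alice", "correct horse", b"12345678901234567890")
    now = int(time.time())
    print(login(alice, "correct horse", totp(alice.totp_secret, now), now))  # ok
    print(login(alice, "correct horse", None, now))                           # bad-otp
    print(alice.alerts)                                                        # one alert
```

The alert is raised only on the password-right, OTP-wrong path; a plain wrong password is just noise and would spam the user. In a real deployment the alert would go over a channel the attacker does not control (SMS, push, e-mail to a verified address), which is exactly the out-of-band property the answer relies on.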
11

If you are 100% certain you can, with 100% confidence identify your wife based on her biometric data and that there is a 0% chance of someone spoofing her biometric data, then there will be no benefit to using multi-factor authentication.

The problem comes in when the identifier, be it biometric data or username and password, can be leaked or spoofed. Imagine for a moment that you use fingerprints as the identifier. If someone were to lift her fingerprints or worse yet, her finger, they might be able to authenticate as her but if you have multi-factor authentication set up they will need to intercept her fingerprints and the second factor.

3

If you can come up with a single means of authentication that is absolutely fool proof (e.g. there is no way it can be hacked and it is always 100% accurate), then I don't see any additional benefit to multifactor authentication. However, in real life, I do not believe there is a system that is 100% accurate. For example, a person can steal a token, or overhear / watch a password entry. There may even be ways to fool biological recognition systems (e.g. consider an identical twin). For this reason, multifactor identification is currently very important to security.

2
  • 2
    An unknown twin is something I hadn't thought about. Even a sophisticated test that could check say DNA would register a false positive authentication.
    – Cowlby
    Commented Aug 28, 2014 at 3:39
  • 1
    Biological recognition mostly only compares similarity, which means you don't need a twin, only someone similar. Cheap fingerprint scanners are easy to fool. A friend of mine regularly succeeds in faking his father's fingerprint by pressing hard on the sensor and sliding his finger sideways. Commented Aug 28, 2014 at 14:45
3

Multi-factor authentication is an implementation of the principle "defense in depth". One particular authentication factor by itself is going to have its strengths and weaknesses against attack. So the goal of multi-factor authentication is that a second factor can compensate for the weaknesses of the first factor, and vice versa.

In reality that goal isn't always achieved, especially since some people define multi-factor authentication as any implementation of two factors, regardless of whether the factors are different types ('what you know', 'what you have', & 'what you are'). Implementing a password alongside a PIN isn't going to buy you much additional threat resistance since their characteristics are so similar.

So in your example of sharing car keys with your spouse, if you are biometrically authenticating them (visually, auditorily, behaviorally, etc.) there isn't much need for additional authentication against the threat of you handing your car keys to someone impersonating your spouse. If it suddenly gets easier to impersonate your spouse or the scenario changes (e.g. someone claiming to be your spouse texts you to leave your keys under the front mat) then you would have to reevaluate the risks.

As for your question about additional security benefits of multi-factor authentication, "non-repudiation" is the first thing that comes to mind. If you needed to supply more proof to an outside party that you did indeed give your car keys to your spouse, they might be more inclined to believe you if you could say she also provided another authentication factor. In the car keys scenario that proof is a little less likely to be necessary, but in other authentication scenarios (e.g. granting bank account access) it becomes more valuable.

1
  • +1 for "Implementing a password alongside a PIN isn't going to buy you much additional threat resistance since their characteristics are so similar." A password + a PIN is identical to just making a password restriction where your password must start with n numbers, followed by whatever your actual password restriction is.
    – Cruncher
    Commented Aug 28, 2014 at 13:31
3

Cribbing from my previous answer...

Authentication factors are 'something you know,' 'something you have', and 'something you are'. Something you know is something that you store in your brain. Passwords are the most common example, but it includes anything and everything that relies on your memory to know. You use your brain to remember your password. You use your brain to remember what image you selected.

Something you are refers to stuff about you that is inherent to you being you. Biometrics are the most common example here. Your retina shape, your fingerprint, etc.

Something you have is a physical object in your possession. Examples include mobile phones, hardware tokens, certificates, printed challenge response 'bingo' cards, your car, etc.

You only get multi-factor authentication when you combine something you know, something you have, and something you are. You do not get multifactor authentication when you combine multiple elements of the same factor. A password and SecurID token combined make for multifactor authentication, because you know one and have the other. Two passwords combined make single factor authentication because you know both. A password and pre-selected image combined is single factor authentication because you know both.

Single factor authentication does not provide the same security as multifactor authentication, no matter how hard you try. Different factors, by their very nature, provide different assurances.

Something you know is easy to remember - it must be in order to scale across many users. This makes it easy to provision. You don't have to physically distribute anything like a hardware fob, just ask people to remember a password. It's easy to forget a password and require reprovisioning. It's also somewhat hard to steal, since you can't dig into someone's brain and just take their memory, but theft does not require proximity (monitoring network traffic is enough to steal a password), key loggers work against it, and it's hard to detect that it's stolen. It's also easy to replace - just set a new password and be done.

Something you have is something you carry with you. This makes it harder to provision, since you now have to physically distribute a piece of hardware to everyone (or the equivalent with certificates), though this may be possible with mail or trusted courier. It typically requires expensive infrastructure, though cell phones carried by everyone mitigate that cost. It's easy to forget your hardware device at home, or at the main office during travel, etc., which requires backup infrastructure for temporary provisioning. Something you have is easier to physically steal, though now it requires physical proximity to take your hardware device out of your pocket. It's easy to detect that it's stolen, since it is no longer in your possession. It's hard to replace, since you must re-provision with that expensive process.

Something you are is hard to provision - you need special, often expensive equipment to collect biometrics from your users. Your users may find that creepy, and might resist collection. You need physical proximity to collect samples. It's impossible to forget to bring biometrics with you - they are you! Depending upon the biometric, it can be difficult or easy to steal, but it's never secret. Your DNA is left everywhere, fingerprints are left everywhere, your retina is temporarily anywhere you look. Something you are is impossible to replace. You have two eyes, ten fingers (unless you have a birth defect or lost one or more fingers in an injury) and can never get new ones, so if they are compromised you cannot be reprovisioned with new credentials. Nor can you get new credentials of the same type if you lose them all - if you lose both hands, you have no more fingerprints.

You get strength by combining multiple factors, because this offsets the weaknesses of one factor. With only something(s) you know, you only get the strengths of what you know. Add some hardware that you have, and now theft becomes obvious at the expense of cost and usability.

1
  • Something you have is a physical object in your possession. Examples include mobile phones, hardware tokens, certificates, printed challenge response 'bingo' cards, your car, etc. How did you not mention a key?!?
    – Cruncher
    Commented Aug 28, 2014 at 13:29
2

The point of multifactor authentication is that each element is in a distinct class. It's a matter of what level of assurance you need in the authenticity of the user accessing the system.

As a real world analogue, if I want to limit use of my car to only say my spouse and I'm confident I can recognize them with 100% accuracy, would there be any additional security benefits to having a password or a token type of device between us?

Sure, if you are kidnapped or passed out, you may not want the attacker to hold up your thumb print, etc. Biometrics can also be copied, faked, etc in many cases. There are also no systems with 100% accuracy, there will always be Type I and Type II errors. A biometric may be enough for a particular system or scenario, but for something like access to the nuclear weapons repository you may want multiple factors.

Perhaps the person with biometric access goes crazy (like General Ripper in Dr. Strangelove). You try to stop him, but he is too strong. While he has you pinned down, you break his security token (something he has); he knocks you out and keeps going, but he can no longer gain access since he needed that second factor.

As a less fantastic example: You need key card access and a biometric scan to enter a facility. Your access is revoked. The biometric system is not network connected and it will be three days before the tech can come to reprogram the unit and remove your access. By taking away your key card, it no longer matters that you have biometric access because you no longer "have" the token.


...security benefits on top of doing a better job at correctly identifying and authenticating users compared to single factor authentication

It's not that it does a better job; it's that it does it in different ways, increasing the difficulty of forgery.
