3

I was told at university that there exists a difference between the terms Multi Single Factor and Multi-Factor:

Multiple single-factor-authenticator are presented to a verifier. Each of them will need to be a single authenticator (and therefore contain a secret).

Multi-factor authenticator are used to protect a single secret, that will be presented to the verifier during an authentication protocol. The additional factors are used to protect the authenticator (secret) and need not themselves be authenticators.

I'm having trouble understanding the differences and the consequences security-wise.

Do I understand it correctly that, under the definition above, the typical ebanking login process using a password (shared secret 1) and a hardware crypto token (RSA token) (shared secret 2) would be a multiple single factor authentication? On the other hand, under Multi-Factor-Authentication, I can only imagine a hardware token that needs a fingerprint and a PIN to generate a one time password. Is that correct?

Question: What is more secure and why? Is the fact that Multiple Single Factors use multiple shared secrets better or worse than protecting a single shared secret with multiple factors?

2
  • 1
    I'm thinking "multiple single-factor-authenticator" might be a made-up name for an implementation-specific combined password field; e.g. "Enter your secret 6-digit PIN followed by the 6-digits displayed on your hardware token". But I think the real answer will have to come from your uni professor. If you would be so kind as to post the answer here after your prof has clarified, that might help the rest of us understand better, too. Thanks! Commented Oct 18, 2016 at 15:15
  • In this definition the "Multi-Factor-Auth" would be an SSH key protected by a passphrase. But this sucks, as the Authenticating Service does not control the passphrase, and the AS cannot be sure whether the user handles the passphrase securely. Thus in this specific case the Multi Single Factor (although it hurts to call it this) would be more secure, since the Authenticating Service controls both factors.
    – cornelinux
    Commented Oct 23, 2016 at 21:30

4 Answers

5

This definition you share for multi-factor authentication does not meet the commonly accepted industry definition. Multi-factor just means that two or more factors, typically from different categories of authenticators, are used to authenticate. It isn't specific regarding whether these factors unlock access to a local 'secret' that is used for further authentication or sent directly to the authentication server.

Either scenario still involves multi-factor authentication. What these factors unlock as far as secrets, session tokens, or the like shouldn't really affect their name.

I can't say I've ever heard the term "multiple single-factor-authenticator" before. I'd interpret this to mean you have a system that uses two factors from the same category, e.g. a password and a PIN.

Multi-factor authentication is generally going to be more secure than single factor because it should be more difficult for an attacker to compromise multiple factors. They might be able to guess your password, but it is more difficult to both guess it and obtain a valid OTP token code.

0

I've read your question several times and it still seems like a word salad to me. I've been working in internet banking for 20 years and those terms all seem wrong to me.

Terms are important because regulatory compliance (PCI-DSS and FDIC, most importantly) is a central concern. From the FDIC guidance:

Authentication methods that depend on more than one factor are more difficult to compromise than single-factor methods. Accordingly, properly designed and implemented multifactor authentication methods are more reliable and stronger fraud deterrents. For example, the use of a logon ID/password is single-factor authentication (i.e., something the user knows); whereas, an ATM transaction requires multifactor authentication: something the user possesses (i.e., the card) combined with something the user knows (i.e., PIN). A multifactor authentication methodology may also include "out-of-band" controls for risk mitigation.

As you can infer from the above, an MFA system typically will draw from two or more categories of the following:

  • Something the user knows (e.g. a password)
  • Something the user has (e.g. a token)
  • Something the user is (e.g. biometric, like fingerprint)

I am not sure what a "verifier" is in your question. Intuitively to me a verifier is a system that validates an authentication request, but I'm thinking to your professor the verifier is the client or user.

I am not sure what is meant by "authenticator." The term may refer to a system that performs authentication (e.g. an eBanking server) or it may refer to a time-based token generator (hardware or software) that is provided to an end user (e.g. an RSA fob, or the authenticator app provided by Blizzard for people who play World of Warcraft or Overwatch).

In no case is the intention of authentication to protect a secret. The purpose of authentication is to establish the identity of an agent (user or system) who wishes to use a service.

At risk of confusing you, I'm guessing that your professor is drawing a distinction between MFA that is presented simultaneously versus MFA that are presented in series. Presenting them in series has the advantage of protecting the second factor from MITM or replay attacks, because it can be different each time. For example, if a bank asks you for your password, and then and only then asks you to answer a challenge question, a hacker might intercept the answer to both, only to find that when he attempts to use them, the challenge question has changed and the information that he captured cannot be used.

0

From your description above, it sounds like what your professor is calling a multi-factor authenticator would be a system like a Chip and PIN terminal for credit cards, where the user must first insert their chip, then enter their PIN. The client terminal passes the PIN to the card, which then uses the PIN along with a secret key stored inside the chip to produce a single cryptographic message to be delivered to the bank's host computer. The bank's host cryptographically verifies that the correct PIN was used with the Chip, and so they authenticate the transaction which authorizes the transfer of your money to the store.

A multiple single-factor-authenticator would be a system where you are presented with two screens: enter your PIN, then enter the value from the token you carry in your pocket. Or enter your PIN, and press your thumb on the reader. The two factors are unrelated at the client end of the transaction; both are independently verified by the host system. The host does not validate the transaction until both authenticators are independently verified.

What your description is glossing over is that a Chip in a "multi-factor authenticator" Chip and PIN system is actually capable of performing a single factor authentication right there on site, without the benefit of the host system. Entering a wrong PIN will cause the Chip to refuse to communicate. Entering three wrong PINs and the Chip will lock out the user until the card is reset by the bank. So there are still two independent authentications, PIN to Chip (local), and Chip to bank (remote). But only one (stealing the PIN) can be stolen by an attacker.

The primary difference is that the Chip is a local representative of the Bank. It's like having a tiny banker in your pocket. Your bank doesn't trust the terminal, it doesn't trust you, it only trusts their tiny banker. So your communication with the Chip is single factor authentication (the PIN). The Chip uses both your PIN and its internal secret to authenticate you to the bank in a single message. In this system, the bank barely has to trust the terminal at all. The terminal can even be compromised: imagine using your Chip card at a store run by a thief, where his evil terminal copies your PIN and your card number. But just knowing your PIN and card number is not enough to steal from your account - the bank won't authorize on PIN and card number, they only authorize their Chip's message and card number. And your Chip will only talk to the bank while it's in the reader. Take the Chip out, and it's secure again.

The multiple single-factor-authenticator would be two separate messages. A thief's store could steal your PIN, and then steal the number you entered that was displayed on your token. Or they could steal your PIN and make a copy of your thumbprint. The attacker could then replay those messages to authenticate themselves as you to a different host. In this case, all trust exists in any system that can intercept both messages.

There have been other commercial systems that turned multiple single-factor-authenticators into multi-factor authenticators in hardware. A few years ago a company marketed a thumb reader/PIN pad device, where the user entered a PIN and pressed their thumb on a screen. Note that while a thumbprint can be copied, and a PIN can be copied, the device combined the PIN and a "hash" of the thumbprint with a cryptographic algorithm (based on a secret key embedded in the reader) and sent a single authentication message to the host. So someone intercepting the message could recover neither the PIN nor the thumbprint from the message. A thief could still present a fake thumbprint to a reader, however; and a reader could be a fake that steals the full image of the thumbprint and the PIN, but these are attributes of the factors, not of the system.

-3

The key difference between the two is the number of factors used during the authentication process.

The principle behind two- and multi-factor authentication is to ensure that the user being authenticated is providing an additional and complementary means of confirming their identity, and therefore is intended to provide something in addition to what is provided when single factor authentication is used (typically a username and password).

Usernames and passwords are an example of a knowledge based factor that is typically referred to as the factor “something you know”. When using two factor authentication you would include an additional factor from “something you have” (normally a mobile device or hardware token), “somewhere you are” (location based authentication) or “something about you” (a biometric such as fingerprint, face scan, your voice pattern or perhaps your typing style), or a behavioural factor (using machine learning to detect “Something you do”).

The level of security can vary based on which factors are selected, how well the staff are trained and how well secured any authentication devices are (for example, if mobile phones are used, then how well protected are the devices from viruses, and if SMS services are used, how well protected are they, etc.).

Multi-Single factor would be multiple examples of the same factor. As an example, in the factor type of "Something you know" you might have provided multiple answers to questions such as "Mother maiden name" and "town of birth" and may be asked several of these questions during authentication but given they are all of the same type you have still only provided a single factor during authentication.

Disclosure: I work for Deepnet Security, a company that provides multi-factor authentication solutions.

2
  • The link you provided is to your company's site. Please ensure you disclose your relationship to links you post.
    – schroeder
    Commented Aug 16, 2019 at 13:06
  • You answer not the question that was asked.
    – mentallurg
    Commented Aug 17, 2019 at 0:09
