BYU logo Computer Science
CS 465 Introduction to Security and Privacy

Multi-factor authentication

One-time passwords

  • generate a list of passwords, each good for one time only
  • useful for recovery codes
  • can generate and print/save
  • can send via text messages
    • SMS is vulnerable to SIM swapping
  • vulnerable to pre-play attacks
  • vulnerable to phishing and MITM attacks

Lamport hash chains

  • developed by Leslie Lamport, also the inventor of LaTeX, the Paxos consensus algorithm, lots of other stuff
  • see Figure 3.3 and Equation 3.4, page 67
  • must be seeded with a shared random number
  • work backward from t repeated hashes
  • an intercepted password doesn’t help the attacker know subsequent passwords because the hash is one-way

Passcode generators and TOTP

  • see Figure 3.4, page 69
  • requires a secret to be shared
  • used as input to a function, along with a challenge
  • if the challenge is the current time, this is a time-based one-time password (TOTP) — very commonly used as a second factor, e.g. Duo, Google Authenticator
    • be sure your TOTP generator backs up the shared secrets, otherwise if you replace your phone, you will have a hard time accessing your accounts!
    • see RFC 6238 for the TOTP spec
  • again, intercepting a password doesn’t help the attacker know future passwords

Hardware tokens

  • USB cards, sart cards, and other physical objects that can securely store secrets and generate tokens for use in a challenge-response protocol
  • e.g. can hold an RSA signature key pair
    • A tells B it wants to login using VA
    • B sends a random number rB
    • A chooses random number rA and responds with signature SA(rA, rB)

Multiple factors

  • see Figure 3.5, page 70
  • different categories are more likely to be independent
  • what if you use your phone for everything, including password manager, TOTP or Duo second factor? are you still using MFA?
  • when combining factors, their combined security should be stronger than each individually
  • when combining factors, inconvenience can add up
  • second factors can be triggered by a signal, such as a missing browser cookie, new IP address or location

Biometric authentication

  • advantages — nothing to carry, no cognitive burden, ease of use, scalability
  • disadvantages — can be compelled or done while sleeping, can’t be changed/revoked, can be “stolen”, false accepts and rejects
  • what you are vs how you act
  • not secret! rely on a trusted input channel
  • see Table 3.2, page 72
  • enrollment involves identifying features
  • login involves creating a matching score, and a threshold
  • see Figure 3.6, page 74
  • understand Figure 3.7, page 75

Passwordless FIDO2

  • hardware security keys — see Yubico

    • generate a public/private keypair for each website you use
    • prove ownership of the private key in a challenge

  • Passkeys

    • same technology, but keypairs are encrypted and stored in a cloud account, e.g. Apple Keychain

    • similar to a password manager, but for cryptographic keys

    • Apple requires 2FA on your account if you are going to store Passkeys there

    • see Google

    • see Apple and About the security of passkeys

    • see Microsoft

    • see 1Password

  • Both are resistant to phishing, brute force attacks, password breaches