Monday, December 20, 2021

2FA vs MFA

  • Two-Factor Authentication vs. Multi-Factor Authentication: What Are the Risks

Business networks are crucial to protect, so firms want only authorized people accessing them.

In cybersecurity, authentication means verifying that a person or device is who they claim to be.

It usually involves checking the identity claim against what's called a factor. 

This could be a password, a biometric identifier (a fingerprint, an iris scan), or the ability to control a trusted piece of equipment such as an electronic ID card or a cell phone.


Single-Factor Authentication

A user has a password and types it in. 

An analogy in the physical world might be a person using a key or code to unlock a safe.


Two-Factor Authentication

It's the simplest type of multi-factor authentication.

With 2FA, users have to supply two distinct proofs of identity to gain access to the network. 

Usually, this includes a password and control over a trusted cell phone. 

For instance, with Twitter, users employing 2FA first enter their passwords and next, receive an SMS authentication message from Twitter with a six-digit code to input.


Multi-Factor Authentication

The term multi-factor authentication (MFA) means there are more than two factors involved.

For every factor of authentication you add, you boost security, but at the cost of making your user experience worse.

MFA systems can also be cumbersome for IT teams, who have to manage integrations with multiple applications or systems.


Adaptive Multi-Factor Authentication

Adaptive authentication means the system is flexible depending on how much risk a user presents.

For example, if an employee is working on the company premises and uses a badge to get through security to her office, Okta will recognize that she is in a trusted location, and that she has permissions to proceed. 

If that same employee is working from a coffee shop, the system may prompt her for an additional security factor when she goes to log in remotely, since she’s not in a trusted location. 

Or, it could present an additional MFA challenge if the user was working from a personal laptop instead of a company device.

https://www.okta.com/blog/2016/12/two-factor-authentication-vs-multi-factor-authentication-what-are-the-risks/


  • What Are the Different Authentication Factors?


Whether a user is accessing his email or the corporate payroll files, he needs to verify his identity before that access is granted. There are three possible ways this user can prove he is who he claims to be:


    Knowledge—the user provides information only he knows, like a password or answers to challenge questions

    Possession—the user supplies an item he has, like a YubiKey or a one-time password

    Inherence—the user relies on a characteristic unique to who he is, such as a fingerprint, retina scan, or voice recognition


Two-Factor Authentication vs. Multi-Factor Authentication (2FA vs. MFA)

The difference between MFA and 2FA is simple. Two-factor authentication (2FA) always utilizes two of these factors to verify the user’s identity. Multi-factor authentication (MFA) could involve two of the factors or it could involve all three. “Multi-factor” just means any number of factors greater than one.


https://www.helpsystems.com/resources/articles/whats-difference-between-two-factor-authentication-and-multi-factor
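The factor categories listed above and the adaptive step-up idea from the Okta note, written out as an added example (my code, not from Okta, HelpSystems or any other linked source). It counts distinct factor categories rather than authenticators, so a password plus a security question is still single-factor, and it raises the number of categories required when the login context is untrusted. The authenticator names, the two risk signals and the step-up thresholds are assumptions.

```python
from dataclasses import dataclass

# Which factor category each authenticator proves (assumed mapping).
FACTOR_OF = {
    "password": "knowledge",
    "pin": "knowledge",
    "security_question": "knowledge",
    "sms_otp": "possession",
    "totp_app": "possession",
    "hardware_key": "possession",
    "fingerprint": "inherence",
}


def distinct_factors(authenticators):
    """Categories proven, not authenticators counted: password plus
    security question is still only 'knowledge', i.e. single-factor."""
    unknown = set(authenticators) - set(FACTOR_OF)
    if unknown:
        raise ValueError(f"unknown authenticator(s): {sorted(unknown)}")
    return {FACTOR_OF[a] for a in authenticators}


def classify(authenticators):
    """'1FA', '2FA' or 'MFA' (three categories) per the notes' definitions."""
    n = len(distinct_factors(authenticators))
    return {0: "none", 1: "1FA", 2: "2FA"}.get(n, "MFA")


@dataclass
class Context:
    trusted_location: bool  # e.g. badge-verified office, per the Okta note
    managed_device: bool    # company laptop rather than a personal one


def required_factors(ctx):
    """Adaptive policy (assumed thresholds): every untrusted signal
    steps the requirement up by one distinct factor category."""
    return 1 + (not ctx.trusted_location) + (not ctx.managed_device)


def access_decision(authenticators, ctx):
    """('allow', 0) or ('step_up', n) with n = extra categories to prove."""
    proven = len(distinct_factors(authenticators))
    missing = max(0, required_factors(ctx) - proven)
    return ("allow", 0) if missing == 0 else ("step_up", missing)
```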


  • MFA vs 2FA - What's the difference?



    Knowledge (e.g. Password, PIN; meaning something you know),

    Possession (e.g. Smart card, smartphone, wearable, cryptographic key etc.; Meaning something you have),

    Inherence (e.g. Fingerprint, iris scan, voice print etc.; Meaning something you are),

    Context (e.g. Location, what you do, how the user reacts, pattern etc.; Meaning something the user does in the context of his or her user life)

https://www.getidee.com/blog/mfa-vs-2fa


  • Multi Factor authenticators (MFA)


This refers to using a single authenticator that requires a second factor to activate (MF authenticator) to achieve MFA or 2FA. For example, using a smartphone as an authenticator to access a website. The smartphone MUST be activated first using a PIN (knowledge) or a fingerprint (inherence) by the user. Then the key on the smartphone can be used to access the website.

Pros:


    The user is in full control of both factors, especially when an MF hardware cryptographic device is used, as recommended by NIST for AAL3.

    No risk of a keylogger or screen capture harvesting the user password on the device, on the web or in mobile applications.

    An attacker still needs the second factor to be able to use a stolen MF software / hardware authenticator.

    MF hardware authenticator device is mostly offline – more difficult for an attacker to get.

    The Verifier is only concerned with securing one factor. The second factor is controlled by the user.


Cons:


    The second factor is on the same device. Where the second factor is verified locally, e.g. an OTP software generator on a smartphone, both the second factor and the secret key used to generate the OTP could be compromised at once.

    On-the-fly phishing, where an attacker captures for example the password and OTP provided by the legitimate user and uses it immediately for illegitimate access to the user's resources. With MF authenticators only the OTP is captured (assuming the service provider is satisfied with multi-factor using a single authenticator).


Single factor authenticators (1FA)


Pros:


    If one of the factors, say knowledge, is compromised it might not affect the other factor (e.g. OTP or crypto key) on the SF device. Although compromising the other factor might be trivial.

Cons:


    The user is not in control of where both factors (e.g. password and OTP) are entered.

    The user password could be sniffed or captured with a keylogger, screen capture from the authentication device/application.

    An attacker could use phishing to deceive users into entering their password on fake sites/login forms. Especially users that use the same password on many services – this gives an attacker automatic access to the other accounts that use the same password.

    An attacker could reset the user account with just their password and email to associate a new second factor to the user account.

    The SF authenticator device/software is not protected – for example, with SF OTP software on a smartphone, all the attacker needs to do is steal the smartphone or token and then try to get the second factor via phishing, brute force, keylogger, screen capture, and maybe social engineering.

    On-the-fly phishing: both single factors could be captured, which could compromise the other user accounts.

    The verifier must manage at least two different authenticators for each user.

https://www.getidee.com/blog/mfa-vs-2fa



  • Multi-factor authentication (MFA; encompassing two-factor authentication, or 2FA, along with similar terms) is an electronic authentication method in which a user is granted access to a website or application only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism: knowledge (something only the user knows), possession (something only the user has), and inherence (something only the user is).

https://en.wikipedia.org/wiki/Multi-factor_authentication

Tuesday, December 14, 2021

password policy

  •  NIST now asks for a minimum length of eight characters for human-generated passwords and six characters for machine-generated ones. To enable greater security for more sensitive accounts, NIST specifies you should allow for a maximum password length of at least 64 characters.


The guidelines prohibit sequential or repeating characters (like 3456 or zzzz) and prohibit dictionary words.

Allowing special characters in passwords also promotes increased security. NIST SP 800-63-3 requires that systems permit passwords to incorporate any ASCII or Unicode character (even emojis). Spaces are also supported to enable passphrases.


Systems should utilize special software to check a proposed password against a slew of previously exposed passwords from past breaches.

Password fields must now allow a user to paste text in via a device’s copy-and-paste feature. This enables compatibility with password managers, which have numerous security benefits.

Stored passwords must be hashed and salted rather than saved as plaintext.

The new NIST guidelines outlaw password hints.

Knowledge-based authentication (KBA)—such as questions like, “What street did you grow up on?” or “Who was your best friend in high school?”—is also no longer allowed. The answers are too easy to figure out, especially in today’s age of public social media.

The guidelines removed password complexity requirements, and special characters and numbers are no longer needed.

Users are no longer required to change their passwords on a regular basis.

https://www.passportalmsp.com/blog/nist-guidelines-password-security


  • Remove periodic password change requirements

Drop the algorithmic complexity song and dance

No more arbitrary password complexity requirements, needing mixtures of upper case letters, symbols and numbers

Require screening of new passwords against lists of commonly used or compromised passwords.

To ratchet up the strength of your users’ passwords, screen them against lists of dictionary passwords and known compromised passwords.

https://www.alvaka.net/new-password-guidelines-us-federal-government-via-nist/


  • Through 20 years of effort, we have correctly trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess.

https://www.theverge.com/2017/8/7/16107966/password-tips-bill-burr-regrets-advice-nits-cybersecurity

  • NIST now requires a minimum length of eight characters for user-generated passwords and six characters for those that are generated by a machine.

NIST now requires systems to permit passwords that contain special characters, even emojis and spaces. The new guidelines prohibit sequential (ex: 1234) or repeating (ex: aaaa) characters and dictionary words.

Password fields must now allow users to paste text using a device’s copy and paste feature. This affords users the opportunity to use password managers, which can greatly increase security. 

Stored passwords must also be hashed and salted (security measures similar to encryption).


NIST has completely outlawed the use of password hints. Knowledge-based authentication (KBA) questions like “What street did you grow up on?” are also no longer permitted. The answers to these are too easily found over the internet, and can easily lead to a breach.

Frequent password changes are counterproductive to good password security. NIST recommends removing this requirement, which should increase usability and make password security more user-friendly.


NIST recommends minimizing password complexity requirements, like the necessary inclusion of upper case letters, symbols, and numbers. Reducing password complexity can be another great step on the road to better security practices that employees find easier to manage.


A commonly held security practice is screening your users’ passwords against lists of commonly held passwords and known compromised passwords. NIST recommends you utilize software that can check proposed passwords against previously held or exposed passwords.

https://www.totalhipaa.com/password-guidelines-updated-by-nist/

  • In particular, forcing complexity and regular changes is now seen as bad practice.

Verifiers should not impose composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters).

Verifiers should not require passwords to be changed arbitrarily or regularly (e.g. the previous 90-day rule).

Passwords must be at least 8 characters in length.

Password systems should permit subscriber-chosen passwords at least 64 characters in length.

All printing ASCII characters, the space character, and Unicode characters should be acceptable in passwords.

When establishing or changing passwords, the verifier shall advise the subscriber that they need to select a different password if they have chosen a weak or compromised password.

Verifiers should offer guidance, such as a password-strength meter, to assist the user in choosing a strong password.

Verifiers shall store passwords in a form that is resistant to offline attacks. Passwords shall be salted and hashed using a suitable one-way key derivation function. Key derivation functions take a password, a salt, and a cost factor as inputs then generate a password hash. 
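A password verifier in the spirit of the NIST guidance collected in the notes above, added here as an example (my code, not from any of the linked articles): minimum and maximum length checks, no composition rules, Unicode and spaces accepted, screening against a breach list and a dictionary, rejection of sequential or repeated runs, and salted storage with a memory-hard key derivation function. The breach list, the dictionary, the run length of 4 and the scrypt cost parameters are constructed assumptions; a real deployment screens against a full breach corpus.

```python
import hashlib
import os
import secrets
import unicodedata

MIN_LEN = 8      # user-chosen passwords: at least 8 characters
MAX_LEN = 128    # must allow at least 64; a cap only bounds KDF cost
# Constructed samples; production screening uses a full breach corpus.
BREACHED = {"password1", "qwerty123", "qaz123wsx", "letmein"}
DICTIONARY = {"password", "welcome", "monkey"}


def has_sequential_or_repeated_run(pw, run=4):
    """True if pw contains a run such as 'zzzz', '3456' or 'dcba'."""
    cps = [ord(c) for c in pw]
    for i in range(len(cps) - run + 1):
        window = cps[i:i + run]
        diffs = {b - a for a, b in zip(window, window[1:])}
        if diffs in ({0}, {1}, {-1}):
            return True
    return False


def check_password(pw):
    """Return the list of reasons to reject pw; empty means accepted.
    No composition rules: spaces, Unicode and emoji are all fine."""
    pw = unicodedata.normalize("NFKC", pw)  # stable form before comparing
    reasons = []
    if len(pw) < MIN_LEN:
        reasons.append("too short")
    if len(pw) > MAX_LEN:
        reasons.append("too long")
    if pw.lower() in BREACHED:
        reasons.append("found in breach list")
    if pw.lower() in DICTIONARY:
        reasons.append("dictionary word")
    if has_sequential_or_repeated_run(pw):
        reasons.append("sequential or repeated characters")
    return reasons


def hash_password(pw, salt=None):
    """Salt and hash with scrypt (memory-hard KDF from the stdlib).
    Cost parameters are illustrative; tune n to the verifier's hardware."""
    salt = salt if salt is not None else os.urandom(16)
    data = unicodedata.normalize("NFKC", pw).encode("utf-8")
    digest = hashlib.scrypt(data, salt=salt, n=2**14, r=8, p=1, dklen=32)
    return salt, digest


def verify_password(pw, salt, digest):
    return secrets.compare_digest(hash_password(pw, salt)[1], digest)
```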


Typical components of a password policy include:

    A minimum password length; many policies require one, and eight characters is typical

    The use of both upper-case and lower-case letters (case sensitivity)

    Inclusion of one or more numerical digits

    Inclusion of special characters, such as @, #, $

    Prohibition of words found in a password blocklist

    Prohibition of words found in the user's personal information

    Prohibition of use of the company name or an abbreviation

    Prohibition of passwords that match the format of calendar dates, license plate numbers, telephone numbers, or other common numbers


Password block list

Password block lists are lists of passwords that are always blocked from use.

They should no longer be used because they have been deemed insecure for one or more reasons, such as being easily guessed, following a common pattern, or public disclosure from previous data breaches.

Common examples are Password1, Qwerty123, or Qaz123wsx.


Password duration

This policy can often backfire. 

If people are required to choose many passwords because they have to change them often, they end up using much weaker passwords; the policy also encourages users to write passwords down.


If the policy prevents a user from repeating a recent password, this requires that there is a database in existence of everyone's recent passwords (or their hashes) instead of having the old ones erased from memory. Finally, users may change their password repeatedly within a few minutes, and then change back to the one they really want to use, circumventing the password change policy altogether.

Frequently changing a memorized password is a strain on the human memory, and most users resort to choosing a password that is relatively easy to guess.

Users are often advised to use mnemonic devices to remember complex passwords. However, if the password must be repeatedly changed, mnemonics are useless because the user would not remember which mnemonic to use. Furthermore, the use of mnemonics (leading to passwords such as "2BOrNot2B") makes the password easier to guess.


Requiring a very strong password and not requiring it be changed is often better. However, this approach does have a major drawback: if an unauthorized person acquires a password and uses it without being detected, that person may have access for an indefinite period.

 

Password policies may include progressive sanctions beginning with warnings and ending with possible loss of computer privileges or job termination. Where confidentiality is mandated by law, e.g. with classified information, a violation of password policy could be a criminal offense.

Some systems limit the number of times a user can enter an incorrect password before some delay is imposed or the account is frozen.

Stricter requirements are also appropriate for accounts with higher privileges, such as root or system administrator accounts.

 

Usability considerations

Inclusion of special characters can be a problem if a user has to log onto a computer in a different country. Some special characters may be difficult or impossible to find on keyboards designed for another language.


Some identity management systems allow self-service password reset, where users can bypass password security by supplying an answer to one or more security questions such as "where were you born?", "what's your favorite movie?", etc. Often the answers to these questions can easily be obtained by social engineering, phishing or simple research.


https://en.wikipedia.org/wiki/Password_policy#cite_note-3