What is this multi-factor thingy?

Authentication

The process of validating that a user is who they claim to be.

Factor

A piece of data taken into account when authenticating a user.

Generally divided into three classes, things you

• Know
• Have, or
• Are

Multi

From the Latin multi, meaning more than one.

(OK, so you probably knew that one.)

Why use multi-factor?

Extra Security

• Multiple factors are harder to steal/fake than a single factor

Appropriate Security

• Some factors may be more appropriate in certain situations than others

Variable Security

• Choice of authentication factors gives us room to vary them as needed.

Password

Everybody's favorite, but it really kind of sucks. Passwords are short strings of text - can be extended to longer "pass phrases".

Category: Something You Know

How Passwords Are Used

• Creation
  1. User enters password
  2. Server creates and stores a one-way hash of the password
• Validation
  1. User enters the password
  2. Servers creates one-way hash of the password, compares it to stored version

Passwords Pretty Much Suck

• Hard to do right on the server side
  • Have to use a strong password-derivation function
  • Can't just store in plain text
  • Can't just email passwords when people forget them
• Need to be complex to prevent password cracking
• Need to be different for each site in case the server is not doing it right
• Easy to shoulder-surf
• Users need to use password managers and randomly generated password to have any hope

Biometrics

Identifying via unique bodily features. This commonly includes fingerprints, voice prints, facial recognition, and retinal/iris scans.

Category: Something You Are

How Biometrics Are Used

It varies by type, but typically works like this

• Creation
  1. User takes one or more scans of the feature being used (voice sample, selfie, etc)
  2. Server creates a model based on the data
• Validation
  1. User takes a scan of the feature being used
  2. Server does a fuzzy match against the stored model, checks for a certain threshold (e.g., 80% match)

Biometric: Fingerprints

Fingerprints are the most common kind of biometric, so let's take a closer look:

• Good
  • It isn't easy to shoulder-surf a fingerprint reader
  • Modern fingerprint readers aren't super-easy to fake
  • User always has fingerprints available
• Bad
  • They get left behind on many surfaces, which makes it easy for bad guys to copy and use with many scanners

ID Cookie

Cookie containing an tamper-resistant identifier.  Often set after a different auth factor is validated, and used in place of that in the future.  Longer-lived than a session cookie.

Category: Something You Have

What goes in these cookies?

• Encrypted token
  • Tamper resistant, since client doesn't know the key
  • ​Could be as simple as your user name
  • Device fingerprint, in more advanced implementations
• ​Server may or may not store any data
  • ​No need if everything fits in the cookie

Device Fingerprint

A collection of information about your device.  Goal is to get enough detail to uniquely identify a device, to a high degree of confidence.

Category: Something You... Have?

Using Device Fingerprints

Two main ways to store these:

• On the server
  • ​In a database
  • When user logs in, compute new fingerprint, compare it to stored on
  • User may have multiple devices, so generally need a device ID cookie to pair with this
• On the client
  • ​In a cookie
  • Data is encrypted so user can't modify it
  • Every device sends server its own previous fingerprint, no need to more bookkeeping

Location

Physical location of the user.  Could be part of a device fingerprint, or a standalone auth factor.

Category: Something You... Are?

Location Sources

• IP Address
  • Server looks up your IP in a database
  • Accuracy depends on your ISP and the geolocation DB
  • Fails for devices behind a proxy
• Cell Network
  • Phone reports visible towers and signal strengths
  • Server looks towers up in a database, calculates
  • Accuracy depends on how many towers you see and how good the DB is

Location Sources, cont.

• WiFi
  • Similar to cell geolocation
  • DB is based on driving around and mapping WiFi routers
  • WiFi routers have lower range than cell towers
  • Accuracy depends on DB and how much WiFi is around you
• ​Bluetooth
  • ​Similar to WiFi
• GPS/GLONASS
  • Device uses satellites to determine location
  • Best accuracy when outdoors
  • Poor performance when indoors

One Time Code

Single-use code, typically 6 or 8 numbers/letters, which the client and server agree on through some out-of-band mechanism.

Category: Something You Have

Two main uses:

• Verifying that a comm channel is controlled by a user
• Authenticating a user by means of a previously-verified comm channel

Two main types:

• Random code generated by server and sent to client
• Independently-generated based on pre-shared secret (HOTP/TOTP)

Verifying a Comm Channel

OTC via random number

Not much to it:

1. User enters user name
2. System generates a random code and stores it
3. System send code over known channel
4. User inputs code
5. System verifies code was previously generated for that user

This proves that whoever has access to the user account also has access to that user's comm channel.

HOTP

HMAC-based One-Time Password

• Used by Symatec VIP, Google Authenticator, and similar
• Server never has to send a code
  • Protects against snooping on the server->client communications
• Based on a shared secret and some crypto
• Architecture options:
  • Server can directly verify 
  • Server can have trusted 3rd-party verify user
• RFC 4226 draft standard
• Crypto ensures that key is safe
  • Even if attacker collects hundreds of codes

HOTP, cont.

Setup:

• Server generates a secret key and sends it to the client
• Server and client create a counter and initialize it to 0

Usage:

• Client activates code generator
• Client generates code via HMAC(key, counter) and increments counter
• Code is sent to server
• Server independently generates code and increments its counter
• Server compares codes - if they match, authentication is successful

HOTP, cont. (2)

This proves that the user/device that generated the code is the same user/device who received the key during setup.

Risks:

• Client and server counters can get out of sync
  • Resync
    • Client sends server a few sequential codes
    • Server generates thousands of codes
    • Server locates client codes in code stream, resets counter
• ​​Secret key can be stolen from client
  • ​Store key in secure hardware

TOTP

Time-Based OTP, extension of HOTP.

• Almost exactly the same as HOTP
• Counter value is derived from current time
  • E.g., (unix time) / (time chunk size)
• Time chunk is typically 30 seconds

Risks:

• Client/server clocks may be out of sync
  • Can simply require client and server to fix their clocks
  • Server can try to guess how much the client is off
• Code can expire while user is submitting
  • Grace period, accept 1 or 2 codes from the past
• ​Code remains valid for entire time chunk
  • ​Log used codes

3rd-Party TOTP

Symantec VIP exposes TOTP as a service

• Token Setup:
  • Token service creates HOTP key and sends it to client
  • Also sends token ID
• ​Token Registration:
  • User submits token ID to site along with one or two codes
  • Site forwards token ID/codes to service
  • Service tells site whether codes were valid
  • Site stores token ID <> user ID mapping​
• Token Usage:
  • User submits user ID and code to site
  • Site looks up token ID from user ID
  • Site sends code and token ID to service
  • Service tells site whether code was valid

Heartbeat

Heartbeat pattern is unique.

Category: Something You Are

Heart rate monitor can read your heartbeat and use it like a fingerprint.

Heartbeat: How It Works

• No actual implementations yet, sorry
• Not even sure if this is practical