Multiple-factor authentication system implementation

Introduction

Multi-factor authentication is one of the best measures a company can use to stop an attacker from obtaining access to a device or network and then potentially acquiring access to confidential data. Multi-factor authentication, when set up properly, may make it more harder for an attacker to obtain valid credentials and use them to gain access to a network and carry out additional attacks. Multi-factor authentication is one of the Strategies to Mitigation Cyber Security Incidents' Essential Eight because of how successful it is.
This document was written to help people understand what multi-factor authentication is, how it works, and why certain types of multi-factor authentication are more secure and hence more successful than others. Differentiating multi-factor authentication from multi-step authentication is also covered.

All remote access methods, all users carrying out privileged tasks, and all users accessing critical (sensitive or high-availability) data repositories should employ multi-factor authentication. Single-factor authentication techniques, such as passwords or passphrases, are vulnerable to brute-force assaults, whereas two-factor authentication uses a combination of these to increase security.

The value of using many methods of authentication.

In order to further their control over a compromised network, cybercriminals usually seek to obtain valid user or administrator credentials. With these credentials at their disposal, they may spread rapidly throughout a network and carry out hostile acts without resorting to further attacks, making them harder to detect. Virtual Private Network (VPN) credentials and other forms of remote access are attractive targets for attackers because they may be used to hide their tracks and evade detection.

When properly implemented, multi-factor authentication makes it far more difficult for an attacker to steal a user's credentials in their entirety by requiring the user to demonstrate possession or control over a second factor (such as a physical token, smartcard, or software certificate) (e.g. a fingerprint or iris scan).
In order to reduce the risk of security breaches and prevent users from becoming complacent and leaving their networks unprotected, multi-factor authentication must be implemented appropriately. For instance, if a company only uses multi-factor authentication for remote access solutions but not for corporate workstations, an attacker could compromise the username/passphrase from a remote access device and use it to authenticate locally to a corporate workstation or to propagate within a network after initially compromising a workstation on the network via spear phishing techniques. Multi-factor authentication is preferable to single-factor authentication in this case, but it still doesn't eliminate the need for properly hardened devices as part of a remote access solution.

The definition of MFA is provided.

To verify the identity of a single claimant against the credentials of a single authentication verifier, multi-factor authentication employs a combination of two or more authentication factors.
A multi-factor authentication request requires authentication factors from at least two of the following categories:
information known only to the claimant (such as a PIN, password, or the correct answer to a challenge question).
some asset the claimant may show (e.g. a physical token, smartcard or software certificate)

that which the claimant asserts (e.g. a fingerprint or iris scan).
A claimant may be any entity—human, machine, service, software, or other—that meets the system's requirements for authentication.

The authentication verifier provides access to a closed subsystem that only allows users who have passed a single technical authentication policy.
Passphrases are a popular addition to the following multi-factor authentication methods:

Physical one-time PIN (OTP) tokens, biometrics, smartcards, mobile applications, and universal 2nd factor (U2F) security keys are all examples of 2nd factor authentication.
Mobile phone software authentication through Short Message Service (SMS) texts, emails, or phone calls.

A multi-factor authentication technique ceases to be multi-factor if at any point it allows the user to decrease the number of authentication factors to a single factor. This occurs, for instance, when a public website gives the user the option to "remember this computer." A token may be installed on a user's device after they have been verified using multi-factor authentication, allowing them to authenticate with only a single factor (often a passphrase) going forwards so long as the token is still available and valid. Tokens are used to verify claims, and in this case, it is the user's web browser rather than the user themselves that is being validated. Accordingly, it fails to comply with the need for two or more authentication factors to authenticate a single claimant to a single authentication verifier. In addition, the token shares more with a session token than an authentication factor, making it unfit for authentication.

The Advantages of Multi-Factor Authentication over Traditional Authentication Methods
Multi-step authentication is a popular authentication method that is sometimes misunderstood as multi-factor authentication. Architecturally speaking, multi-step authentication is a method of verifying a user's identity via a series of authentication providers. Each layer of authentication provides access to more and more of the system, up until the user has full control over all of the resources they need. Multi-factor authentication verifiers are more secure than their single-factor counterparts, however any kind may be used.

There is no single point inside the system where two or more authentication factors are used to authenticate a single claimant to a single authentication verifier, making multi-factor authentication more secure than multi-step authentication. This means an attacker may gradually obtain access to sensitive data without ever needing to fully circumvent the system's multi-factor authentication. Since this is the case, multi-factor authentication cannot be replaced with multi-step authentication.

Think about using a method of remote access. To illustrate this point, consider the following diagram, which depicts a scenario in which a computer is authenticated to a VPN concentrator by means of an Internet Protocol Security (IPsec) certificate, a user is authenticated to the VPN concentrator via a passphrase, and the user is then authenticated to an Active Directory (AD) domain via a separate passphrase.

There is a demonstration of multi-step authentication in this situation, but no multi-factor authentication. Since the user and the machine are seen as two independent claimants when authenticating to the VPN concentrator, the usage of an IPsec certificate and a passphrase is not regarded to be two-factor authentication. Additionally, the VPN concentrator and the AD domain each need their own unique authentication from the user. This method is also not multi-factor authentication since it does not employ a variety of authentication factors and instead relies on a single authentication verifier.

An attacker may compromise the computer's IPsec certificate at one point in time, the user's password used to authenticate to the VPN concentrator at another, and the user's Active Directory credentials at a third. The danger involved with this method grows as the adversary gains access to more and more of the system over time.

Think about using a different method of remote access. The user in this case (shown in the figure below) authenticates to the VPN concentrator using a password and token-based one-time PIN. The remaining authentication procedures are the same as in the prior case.
Using a multi-factor authentication mechanism, this example illustrates a reasonably safe remote authentication architecture for the VPN concentrator. Single-factor authentication is used here in the form of the IPsec certificate on the authenticating machine. The remote access environment (using the user's passphrase and one-time PIN) performs the multi-factor authentication, which confirms access to the corporate environment (which continues to rely on the user's password for security).

Is there a universally reliable technique of using multiple authentication factors?
All of the multi-factor authentication techniques described here provide considerable improvements over the simpler approach of using only one authentication factor, although some are more reliable than others. The usage of a hardware token in place of a software certificate is an example of how multi-factor authentication may be improved by separating the authentication elements from the user's access device.

The authentication service (if a dedicated authentication server) should be hardened and isolated from the rest of the network to maximise the security efficacy of any multi-factor authentication approach used. There are at least these things that can be done to accomplish this:

Using the Strategies to Reduce Cyber-Incidents' Essential Eight (where applicable)

carefully considering which devices and users on the network can access the authentication service directly using any specific hardening advice provided by vendors, and then implementing appropriate network segmentation and segregation to limit the types of network traffic to and from the authentication service to only traffic required for its proper operation.

Methods of authentication using several factors
U2F keys for security

To provide an extra layer of protection, this multi-factor authentication technique makes use of a physical token or card (called a U2F security key or U2F authenticator). The user is prompted by their device's software to either push a button on the U2F security key or touch it through NFC (NFC). By signing a service's challenge-response request that was sent via a user's prefered web browser or mobile app, the U2F security key employs public key cryptography to confirm the user's identity. Afterward, the service checks to see whether the answer was signed with the right private key, if so allowing access to the resources requested.

To ensure the highest level of safety and efficiency while utilising this multi-factor authentication approach, the following precautions should be taken:
apply the Essential Eight from the Strategies to Mitigating Cyber Security Incidents to harden the devices being utilised (if applicable)
the implementation of any and all vendor-provided hardening recommendations

Users should be reminded to not keep their U2F security keys on their devices, particularly if they have NFC.

make sure that every time a user's U2F security key is needed to complete an authentication, they are sent a visual alert.

Always report missing or stolen U2F security keys as soon as possible and use only U2F security keys that have been certified to the most recent version of the U2F standard.

Tokens with unique PINs that are printed on metal and used just once

By displaying a time-sensitive one-time PIN on its screen, a physical token is used as a second layer of security in this multi-factor authentication scheme. The user may also be asked to enter the one-time PIN by pressing a button on a physical token that communicates with their mobile device. Each token and the authentication service share the same accurate time, and the authentication service is aware of the correct one-time PIN for all tokens it is servicing at any one moment. The authentication service checks the user's password and one-time PIN to determine whether to give or deny access to resources.

Make sure people aren't keeping actual tokens on their phones or computers
reduce as much as possible the period that a physical token's one-time PIN remains valid for use.

Users should be prompted to report missing or misplaced physical tokens as soon as possible.

Make sure users understand that they should never provide information about their physical token (such the serial number) unless they are absolutely confident it is being sought by their ICT support personnel.

Biometrics

Biometrics such as fingerprints or iris scans are used as a secondary authentication element in this multi-factor authentication system. During registration, the user uploads an image of their prefered biometric for the authentication service to use as a baseline. Authentication requires the user to provide a password and some biometric information; the service then compares the information entered with what was stored at enrolment, and either gives or refuses access based on the results. However, it should be emphasised that not all prospective users will be able to enrol in a biometric method because of the broad variety of individual variations.

Biometric matching is probabilistic rather than deterministic, and there is dependency on the biometric capture software placed on the user's device, both of which provide possible security flaws in this multi-factor authentication technique. Biometric capture software can be exploited by an attacker who has gained access to the user's device and has sufficient privileges to either intercept and replay legitimate authentication requests or to initiate fraudulent authentication requests on the user's behalf (within the limits of any anti-replay measures). In addition, biometrics' efficacy depends on the calibre of biometric readers and capture software to strike a reasonable balance between false negatives (denying access when it should have been granted) and false positives (providing access when it should have been refused).

To ensure the highest level of safety and efficiency while utilising this multi-factor authentication approach, the following precautions should be taken:

maximise protection for the devices in use by doing things like (at a minimum)

Using the Strategies to Reduce Cyber-Incidents' Essential Eight (if applicable)

For optimal security, it is recommended to implement all vendor-recommended hardening measures and provide a visual alert to users whenever a new authentication request is created using their biometric data.

For users who are unable to enrol using biometrics, make sure an additional layer of protection is in place.

Smartcards

A smartcard's private key serves as the second element in this multi-factor authentication system. To use a smartcard, the user must input a PIN or password into the device's software. After a successful unlock of the smartcard, the device's software will utilise the user's private key to sign an authentication request, proving the user's identity. As soon as the authentication service receives an authentication request, it checks the signature to ensure it was generated with the right private key, and either approves or declines the request for access.

Similar to biometrics, the software used to connect with the smartcard might be a security risk with this multi-factor authentication technique. A malicious actor with access to the user's compromised device might, within the bounds of any anti-replay mechanisms, either intercept and replay genuine login requests or start false authentication requests on the user's behalf.

To ensure the highest level of safety and efficiency while utilising this multi-factor authentication approach, the following precautions should be taken:

maximise protection for the devices in use by doing things like (at a minimum)

Using the Strategies to Reduce Cyber-Incidents' Essential Eight (if applicable)

the implementation of any and all vendor-provided hardening recommendations

Check that users aren't keeping smartcards on their gadgets.

Make sure users see a reminder to unlock their smartcard whenever they get an authentication request that needs it, and tell them not to leave their smartcard inserted and unlocked.

Users should be prompted to report missing or misplaced smartcards immediately.

Web-based and mobile-based applications

To provide an extra layer of security, this type of authentication employs a temporary password or PIN issued via a mobile app. Users may sign up for the mobile app by scanning a QR code, entering a phone number, or writing down an email address. This allows the app to provide the user a one-time PIN or password. As part of the login procedure, the user may ask the mobile app to generate a temporary password or one-time PIN. A user presents their credentials to an authentication service, which then determines whether or not to provide the user access to protected resources after confirming the accuracy of the provided data.

Using a second factor that the user already has offers the benefit of reducing the cost of multi-factor authentication for the owner of the system. However, this approach also has a few drawbacks, including:

Many gadgets are not secure, and a device may be hacked by determined and capable opponents, especially while travelling internationally. This is especially true if the device running the mobile app is also being used to browse the web or check email.

To ensure the highest level of safety and efficiency while utilising this multi-factor authentication approach, the following precautions should be taken:

maximise protection for the devices in use by doing things like (at a minimum)

Using the Strategies to Reduce Cyber-Incidents' Essential Eight (if applicable)

the implementation of any and all vendor-provided hardening recommendations

Use the shortest possible time limit for the one-time PIN or password issued by the mobile app.

users should be urged to report the theft or loss of any mobile device running the software, even if it is a personal device, as soon as possible.

Whether through text message, email, or phone call

By sending a one-time password or PIN through text message, email, or phone call, this multi-factor authentication approach adds a second layer of security. A user's phone number or email address is used upon registration to send them a one-time PIN or password. When logging in, the user may ask the authentication service for a temporary password or PIN. A user presents their credentials to an authentication service, which then determines whether or not to provide the user access to protected resources after confirming the accuracy of the provided data.

However, the user's ability to receive a one-time PIN or password may be compromised if the user's location is inside a region where telecommunication networks have reduced service or are completely unavailable.

The security of a one-time PIN or password sent via SMS, email, or voice call may be compromised if the recipient opens the message while using the device for other purposes, such as accessing the internet or reading email. This is especially true for SMS messages sent via voice over IP or internet messaging platforms.

Some gadgets aren't safe, and it's easy for opponents with enough motivation and know-how to get into yours if you take it abroad.

While travelling internationally, it is especially important to be aware that your SMS, email, or phone call may be intercepted by someone who is both motivated and able to do so through a telecommunications network.
To ensure the highest level of safety and efficiency while utilising this multi-factor authentication approach, the following precautions should be taken:

Implementing the Essential Eight from the Strategies to Mitigate Cyber Risk is a good starting point for hardening the devices being used and those receiving second factors.

Problems with Security (if applicable)

Using any vendor-supplied hardening guidance, set the expiration period of the one-time PIN or password sent through SMS message, email, or voice call to the minimum value practicable, and advise users to report the theft or loss of their device, even if it is a personal one, as soon as possible.

Software authentication certificates

As the second piece of proof in a two-factor authentication scheme, a software certificate on a user's device is used. The user's software certificate may be kept in a file, the registry, or the device's Trusted Platform Module (TPM), and the system will try to retrieve it whenever authentication is requested. By using their private key to sign an authentication request, the app on their smartphone helps them prove their identity. As soon as the authentication service receives an authentication request, it checks the signature to ensure it was generated with the right private key, and either approves or declines the request for access.

This technique of multi-factor authentication is insecure since it depends on the user's software and operating system. The programme provides services that an attacker may use to either intercept and replay legal authentication requests or to start fraudulent authentication requests on behalf of the user, up to the limits of any anti-replay mechanisms. To get both authentication elements, an adversary need just compromise the user's device and have a low probability of being discovered. Further, if an attacker manages to get administrative access, they may steal the user's private keys and certificates and use them from their own devices or infrastructure to establish covert, persistent access to the network. Because of this, businesses should only employ software certificates for low-risk transactions or infrastructure.

To ensure the highest level of safety and efficiency while utilising this multi-factor authentication approach, the following precautions should be taken:

maximise protection for the devices in use by doing things like (at a minimum)

Using the Strategies to Reduce Cyber-Incidents' Essential Eight (if applicable)

When following vendor-provided hardening recommendations, users should be alerted visually whenever they are presented with an authentication request for their software certificate.

keep the software certificate in the TPM (if present) or the certificate store (if not) instead of an ordinary file on the device's local storage.

users should be urged to report the loss or theft of any device, personal or otherwise, as soon as possible.