Strengths and Weaknesses of MFA Methods Against Cyber Attacks: Part 1
Administrators and end-users of a multi-factor authentication (MFA) product like Duo’s face a variety of options for how to authenticate. Each method has distinct tradeoffs of convenience, user experience, and security.
In this first blog of a three-part series, we’ll define four categories of authentication methods encompassing a broad array of device types. In future blogs, we will discuss identity threats facing MFA users and how to choose the best methods to protect yourself and your organization.
Background: MFA methods
MFA requires that users present multiple pieces of evidence, or factors, proving their identity. These factors typically belong to one of three types:
Knowledge (“something you know”): Memorized information like a password
Possession (“something you have”): A physical device that the user has access to
Inherence (“something you are”): A biometric indicator like a fingerprint
Most commonly, a password (knowledge factor) is combined with a second authentication method representing one or more additional factors. We’ll categorize the methods supported by Duo in the following ways.
Authentication Type | Variant | Example Device |
---|---|---|
WebAuthn-Based | Platform Authenticator | Laptop With Touch ID |
WebAuthn-Based | Roaming Authenticator | Yubikey Security Key |
Push-Based | Push | Phone With Duo Mobile App |
Push-Based | Verified Push | Phone With Duo Mobile App |
Token-Based | Software Token | Phone With Duo Mobile App |
Token-Based | Hardware Token | Duo D-100 Token |
Telephony-Based | SMS Passcode | Phone |
Telephony-Based | Phone Call | Phone |
WebAuthn-based methods
Factor type(s): possession (computer, phone, or security key), usually paired with inherence (biometric) or knowledge (passcode)
WebAuthn, or the Web Authentication API, is a standard for securely authenticating users with public key cryptography. Users register their device with a server (the relying party, such as duosecurity.com), creating a credential that is bound to that site. The credential can then be used to authenticate without a password. Because the browser only presents a credential to the origin it was registered for, it cannot be used on other sites (e.g. a fake webpage like bad-duosecurity.com), which is why WebAuthn-based authentication is described as phishing-resistant.
Some WebAuthn-based authenticators, known as platform authenticators, are integrated into device hardware and operating systems and confirm user identity using biometrics such as iOS Touch ID, iOS Face ID, or Windows Hello. Many platform authenticators additionally support syncing WebAuthn credentials, known as passkeys, across multiple devices. Other WebAuthn-based devices, such as Yubikey security keys, are roaming authenticators and must be physically plugged into the device where a user is authenticating.
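The origin binding that makes WebAuthn phishing-resistant is enforced by the relying party when it checks the assertion. The following is an added example, not code from the original post or from Duo, showing those checks in Python: the relying-party ID and origin are assumed values, the clientDataJSON and authenticatorData are constructed to mimic what a browser and authenticator produce, and the signature check is left out to focus on the origin and rpIdHash comparison.

```python
import base64
import hashlib
import json

RP_ID = "duosecurity.com"                    # assumed relying-party ID
EXPECTED_ORIGIN = "https://duosecurity.com"  # assumed genuine origin


def b64url_decode(data: str) -> bytes:
    """WebAuthn uses unpadded base64url; restore padding before decoding."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def verify_binding(client_data_json: bytes, auth_data: bytes, challenge: bytes) -> bool:
    """Origin/RP checks a relying party performs on a WebAuthn assertion.

    Only the type, challenge, origin and rpIdHash checks are shown; the signature
    over authenticatorData || SHA-256(clientDataJSON) is verified separately.
    """
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False
    if b64url_decode(cd.get("challenge", "")) != challenge:
        return False
    # The browser writes the page's origin; a credential is accepted only from its own.
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False
    # authenticatorData starts with SHA-256(rpId), followed by flags and a counter.
    return len(auth_data) >= 37 and auth_data[:32] == hashlib.sha256(RP_ID.encode()).digest()


def make_client_data(origin: str, challenge: bytes) -> bytes:
    """Constructed clientDataJSON in the shape a browser produces."""
    enc = base64.urlsafe_b64encode(challenge).rstrip(b"=").decode()
    return json.dumps({"type": "webauthn.get", "challenge": enc, "origin": origin}).encode()


def make_auth_data(rp_id: str) -> bytes:
    """Constructed authenticatorData: rpIdHash + flags (UP|UV) + 4-byte counter."""
    return hashlib.sha256(rp_id.encode()).digest() + b"\x05" + (1).to_bytes(4, "big")


CHALLENGE = b"constructed-32-byte-challenge!!!"  # constructed server challenge


def login_accepted(page_origin: str, page_rp_id: str) -> bool:
    """Simulate an assertion made by a browser on page_origin; only the genuine site passes."""
    return verify_binding(make_client_data(page_origin, CHALLENGE),
                          make_auth_data(page_rp_id), CHALLENGE)
```

A look-alike page that relays the server's real challenge still fails, because the browser records the look-alike's own origin and rpIdHash rather than the relying party's.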
Push-based methods
Factor type(s): possession (phone with authenticator app installed), sometimes paired with knowledge (numeric code)
In push-based authentication, users receive a push notification on their phone when they try to log in on another device. They can review authentication details in a mobile app (such as Duo Mobile) and confirm or deny the authentication. The push notification typically happens out-of-band (i.e., on a different communication channel) from the login device, which makes it harder for attackers to tamper with the authentication.
Duo offers two options for push-based authentication. A Duo Push is an ordinary push in which a user confirms or denies authentication via the Duo Mobile App. A Verified Duo Push adds additional security by presenting a numeric code in the login prompt, which must then be entered in Duo Mobile when confirming the push. Both Duo Push and Verified Duo Push transmit the user’s response securely using an HTTPS connection.
Token-based methods
Factor type(s): possession (security token), or knowledge (passcode generated by the token)
In token-based authentication, a hardware device or software application is used to generate a single-use passcode, which must be entered into the login prompt to proceed. The Duo Mobile app can serve as a software token, while third-party hardware and software tokens of various types may also be registered with Duo.
The security properties of tokens depend on the algorithm used to generate the passcodes. The HMAC-based One-Time Password (HOTP) algorithm generates passcodes that expire only after they have been used, which opens the door to attackers stealing the codes and using them later. By contrast, the Time-Based One-Time Password (TOTP) algorithm produces passcodes that expire after a short time, which adds some extra security.
Telephony-based methods
Factor type(s): possession (phone with registered phone number), or knowledge (a passcode from SMS)
SMS (Short Message Service) passcode and phone call authentication allow users to authenticate with their phones, without any specialized hardware or software. SMS passcodes work like token-based methods, except that the single-use passcode is delivered as a text message to the user’s phone. In phone call authentication, the user receives an automated call and confirms the authentication by pressing a key on the phone.
The ubiquity of mobile phones makes telephony-based authentication a popular choice for many organizations. However, communications via cell networks may be less secure than other methods, leading to a risk of MFA interception.
What’s next
Now that we understand the ways that MFA users can authenticate, we can examine how each of these methods stands up to specific cyber threats. The next blog in this series will discuss some of the most common threats affecting MFA and how the different authentication methods can protect against attacks.