Security of Multi-Factor Authentication by Larry Hamid

Since user authentication is the front line of security, the stronger it is the better. In this article I want to discuss multi-factor authentication and why it is stronger than just a single factor. Proving your identity involves using one or more of three possible factors:

• Knowledge (passwords, PINs, etc.)
• Possession (driver’s license, token, corporate badge, etc.)
• Being (biometric: face, finger, voice, retina, etc.)

You will likely come across conflicting opinions about whether one factor is better than another. For example, some people consider passwords better than biometrics while others argue the opposite. But who is correct? Is there one factor that is better than all of the others?

The answer is that it really depends on what criteria you are using to measure the authentication mechanism against, and there are many dimensions to consider. For example you could compare biometrics and passwords with respect to accuracy, convenience, ability to share, presence of a live person, usability, susceptibility to replay attacks, and so on. Your choice of what is important will determine which single factor is better than another. Worse still, there can be variations even within a particular factor type. The following diagram illustrates this point.

In the plot above I have chosen convenience and accuracy as measures. You can see immediately that a complex password, say “%SPc_87snwi$”, is more accurate (harder to guess, because it has far more entropy) than a simple password like “Hello”, but you pay the price in convenience. Similar trade-offs occur in biometric technologies. A retina scan is considered to be more accurate than voice recognition, but you have to shine a light into the back of your eye to provide a sample, which is quite a bit more invasive than speaking into a microphone. A DNA sample (using enough markers) is in theory orders of magnitude more accurate, but you might have to wait a few days for the results, which I consider a huge inconvenience when logging into your workstation.

With only two measures, accuracy and convenience, there are valid arguments for favoring either factor over the other. Imagine the difficulty in deciding which mechanism is better when you consider a dozen or more different threats.

One thing to realize is that every factor of authentication has its own advantages and disadvantages. No single factor is perfect. What is interesting is that biometrics and passwords have some very complementary properties: a weakness in one factor can actually be a strength of the other. This is what makes multi-factor authentication so compelling for security, because combining them creates something much stronger than either factor on its own could possibly attain.

To illustrate this I have chosen a handful of security threats and highlighted the weaknesses and strengths of biometric, password and both combined. A red brick indicates that the method is vulnerable to the corresponding threat and a green brick means it is not.

I have deliberately selected software-based password authentication and a hardware-based (fingerprint) biometric as my two factors in order to more acutely demonstrate their complementary nature with respect to the list of threats. You can see that when they are combined, the resulting two-factor authentication is resistant to all of the listed threats. Note that this holds only when both factors are required on every login: if the fingerprint check can be skipped by falling back to the password alone, the combination is no stronger than the password, since every threat that defeats the weaker factor still works.
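To make the conjunction concrete, here is an added example (not code from the article) of a verifier that enrols a password and a fingerprint template and then accepts a login only when both factors pass. The fingerprint matcher is a toy: templates are assumed to be fixed-length bit strings compared by Hamming similarity against an assumed 0.90 threshold (real matchers compare minutiae, but the policy around them is the same). The threat cases, the template bytes and the PBKDF2 work factor are all constructed for the example. The `verify_with_fallback` function shows the trap described above: a "fingerprint or password" policy collapses to the weaker factor.

```python
"""Two-factor verifier: password (knowledge) AND fingerprint (inherence).

Added example, not code from the article. The fingerprint matcher is a
toy: templates are fixed-length bit strings compared by Hamming similarity.
Real matchers compare minutiae, but the policy logic around them is what
this example is about.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

PBKDF2_ROUNDS = 200_000     # assumed work factor
MATCH_THRESHOLD = 0.90      # assumed operating point of the toy matcher


@dataclass(frozen=True)
class Enrolment:
    salt: bytes        # per-user salt for the password hash
    digest: bytes      # PBKDF2-HMAC-SHA256(password, salt)
    template: bytes    # enrolled fingerprint template (toy: raw bits)


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def enrol(password: str, template: bytes) -> Enrolment:
    salt = os.urandom(16)
    return Enrolment(salt, _pbkdf2(password, salt), template)


def check_password(rec: Enrolment, password: str) -> bool:
    # constant-time compare so the check itself leaks nothing about the digest
    return hmac.compare_digest(_pbkdf2(password, rec.salt), rec.digest)


def match_score(template: bytes, sample: bytes) -> float:
    """Fraction of template bits the fresh sample agrees with (1.0 = identical)."""
    if len(template) != len(sample):
        return 0.0
    differing = sum(bin(a ^ b).count("1") for a, b in zip(template, sample))
    return 1.0 - differing / (8 * len(template))


def check_fingerprint(rec: Enrolment, sample: bytes) -> bool:
    return match_score(rec.template, sample) >= MATCH_THRESHOLD


def verify_two_factor(rec: Enrolment, password: str, sample: bytes) -> bool:
    """Conjunction: the attacker has to defeat BOTH factors.

    Both checks are always evaluated (no short-circuit), so a wrong password
    does not spare the attacker the cost of a fingerprint attempt and the
    response time does not reveal which factor failed.
    """
    pw_ok = check_password(rec, password)
    bio_ok = check_fingerprint(rec, sample)
    return pw_ok and bio_ok


def verify_with_fallback(rec: Enrolment, password: str, sample: bytes) -> bool:
    """Anti-pattern: 'fingerprint, or password if the finger fails'.

    This is a disjunction, so the system is exactly as weak as its weakest
    factor: every threat that beats the password alone still works.
    """
    return check_fingerprint(rec, sample) or check_password(rec, password)


def noisy_copy(template: bytes, flips: int) -> bytes:
    """Simulate sensor noise: flip the low bit of the first `flips` bytes."""
    out = bytearray(template)
    for i in range(min(flips, len(out))):
        out[i] ^= 0x01
    return bytes(out)


def threat_table(rec: Enrolment, password: str, finger: bytes) -> dict:
    """For each constructed threat: (two-factor accepts?, fallback accepts?)."""
    impostor = bytes(b ^ 0xFF for b in finger)       # every bit differs -> score 0.0
    cases = {
        "legitimate user, noisy sensor read": (password, noisy_copy(finger, 4)),
        "password shared or replayed, no finger": (password, impostor),
        "finger presented, password unknown": ("wrong-guess", finger),
        "neither factor": ("wrong-guess", impostor),
    }
    return {name: (verify_two_factor(rec, pw, s), verify_with_fallback(rec, pw, s))
            for name, (pw, s) in cases.items()}


if __name__ == "__main__":
    finger = bytes(range(32))                      # constructed 256-bit template
    rec = enrol("%SPc_87snwi$", finger)
    for threat, (two_factor, fallback) in threat_table(rec, "%SPc_87snwi$", finger).items():
        print(f"{threat:42s} two-factor={two_factor!s:5}  fallback={fallback!s:5}")
```

Running it prints one row per constructed threat. The two-factor column rejects both the replayed-or-shared password and the finger-without-password case, while the fallback column accepts both of them, which is the whole difference between "and" and "or" in this design.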

If strong authentication is critically important to you, I highly recommend multi-factor authentication because it is, without a doubt, the best authentication security you can get.
