Understanding Multi-Factor Authentication (MFA)
What is MFA?
Multi-Factor Authentication is a security mechanism that requires users to provide two or more independent credentials before accessing a system:
Something You Know: Passwords or PINs.
Something You Have: Physical devices like hardware tokens.
Something You Are: Biometrics like fingerprints or facial recognition.
The goal of MFA is to enhance security by combining factors that are independent of each other, reducing the risk of unauthorized access.
Hardware Security Tokens vs. Smartphones in MFA
Hardware Security Tokens
Standalone devices such as the Crayonic Badge and Crayonic KeyVault, YubiKeys, or smart cards.
They meet NIST's definition of a Multi-Factor Cryptographic Device: a hardware device that contains a protected cryptographic module requiring activation through an additional factor.
Certified Secure Elements: Incorporate tamper-resistant hardware for key storage (e.g., FIPS 140-2 Level 2 or Common Criteria EAL 4+ or higher).
Independent Factors: Require a PIN, ideally entered directly on the token so it cannot be captured on the host, ensuring "something you have" and "something you know" remain separate and secure. Extracting keys from a certified secure element without the PIN is very complex, and remote exploitation is infeasible altogether.
High Assurance Levels: Recognized for achieving the highest security standards, such as NIST's Authenticator Assurance Level 3 (AAL3).
Smartphones
Utilize apps that generate one-time passwords or push notifications, e.g. MS Authenticator, Authy, etc.
Phone's Secure Element: Leverage the device's built-in security hardware, if available.
Potential Overlap of Factors: The device (something you have) and the PIN or biometric (something you know or are) live on the same device, so malware can compromise factor independence; worse, exploits delivered over the network may even approve MFA requests on the user's behalf without any user interaction (zero-click).
Variable Assurance Levels: Generally meet lower assurance levels like NIST's AAL1 or AAL2, depending on implementation.
Unlike tokens, not all smartphone-based MFA approaches are phishing resistant; select smartphone MFA authenticators carefully!
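The phishing-resistance gap above comes down to what the verifier can check. The following added example (not Crayonic's code, and a deliberately simplified model) contrasts an RFC 6238 TOTP code, which is valid wherever it is typed, with a cryptographic-device assertion that signs over the origin the client saw, so the verifier can reject an assertion produced for any origin other than its own. Constructed keys, challenge and origin are used; an HMAC stands in for the asymmetric signature a real token computes.

```python
import hashlib
import hmac
import struct

# Constructed demo values; a real token keeps its key inside the secure element.
DEVICE_KEY = b"constructed-device-key-for-demo-only"
RP_ORIGIN = "https://login.example.com"  # assumed relying-party origin


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: the code depends only on the key and the time window,
    so it carries no information about where the user typed it."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int) -> bool:
    """Verifier can only check key and time; origin is not part of the code."""
    return hmac.compare_digest(totp(secret, unix_time), submitted)


def device_sign(device_key: bytes, challenge: bytes, origin_seen: str) -> bytes:
    """Simplified cryptographic authenticator: the signed message binds the
    server challenge to the origin the client observed (assumption: HMAC models
    the token's signature; real devices use an asymmetric key pair)."""
    msg = origin_seen.encode() + b"\0" + challenge
    return hmac.new(device_key, msg, hashlib.sha256).digest()


def verify_assertion(device_key: bytes, challenge: bytes,
                     signature: bytes, expected_origin: str) -> bool:
    """Verifier recomputes over its own origin, so an assertion produced for
    a different origin does not verify even with the genuine device key."""
    expected = device_sign(device_key, challenge, expected_origin)
    return hmac.compare_digest(expected, signature)


if __name__ == "__main__":
    now = 1_700_000_000
    print("TOTP accepted:", verify_totp(DEVICE_KEY, totp(DEVICE_KEY, now), now))
    ch = b"constructed-server-challenge"
    good = device_sign(DEVICE_KEY, ch, RP_ORIGIN)
    other = device_sign(DEVICE_KEY, ch, "https://login.example.net")
    print("own-origin assertion:", verify_assertion(DEVICE_KEY, ch, good, RP_ORIGIN))
    print("other-origin assertion:", verify_assertion(DEVICE_KEY, ch, other, RP_ORIGIN))
```

The TOTP check passes regardless of where the code was entered, while only the assertion computed over the relying party's own origin verifies.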
Compliance Standards and Regulations
1. NIST (National Institute of Standards and Technology)
Reference: NIST Special Publication 800-63B
Hardware Tokens: Meet Authenticator Assurance Level 3 (AAL3), requiring hardware cryptographic modules and multi-factor authentication.
Smartphones: Typically meet AAL1 or AAL2, as they are more susceptible to malware and may not ensure factor independence.
Compliance Advantage: Hardware tokens offer higher assurance, making them preferable for complying with NIST guidelines.
2. NIS2 Directive (EU Network and Information Security Directive)
Reference: NIS2 Directive Text
Hardware Tokens: Align with the directive's emphasis on state-of-the-art security and robust measures.
Smartphones: May require additional justifications in risk assessments to be considered adequate.
Compliance Advantage: Hardware tokens demonstrate a higher commitment to security, aiding compliance with NIS2.
3. OWASP (Open Web Application Security Project)
Reference: OWASP Multifactor Authentication Cheat Sheet
Hardware Tokens: Recommended due to strong security properties and independent factors.
Smartphones: Acceptable but with caution due to potential risks like malware and factor overlap.
Compliance Advantage: Hardware tokens align closely with OWASP's best practices.
Security Considerations
Advantages of Hardware Security Tokens
Physical Isolation: Separate from general-purpose devices and offline, reducing the attack surface.
Tamper Resistance: Certified secure elements protect against physical tampering.
Malware Resistance: Not susceptible to common malware targeting smartphones.
Independent Factors: PIN entry on the token ensures very high factor independence.
Disadvantages of Smartphones
Malware Risk: Smartphones are common targets for malware, which can compromise authentication factors.
Factor Dependence: Device and PIN or biometric may not be fully independent.
Physical Compromise: Lost or stolen devices can be exploited to bypass security measures.
Rooting/Jailbreaking: Compromised devices may not provide secure environments for authentication at all.
Advantages of Hardware Security Tokens for Compliance
Higher Assurance Levels: Meet stringent standards like NIST AAL3.
Regulatory Preference: Often required or preferred in highly regulated industries.
Enhanced Security: Provide robust protection against a wide range of attacks.
Independent Factors: Ensure true multi-factor authentication by keeping factors separate.
When Smartphones May Be Acceptable
While hardware tokens are superior in compliance and security, smartphones may suffice in lower-risk scenarios or when additional security measures are implemented:
Enhanced Device Security: Using Mobile Device Management (MDM) to enforce security policies.
Secure Application Development: Leveraging the device's Secure Enclave or Trusted Execution Environment.
Additional Authentication Factors: Implementing out-of-band authentication methods, e.g. over BLE or NFC.
Other: Using a hardened OS. Eliminating push messages from unknown sources, such as SMS.
Conclusion
Hardware security tokens comply with MFA requirements better than smartphones due to their higher assurance levels, strong factor independence, and enhanced security features. They align more closely with compliance standards set by organizations like NIST, the European Union under NIS2, and OWASP. While smartphones offer convenience, they often fall short in providing the robust security required for handling sensitive data in compliance with stringent regulations.
References
NIST SP 800-63B: Digital Identity Guidelines – Authentication and Lifecycle Management
NIS2 Directive (EU Network and Information Security Directive)
OWASP Multifactor Authentication (MFA) Cheat Sheet
FIPS 140-3 Standard (Security Requirements for Cryptographic Modules)