privacyguides.org/docs/security/multi-factor-authentication.md
2022-04-12 01:33:40 +09:30

15 KiB

title description icon
Multi-factor Authentication Using strong MFA can stop over 99% of unauthorized account accesses, and it's easy to set up on the services you already use. material/two-factor-authentication

Multi-factor authentication (MFA, or 2FA) is a security mechanism that requires additional steps beyond entering your username (or email) and password. The most common method are time limited codes you might receive from an SMS or app.

The idea behind MFA is that even if a hacker (or adversary) is able to figure out your password (something you know), they will still need a device you own like your phone (something you have) in order to generate the code needed to log in to your account. MFA methods vary in security based on this premise: The more difficult it is for an attacker to gain access to your MFA method, the better. Examples of MFA methods (from weakest to strongest) include SMS codes, email codes, app push notifications, Time-based One-time Passwords (TOTP), Yubico OTP, and FIDO2 / U2F.

MFA Method Comparison

SMS or Email MFA

Receiving codes either from SMS or email are one of the weaker ways to secure your accounts with MFA. Obtaining a code by email or SMS takes away from the "something you have" idea, because there are a variety of ways a hacker could take over your phone number or gain access to your email without having physical access to any of your devices at all. If an unauthorized person gained access to your email, they would be able to use that access to both reset your password and receive the authentication code, giving them full access to your account.

Push Notifications

Push Notifications take the form of a message being sent to an app on your phone asking you to confirm new account logins. This method is a lot better than SMS or email, since an attacker typically wouldn't be able to get these push notifications without having an already logged-in device, which means they would need to compromise one of your other devices first.

We all make mistakes, and there is the risk that a user may accept the login attempt by accident. Push notification login authorizations are typically sent to all your devices at once, widening the availability of the MFA code if you have many devices.

The security of push notification MFA is dependent on both the quality of the app, the server component and the trust of the developer who produces it. Installing an app may also require you to accept invasive privileges that grant access to other data on your device. An individual app also requires that you have a specific app for each service which may not require a password to open unlike a good Time-based One-time Password (TOTP) app.

Time-based One-time Password (TOTP)

TOTP is one of the most commons form of MFA available. When a user sets up TOTP they are generally required to scan a QR Code which establishes a "shared secret" with the service that they intend to use. The shared secret is secured inside of the authenticator app's data, and is sometimes protected by a password.

The time-limited code is then derived from the shared secret and the current time. As the code is only valid for a short time, without access to the shared secret an adversary cannot generate new codes.

If you have a hardware security key with TOTP support (such as a YubiKey with Yubico Authenticator), we recommend that you store your "shared secrets" on the hardware. Hardware such as the YubiKey was developed with making the "shared secret" difficult to extract and copy. A YubiKey is also not connected to the Internet, unlike a phone with a TOTP app.

Unlike FIDO2 / U2F, TOTP offers no protection against phishing or reuse attacks. If an adversary obtains a valid code from you they may use it as many times as they like until it expires (generally 60 seconds).

An adversary could set up a website to imitate an official service in an attempt to trick you into giving out your username, password and current TOTP code. If the adversary then uses those recorded credentials they may be able to log into the real service and hijack the account.

Although not perfect it is secure enough for most people, and when Hardware Security Keys are not supported TOTP with Authenticator Apps are still a good option.

Hardware security keys

The YubiKey stores data on a tamper-resistant solid-state chip which is impossible to access non-destructively without a expensive processes and a forensics laboratory.

As these keys are generally multi-function and provide a number of methods to authenticate we discuss below the most common ones.

Yubico OTP

Yubico OTP is an authentication protocol typically implemented in hardware security keys. When a user decides to use Yubico OTP, the key will generate a public ID, private ID, and a Secret Key which is then uploaded to the Yubico OTP server.

When logging into a website all a user needs to do is to physically touch the security key. The security key will emulate a keyboard and print out a one-time password into the password field.

The service will then forward the one-time password to the Yubico OTP server for validation. A counter is incremented both on the key and Yubico's validation server. The OTP can only only be used once and when a successful authentication occurs the counter is increased which prevents reuse of the OTP. Yubico does provide a detailed document about the process.

![Yubico OTP](/assets/img/multi-factor-authentication/yubico-otp.png)

There are some benefits and disadvantages to using Yubico OTP when compared to TOTP.

The Yubico validation server is a cloud based service, and users do place trust in Yubico that they are storing data securely and not profiling users. The public ID associated with Yubico OTP is reused on every website and could be another avenue for third parties to profile the user. Like TOTP, Yubico OTP does not provide phishing resistance.

If your threat model requires you to have different identities on different websites, do not use Yubico OTP with the same hardware security key across those websites as public ID is unique to each security key.

FIDO2 / U2F

FIDO2 / U2F is the most secure and private form of second factor authentication. While the user experience is similar to Yubico OTP, the key does not print out a one-time password and validate with a third party server. Instead FIDO2 (and U2F) use public key cryptography for authentication.

When a user creates an account the public key is sent to the service. When the user logs in the service will require the user to "sign" some data with their private key. The benefit of this is that no password data is ever stored by the service, so there is nothing for an adversary to steal.

This presentation discusses the history of password authentication, the pitfalls (such as password reuse), and discussion of FIDO2 and WebAuthn standards.

FIDO2 / U2F has superior security and privacy properties when compared to any MFA methods.

Typically for web services it is used with WebAuthn which is a part of the W3C recommendations. It uses public key authentication and is more secure than shared secrets used in Yubico OTP and TOTP methods, as it includes the origin name (usually, the domain name) during authentication. Attestation is provided to protect the user from phishing as it helps them to determine that they are using the authentic service and not a fake copy.

WebAuthn does not use any public ID, so the key is not identifiable across different websites like Yubico OTP. It also does not use any third party cloud server for authentication. All communication is completed between the key and the website the user is logging into. FIDO2 / U2F also uses a counter which is incremented upon use in order to prevent session reuse.

If a website or service supports FIDO2 / U2F for the authentication, it is highly recommended that you use it over any other form of MFA.

General Recommendations

We have these general recommendations:

Which method to use?

When configuring your MFA method, keep in mind that it is only as secure as your weakest authentication method you use. This means it is important that you only use the best MFA method available. For instance, if you are already using TOTP, you should disable email and SMS MFA. If you are already using FIDO2 / U2F, you should not be using Yubico OTP or TOTP on your account.

Backups

You should always have backups for your MFA method. Hardware security keys can get lost, stolen, or simply stop working over time. It is recommended that you have a pair of hardware security keys with the same access to your accounts instead of just one.

When using TOTP with an authenticator app, be sure to back up your recovery keys, the app itself, or copy the "shared secrets" to another instance of the app on a different phone or into an encrypted container (e.g. VeraCrypt).

Initial setup

When buying a security key, it is important that you change the default credentials, setup password protection for the key, and enable touch confirmation if your key supports such feature. Products such as the YubiKey have multiple interfaces with seperate credentials for each one of them, so you should go over each interface and set up protection as well.

Email and SMS

If you have to use email for MFA, make sure that the email account itself is secured with a proper MFA method.

If you use SMS MFA, use a carrier who will not switch your phone number to a new SIM card without account access or use a dedicated VOIP number from a provider with similar security to avoid a SIM swap attack.

MFA tools we recommend{ .md-button }

More places to setup MFA

Beyond just securing your website logins, multi-factor authentication can be used to secure your local logins, ssh keys or even password databases as well.

Windows

Yubico has a dedicated Credential Provider that adds Challenge-Response authentication for the username + password login flow for local Windows accounts. If you have a YubiKey with Challenge-Response authentication support, take a look at the Yubico Login for Windows Configuration Guide, which will allow you to set up MFA on your Windows computer.

macOS

macOS has native support for authentication with smart cards (PIV). If you have a smartcard or a hardware security key that supports the PIV interface such as the YubiKey, we recommend that you follow your smartcard/hardware security vendor's documentation and set up second factor authentication for your macOS computer.

Yubico have a guide Using Your YubiKey as a Smart Card in macOS which can help you set up your YubiKey on macOS.

After your smartcard/security key is set up, we recommend running this command in the Terminal:

sudo defaults write /Library/Preferences/com.apple.loginwindow DisableFDEAutoLogin -bool YES

The command will prevent an adversary from bypassing MFA when the computer boots.

Linux

!!! warning If the hostname of your system changes (such as due to DHCP), you would be unable to login. It is vital that you setup a proper hostname for your computer before following this guide.

The pam_u2f module on Linux can provide two factor authentication for user login on most popular Linux distributions. If you have a hardware security key that supports U2F, you can set up MFA authentication for your login. Yubico has a guide Ubuntu Linux Login Guide - U2F which should work on any distribution. The package manager commands such as "apt-get" and package names may however differ. This guide does not apply to Qubes OS.

Qubes OS

Qubes OS has support for Challenge-Response authentication with YubiKeys. If you have a YubiKey with Challenge-Response authentication support, take a look at the Qubes OS' YubiKey documentation if you want to set up MFA on Qubes OS.

SSH

Hardware security keys

SSH MFA could be set up using multiple different authentication methods that are popular with hardware security keys. We recommend that you check out Yubico's documentation on how to set this up.

Time-based One-time Password (TOTP)

SSH MFA can also be set up using TOTP and DigitalOcean has provided a tutorial How To Set Up Multi-Factor Authentication for SSH on Ubuntu 20.04. Most things should be the same regardless of distribution, however the package manager commands such as "apt-get" and package names may differ.

KeePass (and KeePassXC)

KeePass and KeePassXC databases can be secured using Challenge-Response or HOTP as a second factor authentication. Yubico has provided a documennt for KeePass Using Your YubiKey with KeePass and there is also one on the KeePassXC website.