DRAFT - DRAFT - DRAFT
The two tables on this page are used to explain our selection of acceptable multi-factor authentication technology for use in assurance profiles. Table 1 describes commonly used authentication factors and summarizes their resistance to common threats. Table 2 summarizes Authentication Types or Groups of Types which meet the needs of authentication profiles.
This is one way to view the issues. Many more rows and columns would be possible depending on what is needed to support the profiles.
Table 1 - Authentication Factors and Threat Resistance
The five right-hand columns give each factor's resistance to the named threat.

AuthN Type Number | Authentication Factor | Theft via Static MITM Phishing | Theft via Dynamic MITM Phishing | Guessing / Offline Cracking | MFA Device Compromise | User Workstation Compromise
---|---|---|---|---|---|---
1 | Password | Low | Low | Depends | n/a | Low |
2 | Phone call | Low | Low | High | Low | High |
3 | Phone call (VoIP) | Low | Low | Medium | Low | High |
4 | SMS | Low | Low | High | Low | High |
5 | SMS (VoIP) | Low | Low | Medium | Low | High |
6 | HOTP phone software | Low | Low | High | Medium | High |
7 | TOTP phone software | Low | Low | High | Medium | High |
8 | HOTP token | Low | Low | High | High | High |
9 | TOTP token | Low | Low | High | High | High |
10 | HOTP written | Low | Low | High | High | Low |
11 | DUO Push | High | Low | High | Medium | High |
12 | FIDO U2F token with password | High | High | High | High | High |
13 | PKI device certificate with device password | High | High | High | High | Medium |
14 | PKI token certificate with token password | High | High | High | High | High |
Table 2 - Authentication Types and Combinations of Authentication Types that meet profile requirements.
The Standard MFA Profile that we are developing now focuses on simple passwords no longer being sufficient in a modern world full of phishing threats. The Stronger MFA Profile column would be for some future work to support an overall higher LoA with corresponding Identity Proofing requirements. It's helpful to see how the two might differ.
Item | MFA Type Number(s) from Table 1 | Standard MFA Profile (anti-phish - replace passwords) | Stronger MFA Profile (could support a stronger LoA) |
---|---|---|---|
1 | 1 and 2-14 | Yes | n/a - see below |
2 | 12 | Yes | Yes |
3 | 13 | Yes | No |
4 | 14 | Yes | Yes |
5 | 1 and 12-14 | Yes | Yes |