TIIME 2018: What to best use as 2nd Factor to deploy on a large scale
(Lukas Hämmerle)
Situation:
You have an IdP with several 10-100k users. You want to offer 2nd-factor authentication to the user. Not all users need 2nd factor authentication. Identity-vetting is out of scope.
The 2nd factor should be:
- Cost effective (cheap)
- Easy to deploy
- Easy to use for end user
- With a reliable recovery processes (in case a user loses 2nd factor)
Known 2nd factors:
- One-Time-Password (Time-based, Hmac-based, challenge-based, on paper, via SMS as Mobile TAN):
- Mobile ID (SIM card-signed SMS)
- Yubikey
- Voice TAN (OTP via landline or mobile phone)
- Software X.509 certificate
- Hardware X.509 certificate
- One Time Token with hardware device
- App (TiQR) on registration you use QCR code
- App with push approval
- Sound-proof (Futurae) with mobile app recording sound generated by PC speaker
- OTP sent via Email (HAKA, Salesforce)
- National Citizen ID (signing timestamp like with Austrian Bürgerkarte)
- Touch ID (iOS)
- Chip TAN (Banks)
- Duo Security
- Remembering Pictures
- FIDO/U2F
- Vicinity of a certain device (i.e. Apple Watch) via Bluetooth
- ….
Statements:
- OTP is easy to use, cheap, it’s standardized (RFC, open-source implementation)
- Technology used should last at least 5-6 years as technology develops (e.g. no USB on mobile phone -> bad for Yubikey)
- Rolling out mobile based 2nd factor might not be ideal from security point of view if user is also using mobile to access service and if mobile device is compromised
- It might be needed to support multiple mechanisms as one method might not work for all users (SURCconext e.g. supports Yubikey, SMS and TiQR, which is the most used)
- Choosing 2nd factor generally depends on the risk to address/problem to solve
- Authentication might need to be just a tick better than the rest to make you less attractive for an attacker
- Whatever one chooses, it’s probably useless if targeted by a national agency (e.g. Mossad), so be pragmatic and keep it simple and user-friendly
- OTP methods might even work on old Nokia phones (or a PC), so less dependent on smart phone.
- Ease-of-Use (registration, deployment, support) of 2nd factor is key for adoption
- Recovery process could also involve friends/buddies (Skype is doing something like this)