Multifactor Authentication (MFA)
MFA involves the use of multiple factors, such as something you know (like a password), something you have (like a smartphone or a security token), something you are (biometric data like fingerprints or facial recognition), or someplace you are (geolocation data) to verify a user's identity. These factors typically fall into one of four categories:
- Knowledge Factor (something you know): This factor involves something the user knows, such as a password, PIN (Personal Identification Number), passphrase, or answers to security questions. The user must provide this secret information to authenticate their identity. Knowledge factors are commonly used in traditional username-password authentication systems.
- Possession Factor (something you have): This factor involves something the user possesses, such as a physical token, a smartphone, a smart card, or a security key. The user must have the physical item to complete the authentication process. Possession factors often involve generating one-time passwords (OTPs) or using cryptographic keys stored on the physical token or device.
- Inherence Factor (something you are): This factor involves something inherent to the user, typically based on biometric characteristics. Biometric factors include fingerprints, facial recognition, iris scans, voice recognition, or behavioral biometrics like typing patterns or gait analysis. Inherence factors rely on unique physical or behavioral traits to authenticate the user's identity.
- Location Factor (someplace you are): This factor involves the user's physical location or proximity to a particular device or network. Location factors include GPS coordinates, IP address geolocation, or proximity to a known Bluetooth device. By verifying the user's location, MFA systems can add an extra layer of security by ensuring that the user is accessing the system from an expected or authorized location.
These factors can be used individually or in combination to create a multi-layered authentication process that enhances security by requiring multiple identity proofs. By combining different factors, MFA systems can significantly reduce the risk of unauthorized access, as an attacker would need to compromise multiple factors to impersonate a legitimate user.
Additional Security Controls
- Physical Access Controls: Physical access controls involve mechanisms such as doors with keycards or biometric scanners, security guards, and surveillance cameras. These controls authenticate users based on their physical presence and possession of a valid access token, such as a keycard or biometric data.
- Procedural Controls: Procedural controls involve documented policies and procedures that govern the authentication process. This can include requirements for users to provide specific forms of identification, follow certain steps to verify their identity, or undergo periodic reauthentication.
- Human Authentication: Human authentication involves interactions with other individuals to verify a user's identity. This can include verbal verification over the phone, in-person verification by a receptionist or security guard, or visual identification by comparing a user's face to a photograph on file.
RFID Cloning
Radio Frequency Identification (RFID) is a technology that encodes information into passive tags. When a reader comes within range, it generates an electromagnetic wave that powers the tag, enabling the reader to retrieve the stored information. This technology is commonly used in contactless building access control systems.
RFID cloning and skimming are methods of counterfeiting contactless access cards or badges:
- Card Cloning: This involves creating one or more duplicates of an existing card. If a card without cryptographic protections is lost or stolen, it can be physically copied. Lost cards should be reported immediately to allow revocation and reissuance. Signs of a successful attack may include card usage in unusual locations or at odd times.
- Skimming: This method uses a fake reader to capture card or badge details, which are then used to program a duplicate. Certain proximity cards can be easily tricked into transmitting their credentials to a portable RFID reader, which an attacker could discreetly carry.
These attacks typically target basic access cards that transmit static tokens rather than perform cryptographic processing. If access card usage is logged, signs of compromise may include impossible travel patterns or concurrent use at different locations.
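The two log-based indicators just named (concurrent use at different locations and impossible travel) can be checked mechanically. The following is an added example, not part of the original notes: it runs over constructed badge-read records in the form `timestamp,badge_id,site`, with assumed site coordinates, a 10-minute window for "concurrent" use and a 900 km/h ceiling on plausible travel speed.

```python
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

# Constructed sample data: approximate site coordinates (lat, lon) and badge reads
# as an access-control system might log them. All values are illustrative.
SITES = {"HQ": (38.8977, -77.0365), "DEPOT": (39.2904, -76.6122), "WEST": (34.0522, -118.2437)}
LOG = """2024-05-01T08:02:11,B1001,HQ
2024-05-01T08:05:40,B1001,DEPOT
2024-05-01T08:10:05,B2002,HQ
2024-05-01T09:30:00,B2002,WEST
2024-05-01T08:15:00,B3003,HQ
2024-05-01T12:00:00,B3003,DEPOT"""
MAX_KMH = 900.0      # assumption: faster than this between two reads is implausible
CONCURRENT_S = 600   # assumption: reads at different sites within 10 min count as concurrent use

def km_between(a, b):
    """Great-circle distance (haversine) between two (lat, lon) points in km."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def parse(log):
    """Parse CSV reads and order them per badge, then by time."""
    reads = [line.split(",") for line in log.strip().splitlines()]
    return sorted(((datetime.fromisoformat(t), badge, site) for t, badge, site in reads),
                  key=lambda r: (r[1], r[0]))

def find_anomalies(log):
    """Return (badge, kind, previous_site, current_site) for each suspicious
    consecutive pair of reads of the same badge at different sites."""
    findings = []
    prev = {}  # badge -> (timestamp, site) of its last read
    for ts, badge, site in parse(log):
        if badge in prev:
            pts, psite = prev[badge]
            if psite != site:
                seconds = (ts - pts).total_seconds()
                dist_km = km_between(SITES[psite], SITES[site])
                if seconds < CONCURRENT_S:
                    findings.append((badge, "concurrent_use", psite, site))
                elif dist_km / (seconds / 3600) > MAX_KMH:
                    findings.append((badge, "impossible_travel", psite, site))
        prev[badge] = (ts, site)
    return findings
```

Each finding is a candidate for revoking the badge and reissuing, after confirming with the holder; a legitimate hand-carried badge never trips the concurrent-use rule because the same physical card cannot be at two readers at once.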
How Multi-factor Authentication (MFA) might be implemented in a sensitive compartmented information facility (SCIF) or military installation
Access Control Points (ACP):
- Entry to the SCIF or military installation is typically controlled through access control points operated by security personnel.
- Individuals seeking entry must present identification, such as military IDs or security badges, which serve as possession factors for authentication.
Physical Tokens:
- In addition to ID cards or badges, personnel may be issued physical tokens, such as smart cards or RFID tags, which serve as possession factors for authentication.
- These tokens are required to access secure areas within the SCIF or military installation and must be presented or scanned at access control points.
Knowledge Factors:
- Personnel may be required to input PINs or passwords at access control points or when accessing secure systems or data within the SCIF or military installation.
- These passwords serve as knowledge factors for authentication and are typically known only to the individual user.
Security Clearances:
- Besides MFA, access to sensitive information within a SCIF or military installation is restricted based on security clearances.
- Personnel must undergo background checks and receive appropriate security clearances to access classified or sensitive information.
- Access permissions are typically tied to an individual's security clearance level and verified during authentication.
Network and Data Access Controls:
- MFA may also be implemented to access computer networks and sensitive data within the SCIF or military installation.
- Personnel may be required to provide additional authentication factors, such as one-time passwords generated by token devices or authentication apps, when accessing secure systems or data.
Why PKI Might Be Used Over MFA
Reasons to Use PKI over MFA
- Data Encryption:
  - PKI: Provides robust encryption mechanisms that protect data in transit and at rest, ensuring confidentiality and integrity. It is used for encrypting emails, files, and communications.
  - MFA: Enhances authentication security but does not provide data encryption.
- Digital Signatures:
  - PKI: Supports digital signatures, which verify the authenticity and integrity of a message, document, or software. Critical for legal documents, software distribution, and secure communications.
  - MFA: Does not offer digital signature capabilities.
- Authentication and Authorization:
  - PKI: Used for both authentication and authorization, providing a mechanism to verify the identity of users, devices, and services. It also supports role-based access control.
  - MFA: Primarily enhances authentication by requiring multiple verification forms but does not inherently provide authorization capabilities.
- Secure Email (S/MIME):
  - PKI: Enables secure email through protocols like S/MIME, ensuring emails are encrypted and digitally signed.
  - MFA: Does not provide email encryption or digital signing.
- Device Authentication:
  - PKI: Authenticates devices and not just users, making it suitable for securing communications between devices in IoT networks, VPNs, and enterprise networks.
  - MFA: User-centric and not typically used for device authentication.
- Non-Repudiation:
  - PKI: Digital signatures ensure non-repudiation, meaning a sender cannot deny sending a message. This is important for legal and financial transactions.
  - MFA: Does not provide non-repudiation capabilities.
When to Use MFA
- User Authentication: Ideal for securing user logins by requiring multiple verification methods (e.g., password, SMS code, biometric).
- Enhancing Password Security: Mitigates the risks associated with password-only authentication by adding extra layers of security.
- Accessibility: Generally easier and quicker to implement for user authentication across various platforms and services.
Conclusion
PKI and MFA are complementary technologies rather than mutually exclusive. PKI is used for encryption, digital signatures, and secure communications, making it suitable for scenarios where data confidentiality, integrity, and non-repudiation are critical. On the other hand, MFA is employed to strengthen user authentication and ensure that only authorized users can access systems and data.
RSA Token
The RSA SecurID authentication mechanism consists of a "token," either hardware (e.g., a key fob) or software (a soft token), assigned to a computer user. The token creates an authentication code at fixed intervals using a built-in clock and a random key encoded into the token at the factory (known as the "seed"). Each token's seed is different and is loaded into the corresponding RSA SecurID server, so the server can compute the same code the token displays.
RSA tokens are a common possession factor used in Multi-factor Authentication (MFA) systems. Their main benefits are:
- Portability: RSA tokens are small, lightweight devices that easily fit on a keychain or in a pocket. This portability makes accessing secure systems or data from different locations convenient for users.
- Independence from Network Connectivity: RSA tokens typically generate one-time passwords (OTPs) offline, meaning they do not rely on network connectivity to function. This ensures that users can authenticate even in environments with limited or no internet access.
- Strong Authentication: RSA tokens generate time-based or event-based OTPs, providing high authentication security. These OTPs are typically valid for only a short period and are not reusable, reducing the risk of unauthorized access through interception or replay attacks.
- Ease of Deployment: Deploying RSA tokens within an organization is relatively straightforward. Tokens can be easily distributed to users, and the associated authentication infrastructure can be integrated with existing systems using standard protocols.
One-Time Password (OTP)
A one-time code, also known as a one-time password (OTP) or a single-use code, is a temporary authentication code valid for a single use or a short period. One-time codes are commonly used as a second factor in Multi-factor Authentication (MFA) systems to provide an additional layer of security beyond traditional passwords.
Here's how a one-time code typically works:
- Generation: The one-time code is generated by a trusted authentication server or device using a cryptographic algorithm. The code is unique and unpredictable, making it difficult for attackers to guess or intercept.
- Delivery: The one-time code is typically delivered to the user through a separate channel or device from the one they use to authenticate. Standard delivery methods include SMS text messages, email, mobile apps, or physical hardware tokens.
- Authentication: The user enters the one-time code along with their username and password into the authentication interface. The authentication server verifies the code by comparing it against the expected value it computes for that user.
- Single Use or Time-Limited: Once the one-time code has been used for authentication or has expired after a set period, it becomes invalid. It cannot be reused for subsequent authentication attempts. This helps prevent replay attacks and unauthorized access.
Privacy
Privacy in MFA encompasses the overall handling of user authentication data.
- Data Minimization: Collecting and storing only the minimum amount of information necessary for authentication purposes, and ensuring that any unnecessary data is promptly deleted.
- Data Security: Implementing robust security measures to protect authentication data from unauthorized access, including encryption, access controls, and secure transmission protocols.
CAC Privacy
When it comes to privacy, the card meets all applicable laws and Geneva Convention requirements, and the data it stores can only be accessed through secure CAC applications.
What a CAC does not contain is sensitive data, such as passwords or personally identifiable medical information.
Photocopying of any U.S. government identification card is a federal violation and is punishable by fine and imprisonment.
There are, however, certain circumstances in which a CAC may be scanned or photocopied according to DOD Instruction 1000.13 and DOD Manual 1000.13 Volume 1:
- When used by federal or governmental agencies to perform official business.
- When used as proof of identification for insurance claims when seeking medical care.
A CAC contains all of the following:
- PKI certificates
- Two digital fingerprints
- Digital photo
- Personal Identity Verification (PIV) certificate
- Organizational Affiliation
- Agency
- Department
- Expiration Date