An introduction to Multi-Factor Authentication (MFA)

Jon Spriggs (He/Him)

What is MFA?

Type: Incrementing Counters

SMS MFA

RSA SecurID


First released by Security Dynamics in 1993 [Citation]
Now – 2   Now – 1   Now       Now + 1   Now + 2
942870    070618    140504    890059    692790


HMAC-based One Time Passcode (HOTP)


Released by OATH in 2005 as RFC4226

Time-based One Time Passcode (TOTP)


Released by OATH in 2011 as RFC6238, most commonly referred to as “Google Authenticator” codes.

Client Certificates


The workflow of a typical TLS Server and Client Key Exchange in Web Servers (Source: Comodo)

The workflow of a Kerberos sign-in with an x509 client certificate (Source: Microsoft)

Personal Identity Verification (PIV) Smartcards
Also Commercial Identity Verification (CIV) Smartcards


An example of the US Department of Defense “Common Access Card”, a PIV smartcard as specified in FIPS 201.

An example of the NHS PIV-style Smartcard.

EMV Smartcards


EMV Chip Authentication Program (CAP) device (Source: Wikipedia)

Hardware Tokens


Other vendors are available

U2F and WebAuthn


U2F was created by Google and Yubico for the FIDO Alliance. The FIDO Alliance built on it and submitted a proposal to the W3C that became WebAuthn, which has been a W3C Recommendation since 2019.

Yubico OTP


(Source: Yubico)
Bless you

Application Based

What do I use?

Enable MFA

https://2fa.directory

Thanks!

Jon Spriggs (He/Him)

https://jon.sprig.gs

Picture of Jon wearing a Red Hat