An introduction to Multi-Factor Authentication (MFA)

Jon Spriggs (He/Him)

What is MFA?

Type: Incrementing Counters



First released by Security Dynamics in 1993 [Citation]
Now – 2   Now – 1   Now       Now + 1   Now + 2
942870    070618    140504    890059    692790


HMAC-based One-Time Passcode (HOTP)

Released by OATH in 2005 as RFC4226

Time-based One-Time Passcode (TOTP)

Released by OATH in 2011 as RFC6238, most commonly referred to as “Google Authenticator” codes.
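The HOTP and TOTP slides above describe the two OATH algorithms only by name, so here is an added worked example (not part of the original presentation) that implements both from RFC 4226 and RFC 6238 using only the Python standard library. The function names (hotp, totp, verify_totp) and the verifier's drift window are my own choices; the key is the published RFC test-vector secret, not a real credential, and the function bodies follow the truncation steps in RFC 4226 section 5.3.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) in plain Python.

Added example, not code from the original slides. Standard library only.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional

# ASCII key used for the test vectors in RFC 4226 Appendix D and RFC 6238
# Appendix B (SHA-1 column). A constructed/public value, never a real secret.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """Compute an HOTP value (RFC 4226 section 5.3).

    1. HS = HMAC(K, C), where C is the counter as an 8-byte big-endian integer.
    2. Dynamic truncation: the low nibble of the last HMAC byte is an offset;
       read 4 bytes from there and clear the top bit to get a 31-bit integer.
    3. Reduce modulo 10^digits and left-pad with zeros.
    """
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, algorithm).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: Optional[float] = None, step: int = 30,
         t0: int = 0, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """Compute a TOTP value (RFC 6238): HOTP with counter T = floor((now - T0) / X).

    step is X (30 seconds by default, which is what "Google Authenticator"
    style apps use) and t0 is the Unix epoch unless a deployment says otherwise.
    """
    if for_time is None:
        for_time = time.time()
    counter = (int(for_time) - t0) // step
    return hotp(secret, counter, digits, algorithm)


def verify_totp(secret: bytes, candidate: str, for_time: Optional[float] = None,
                step: int = 30, window: int = 1, digits: int = 6) -> bool:
    """Server-side check of a submitted code.

    Accepts the code for the current time step and `window` steps either side
    to tolerate clock drift, and compares in constant time so the comparison
    itself does not leak which digits matched.
    """
    if for_time is None:
        for_time = time.time()
    for drift in range(-window, window + 1):
        expected = totp(secret, for_time + drift * step, step=step, digits=digits)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


if __name__ == "__main__":
    # Reproduce the RFC 4226 HOTP vectors (counter 0..9) and the RFC 6238
    # 8-digit SHA-1 vectors for a few fixed timestamps.
    for c in range(10):
        print(f"HOTP counter {c}: {hotp(RFC_TEST_SECRET, c)}")
    for t in (59, 1111111109, 1111111111, 1234567890, 2000000000):
        print(f"TOTP at t={t}: {totp(RFC_TEST_SECRET, t, digits=8)}")
    print("live 6-digit code:", totp(RFC_TEST_SECRET))
```

Two points worth noticing when reading the code: a 6-digit and an 8-digit code for the same step are not prefixes of each other (both are the same 31-bit number reduced modulo a different power of ten), and the verifier's window is the only thing that makes the scheme usable across slightly skewed clocks, so keep it small; a real deployment also records the last accepted step so the same code cannot be replayed inside the window.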

Client Certificates

The workflow of a typical TLS Server and Client Key Exchange in Web Servers (Source: Comodo)

The workflow of a Kerberos sign-in with an x509 client certificate (Source: Microsoft)

Personal Identity Verification (PIV) Smartcards
Also Commercial Identity Verification (CIV) Smartcards

An example of the Department of Defense “Common Access Card” PIV Smartcard. Specified in FIPS 201.

An example of the NHS PIV-style Smartcard.

EMV Smartcards

EMV Chip Authentication Program (CAP) device (Source: Wikipedia)

Hardware Tokens

Other vendors are available

U2F and WebAuthn

U2F was created by Google and Yubico for the FIDO Alliance. The FIDO Alliance built on this and submitted a proposal to the W3C to create WebAuthn, which has held W3C “Recommendation” status since 2019.

Yubico OTP

(Source: Yubico)
Bless you

Application Based

What do I use?

Enable MFA


Jon Spriggs (He/Him)

Picture of Jon wearing a Red Hat