An introduction to Multi-Factor Authentication (MFA)
Jon Spriggs (He/Him)
What is MFA?
Type: Incrementing Counters
First released by Security Dynamics in 1993 [Citation]
Diagram: window of accepted codes around the current value, Now – 2 | Now – 1 | Now + 1 | Now + 2
HMAC-based One Time Passcode (HOTP)
Released by OATH in 2005 as RFC 4226.
Time-based One Time Passcode (TOTP)
Released by OATH in 2011 as RFC 6238; most commonly referred to as “Google Authenticator” codes.
The workflow of a typical TLS Server and Client Key Exchange in Web Servers (Source: Comodo)
The workflow of a Kerberos sign-in with an x509 client certificate (Source: Microsoft)
Personal Identity Verification (PIV) Smartcards
Also Commercial Identity Verification (CIV) Smartcards
An example of the Department of Defense “Common Access Card” PIV Smartcard, as specified in FIPS 201.
An example of the NHS PIV-style Smartcard.
EMV Chip Authentication Program (CAP) device (Source: Wikipedia)
Other vendors are available
U2F and WebAuthn
U2F was created by Google and Yubico for the FIDO Alliance. The FIDO Alliance built on this and submitted a proposal to the W3C to create WebAuthn, which has held “Recommendation” status since 2019.
What do I use?