Multi-Factor Authentication for Login Security
Doghouse

As an alternative to passwords, maddog looks at various types of multi-factor authentication, as well as considerations drawn from his experience.
Recently a large, closed source software company announced their operating system would allow the user to opt out of using passwords. They indicated that passwords were difficult to manage (agreed), and many times people forget them or use the same passwords for many accounts (which many people do), so now users will be given the ability to use multi-factor authentication (MFA) to avoid using passwords and instead use some other authentication methods to protect themselves. Sounds great … on the surface.
I already know of people that are using their phones to do MFA. When you log in to some web service for the first time during a login session, a message gets sent to your smartphone to acknowledge that someone is trying to log on to your account and to verify that the person is you.
However, using your smartphone has some issues.
You may not own a smartphone. Many of my friends are (cough) "older" and only have "burner" phones (also known as flip phones) that cannot run applications. Of course, many burners can receive SMS messages and be verified through that. However, MFA using phones puts an extra importance on phones being available all the time. If the phone is unavailable (discharged, lost, stolen), in an area where phones are not allowed (secure areas), or a cell phone signal is not available, then a person might inadvertently be locked out of their accounts.
It is important to know that most of these MFA techniques do not rely on the phone as much as they rely on the International Mobile Subscriber Identity (IMSI) number that is assigned to your SIM card. If your phone breaks down, you can simply take the SIM card out and put it into another phone. If the SIM card is lost, you can report it to the mobile phone company and get a replacement SIM card that will have the same phone number (IMSI) associated. However, it may take some time to get a replacement SIM and put it in a new phone.
Another way of doing MFA is using a type of "key" that is available from various companies. These keys (usually small enough to fit on a keychain) are inserted into the USB port of your laptop or phone and/or use NFC to connect with a device as you try to access your accounts (including your login account). Various operating systems as well as various web browsers and cloud-based applications allow these keys to be part of their MFA. Some of these keys are fairly expensive. While this expense may be easily justified from a business perspective, the average person may not want to pay for two (one to use and one to be kept in a secure place as a backup). Of course these keys may be lost or stolen like a phone – therefore requiring a backup key or other MFA path.
Other key types are "smart card"-type devices, which use either contact (needs to be inserted or otherwise scanned) or contact-less NFC technology to verify that the user is physically present. Sometimes these cards have storage on them that can hold details such as health or financial information. Typically these cards are associated with a personal identification number (PIN) to help protect them if lost or stolen. Again, these cards and the management of them can be fairly expensive, and the cards can be damaged relatively easily in adverse environments.
My laptop has both a webcam built in and a fingerprint reader. While both facial recognition and fingerprint recognition have security issues by themselves, when you put them together along with the physical access to a particular device (the laptop, for instance), they can create a much more secure system for logging into that device.
All of these methods, and more, can be used for MFA. One of the problems is, will the user use them? And how complex will it become for people to actually access their systems and data?
A recent webinar on password-less logins stated: "Join Cybersecurity experts … to discuss why users will be more likely to adhere to security best practices if they are empowered to manage and renew their credentials without your IT team's help."
Right. I remember how much users hated even simple passwords to log in to their systems. The more complicated the system was, the more they needed help. People who need help in adding an application to their smartphone are going to have some issues in setting up MFA to work across their various devices, various websites, and various applications.
FOSSH has the tools (MFA, PAM, SELinux or AppArmor, encryption of filesystems and data, among others) to do this well. It is time to start planning how to use MFA in your community or business.