Multi-Factor Authentication for Login Security


Article from Issue 253/2021

As an alternative to passwords, maddog looks at various types of multi-factor authentication, as well as considerations drawn from his experience.

Recently a large, closed source software company announced their operating system would allow the user to opt out of using passwords. They indicated that passwords were difficult to manage (agreed), and many times people forget them or use the same passwords for many accounts (which many people do), so now users will be given the ability to use multi-factor authentication (MFA) to avoid using passwords and instead use some other authentication methods to protect themselves. Sounds great … on the surface.

I already know of people that are using their phones to do MFA. When you log in to some web service for the first time during a login session, a message gets sent to your smartphone to acknowledge that someone is trying to log on to your account and to verify that the person is you.

However, using your smartphone has some issues.

You may not own a smartphone. Many of my friends are (cough) "older" and only have "burner" phones (also known as flip phones) that cannot run applications. Of course, many burners can receive SMS messages and be verified through that. However, MFA using phones puts an extra importance on phones being available all the time. If the phone is unavailable (discharged, lost, stolen), in an area where phones are not allowed (secure areas), or a cell phone signal is not available, then a person might inadvertently be locked out of their accounts.

It is important to know that most of these MFA techniques do not rely on the phone as much as they rely on the International Mobile Subscriber Identity (IMSI) number that is assigned to your SIM card. If your phone breaks down, you can simply take the SIM card out and put it into another phone. If the SIM card is lost, you can report it to the mobile phone company and get a replacement SIM card that will have the same phone number (IMSI) associated. However, it may take some time to get a replacement SIM and put it in a new phone.

Another way of doing MFA is using a type of "key" that is available from various companies. These keys (usually small enough to fit on a keychain) are inserted into the USB port of your laptop or phone and/or use NFC to connect with a device as you try to access your accounts (including your login account). Various operating systems as well as various web browsers and cloud-based applications allow these keys to be part of their MFA. Some of these keys are fairly expensive. While this expense may be easily justified from a business perspective, the average person may not want to pay for two (one to use and one to be kept in a secure place as a backup). Of course, these keys may be lost or stolen like a phone – therefore requiring a backup key or other MFA path.

Other key types are "smart card"-type devices, which use either contact (needs to be inserted or otherwise scanned) or contact-less NFC technology to verify that the user is physically present. Sometimes these cards have storage on them that can hold details such as health or financial information. Typically these cards are associated with a personal identification number (PIN) to help protect them if lost or stolen. Again, these cards and the management of them can be fairly expensive, and the cards can be damaged relatively easily in adverse environments.

My laptop has both a webcam built in and a fingerprint reader. While both facial recognition and fingerprint recognition have security issues by themselves, when you put them together along with the physical access to a particular device (the laptop, for instance), they can create a much more secure system for logging into that device.

All of these methods, and more, can be used for MFA. One of the problems is, will the user use them? And how complex will it become for people to actually access their systems and data?

A recent webinar on "password-less logins" stated: "Join Cybersecurity experts … to discuss why users will be more likely to adhere to security best practices if they are empowered to manage and renew their credentials without your IT team's help."

Right. I remember how much users hated even simple passwords to log in to their systems. The more complicated the system was, the more they needed help. People who need help in adding an application to their smartphone are going to have some issues in setting up MFA to work across their various devices, various websites, and various applications.

FOSSH has the tools (MFA, PAM, SELinux or AppArmor, encryption of filesystems and data, among others) to do this well. It is time to start planning how to use MFA in your community or business.

The Author

Jon "maddog" Hall is an author, educator, computer scientist, and free software pioneer who has been a passionate advocate for Linux since 1994 when he first met Linus Torvalds and facilitated the port of Linux to a 64-bit system. He serves as president of Linux International®.
