2022-04-08
On the ordering of password and MFA challenges during login
Suppose that you have a system where to log in or authenticate, people must both have a password and pass an MFA challenge. In some such systems, you can choose whether the MFA challenge or the password comes first (for example, this is generally the case with SSH, because both passwords and MFA are usually handled in PAM and PAM runs its modules in the order you list them). When this came up for us in our move from Yubikeys to MFA, I thought about it a bit and decided that passwords should come first.
SSH logins are a somewhat unusual environment because the server starts out knowing the login name. In environments such as web single sign on, you often don't start out knowing the login name, so it's natural to gather the login and the password together, then go to MFA. If MFA is only enabled for some users, you may need to authenticate the user before you can even tell whether MFA applies to them, and your MFA environment may not cope with being handed a user who isn't enrolled. So you may be forced to verify passwords first by the requirements of the software or system.
But if you do get to choose, my view is that you should put passwords first, and then stop if password authentication fails (in a PAM stack that means marking the password module 'requisite', because a failing 'required' module still lets the stack run on to the MFA module, which defeats the point). The problem with putting MFA first is that you're giving attackers the ability to spam your users with MFA challenges delivered to their devices, and possibly setting off rate limits and 'this login should be temporarily disabled' lockouts in your MFA system (or your MFA provider, if you've outsourced this). In some environments, this is not even an actual determined attacker but instead some automated script that's probing accessible systems on the Internet with a canned list of login names. Needless to say, you don't want to give random people on the Internet the ability to spam your people with MFA challenges.
The argument for doing it the other way around is to block password guessing attacks. If you check passwords first, an attacker can tell whether they have the right password by whether or not they get an MFA challenge; once they have the password right, they can concentrate their MFA attack on that single known-good authentication run. If you force people to first pass the MFA challenge, life is more difficult for the attacker who wants to attack or verify passwords, because a wrong password and a refused MFA challenge look the same from the outside.
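To make the trade-off in the last two paragraphs concrete, here is a small model of the login stack, written for this page and not taken from the post or from any real PAM module or MFA provider. It replays a constructed, scanner-style guess list against three behaviours: passwords first with a stop on failure (PAM 'requisite'), passwords first but with the stack running on regardless (PAM 'required'), and MFA first. The user accounts, the MfaProvider class, and the guess list are all made up for the example; the provider only counts challenges, where a real one might also rate-limit or lock the user.

```python
from dataclasses import dataclass, field

# Constructed sample accounts: login name -> password. Both are MFA-enrolled.
USERS = {"alice": "correct horse", "bob": "hunter2"}


@dataclass
class MfaProvider:
    """Stand-in for a push or OTP provider (hypothetical, not a real API).

    It only counts how many challenges each login name receives. Note that
    it is also handed names it has never heard of ("root" below), which is
    the "non-MFA user" case a real provider may not handle gracefully.
    """
    pushes: dict = field(default_factory=dict)

    def challenge(self, login_name, user_approves):
        self.pushes[login_name] = self.pushes.get(login_name, 0) + 1
        return user_approves


def check_password(login_name, password):
    return USERS.get(login_name) == password


def login(order, mfa, login_name, password, user_approves_mfa=False):
    """One authentication attempt; returns what the client gets to observe.

    order selects the stack behaviour:
      "password-first"    wrong password stops the stack before any MFA
                          challenge (PAM 'requisite' semantics).
      "password-required" password checked, but the stack runs on to the
                          MFA module anyway (PAM 'required' semantics).
      "mfa-first"         MFA challenge issued before the password is read.
    Returns "ok", "password-rejected" or "denied".
    """
    if order == "password-first":
        if not check_password(login_name, password):
            return "password-rejected"  # no MFA prompt follows: an oracle
        return "ok" if mfa.challenge(login_name, user_approves_mfa) else "denied"
    if order == "password-required":
        pw_ok = check_password(login_name, password)
        mfa_ok = mfa.challenge(login_name, user_approves_mfa)  # push goes out anyway
        return "ok" if pw_ok and mfa_ok else "denied"
    if order == "mfa-first":
        if not mfa.challenge(login_name, user_approves_mfa):
            return "denied"  # password never examined, nothing leaks
        return "ok" if check_password(login_name, password) else "denied"
    raise ValueError(f"unknown order {order!r}")


def probe(order, guesses):
    """Replay a canned (login, password) list the way a scanner or a
    password-guessing attacker would, with the real user never approving
    an MFA prompt.

    Returns (pushes per login name, guesses the attacker can confirm as
    correct from the responses alone, count of password rejections that a
    monitoring rule could alarm on).
    """
    mfa = MfaProvider()
    confirmed = set()
    rejected = 0
    for name, pw in guesses:
        result = login(order, mfa, name, pw)
        if result == "password-rejected":
            rejected += 1
        elif order == "password-first" and result == "denied":
            # Reaching the MFA stage at all means the password was right.
            confirmed.add((name, pw))
    return mfa.pushes, confirmed, rejected


# Constructed guess list: a scanner's canned names, plus two correct guesses
# standing in for a password the attacker has obtained elsewhere.
GUESSES = [
    ("alice", "password"), ("alice", "123456"), ("alice", "correct horse"),
    ("bob", "password"), ("root", "toor"), ("bob", "hunter2"),
]

if __name__ == "__main__":
    for order in ("password-first", "password-required", "mfa-first"):
        pushes, confirmed, rejected = probe(order, GUESSES)
        print(f"{order:18} pushes={pushes} confirmed={sorted(confirmed)} "
              f"password_rejections={rejected}")
```

Running it shows the two sides of the argument side by side: with passwords first, six guesses produce only two pushes (one per correct password) and four password rejections you can alarm on, but the attacker learns exactly which two passwords were right. With MFA first, or with a 'required' password module that does not stop the stack, every guess turns into a push to somebody's device, including one for a login name that doesn't exist, and nothing in the responses tells the attacker anything about the passwords.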
For systems that are generally visible and generally open to probing, I come down strongly on the side of passwords first because of the issue of MFA spam. For internal systems that already have very limited access, I guess you can make an argument for MFA first. But if they have limited access and low usage, perhaps you should leave passwords first and have alarms trigger if there's any probing of them worth mentioning.