The shift from "two factor" to "multi-factor" authentication

April 29, 2021

While I wasn't paying attention, something interesting happened to authentication terminology; what was once called "two factor authentication" has now become "multi-factor authentication", or at least people now mostly talk about MFA instead of 2FA. Some sources will say that there's a difference between MFA and 2FA, while others consider MFA to just be the new name for 2FA (see, for example, how the PCI standard shifted to using "MFA").

Most of my exposure to 2FA and MFA comes from people talking about specific systems to do this. My impression and memory is that in the old days, the 2FA systems that people talked about were always based around specific tokens or items; you might have a 2FA system with Yubikeys or another one using RSA security tokens (or SMS text messages with authentication codes). The modern MFA systems I've been exposed to promise to authenticate users with a second factor somehow, but they have multiple options for the second factor; the university's chosen MFA system supports either an on-phone application or an OTP hardware token.

If people's model of '2FA' systems was that they were tied to a specific second factor or required a hardware second factor, then I can imagine that the rise of the smartphone made this a less and less attractive thing over time. My memory is that the first wave of using cellphones and smartphones for additional authentication was SMS text messages or calls, which are now considered not a good idea because they're too easy to intercept (cf). The second wave used various one-time password apps on your smartphone (which were sometimes interchangeable, for instance if they implemented RFC 6238 TOTP). When I got my smartphone I installed several such OTP apps, but never actually used any of them. At the time these seemed to be called two-factor authentication apps.

(I have a memory of reading arguments over whether an OTP app on your smartphone really counted as a 'second factor' for various reasons that I've now mostly forgotten.)

The modern smartphone app approach seems to be a custom application that interacts with a vendor specific backend network service in private ways. Microsoft has one, Duo has one, and so on, and presumably the end result is more secure than TOTP authenticators for various reasons. It certainly promotes more vendor lock-in (and more apps on your phone). But as demonstrated by the university, organizations don't (or can't) stop with only smartphone based authentication; they want the additional possibility of authentication through hardware tokens. So we get MFA systems that support multiple additional factors for authentication, depending on what the solution supports, what the person is enrolled for, and what they choose for any specific authentication attempt.

(Even with smartphones I believe most systems allow you to enroll more than one device.)

In any case, this shift in terminology from "two-factor" to "multi-factor" authentication is one that I find personally interesting, partly because it happened behind my back. Whether or not there's a real difference between them, it feels like they mean somewhat different things, with "multi-factor" being broader than "two-factor", and the shift itself is a sign that how people think about the whole area has changed. We've moved out to a wider and more complicated universe of authentication, one with more choices and probably more confusion.

PS: It's possible that these special MFA smartphone apps also require you to authenticate yourself to them with a fingerprint or some other biometric method that the device supports. With a password added, this would theoretically give the system a three-factor authentication: knowing the password, having your phone, and being the person with the right fingerprints.

Comments on this page:

By James (trs80) at 2021-04-30 04:07:32:

OTP apps on a smartphone are arguably not a second factor when used to log into another app on the same smartphone (unless protected by biometrics), since the thing you have is not distinct. Modern OTP apps can use push notifications which is good since you can't clone the OTP key but less good since they are proprietary protocols and you have to use the MFA provider's app.

Beyond MFA but including it is what is variously called conditional access (M365), context-aware access (Google), or adaptive authentication (Duo), which allows or denies or prompts for MFA based on other conditions, such as location (by IP address, Tor endpoint), device (BYOD or company-owned and managed, AV installed, phone has a passcode) and application.

Written on 29 April 2021.
Last modified: Thu Apr 29 00:21:50 2021