
Say I have two websites with 2FA mechanisms that are otherwise identical.

Mechanism 1

You have to enter a PIN into your Token Generator in order to retrieve your One Time Password. On the website, you then use your password and the OTP by itself to login.

Mechanism 2

On the other, the OTP is accessible just by physically having the device. On the website you enter your password and then [PIN] + OTP.

I wondered if there was a provable difference in the security provided by these two methods? Are they equal and is it purely a design choice, or are there further considerations to make?

For example, it's clear to me that in Mechanism 2 it's at least possible to have the PIN intercepted electronically. After which, an attacker would just need temporary access to your Token Generator to login. But then, if the attacker is physically local they could probably gain your PIN some other way (CCTV, shoulder surfing etc.).

Dan

2 Answers


In the process of authentication the user enters a password (something he knows) and an OTP value, which was generated by "something he owns" - the token generator.

I think you can change the first component "something he knows" in this way, so that it provides the same security level in mechanism 1 and mechanism 2.

In my opinion it is important to take a look at the possession, "something he owns". So the question is, what kind of OTP generator are you using here? What are the attack vectors for this token generator?

Imagine you have a hardware token generator, then an attacker really needs physical access to the device. (Let us assume that the secret key was not compromised during delivery of the hardware.)

On the other hand, if you are using a software OTP generator like a smartphone app, the possession might be prone to additional attack vectors, i.e. imagine the storage of the user's smartphone being copied by an attacker's rogue program. Then it might be a good idea to use mechanism 1, and use the local smartphone PIN to encrypt the secret in the smartphone storage. This would protect against remote attacks on the smartphone storage - remote attacks on physical hardware are "not possible".

So in my opinion: If you have a real possession factor, one that is not online attackable, you do not need a local PIN.

And: When logging in to the website you do not need Password + PIN + OTP. Two "knowledges" are as good as one knowledge. So simply use Password + OTP.

cornelinux

I will basically give the same answer as @cornelinux, but from a different angle.

Threat Model

Whenever you're comparing two security options against each other, you need to first consider the threat models they are protecting against. Only when they are protecting the same thing can you compare apples-to-apples.

PIN on server: here the PIN is acting as a second password. (Do you actually gain anything from a second password?)

PIN on device: here you are protecting the OTP from an attacker who has physical access to the device. Essentially this is acting as a second device lock-screen, but one that users can't choose to disable out of convenience.

Mike Ounsworth
  • it is always a sensible approach to look at the threats and think about (and I like to write down and document this) which remaining threats one is willing to accept! – cornelinux Aug 14 '17 at 08:53
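The device-side PIN that both answers prefer (mechanism 1: the PIN unlocks the stored seed on the phone and never reaches the server), as an added example that is not part of either answer. It assumes a TOTP (RFC 6238) token, a hypothetical store layout, and a PBKDF2-derived pad as a stand-in for the authenticated encryption or platform keystore a real app would use.

```python
import hashlib, hmac, os, struct

# Constructed demo seed: the RFC 4226/6238 reference seed, shared by device and server.
SEED = b"12345678901234567890"
PBKDF2_ROUNDS = 100_000

def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(seed: bytes, unix_time: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(seed, unix_time // step)

def wrap_seed(seed: bytes, pin: str, salt: bytes = b"") -> dict:
    """Mechanism 1 device store (hypothetical layout): the PIN only unlocks the seed.
    A PBKDF2-derived pad is XORed over the seed; this stands in for the keystore or
    AES-GCM a real app would use (no integrity, pad is exactly seed-length)."""
    salt = salt or os.urandom(16)
    pad = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS, len(seed))
    return {"salt": salt, "blob": bytes(a ^ b for a, b in zip(seed, pad))}

def unwrap_seed(store: dict, pin: str) -> bytes:
    """Every PIN 'unlocks' some seed: a copied store gives no local oracle for the PIN,
    only the server (which can rate-limit) can tell a right guess from a wrong one."""
    pad = hashlib.pbkdf2_hmac("sha256", pin.encode(), store["salt"], PBKDF2_ROUNDS, len(store["blob"]))
    return bytes(a ^ b for a, b in zip(store["blob"], pad))

def device_code(store: dict, pin: str, unix_time: int) -> str:
    """What the token app displays after the user types the PIN."""
    return totp(unwrap_seed(store, pin), unix_time)

def server_accepts(seed: bytes, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Server side of mechanism 1: it holds only the seed, never the PIN.
    Accepts the current step plus/minus `window` steps for clock skew."""
    counter = unix_time // 30
    return any(hmac.compare_digest(hotp(seed, counter + d), submitted)
               for d in range(-window, window + 1))

if __name__ == "__main__":
    store = wrap_seed(SEED, "1234")
    now = 59  # RFC 6238 test time; the 6-digit code for this seed is 287082
    print(device_code(store, "1234", now), server_accepts(SEED, device_code(store, "1234", now), now))
    print(server_accepts(SEED, device_code(store, "0000", now), now))  # wrong PIN: server rejects
```

A wrong PIN still produces a six-digit code on the device, so the copied storage alone tells the attacker nothing; the rejection happens at the server, where lockout policy applies.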