
It is an established fact that the error message of login pages should not specify whether the password or the id is the problem.

But for an application with multi-factor authentication, should we ask for another factor only when the login/password pair is correct, or every time, and only then send a message "authentication failed" if either one is incorrect?

The classic option is, in my opinion, better UX, as you do not make the user reach for his phone, USB key, or whatever his second factor is.

The always-ask option, on the other hand, prevents an attacker from verifying whether he got the right password.

So the question is: should we ask for every factor every time, or only after the previous one is validated?

Note: for the SMS kind of multi-factor, sending the SMS when the username exists but the password is wrong is debatable, but please do not take it into account, as it would needlessly broaden the question.

Sefa
  • Most systems I've seen don't tell you which one is wrong. They just tell you that something did not work and ask you to try again. Some of the SMS tokens will be time based anyway so they won't have to receive another token, they can reuse the existing one. – sir_k May 24 '18 at 10:11
  • Related: https://security.stackexchange.com/questions/162637/two-factor-authentication-why-ask-for-password-first – Anders May 24 '18 at 10:32
  • should depend on how many factors you have. – Krrish Raj May 24 '18 at 12:28
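As an added illustration of the two flows the question contrasts (example code written for this page, not from the question or any commenter; the user store, salt and TOTP secret are constructed demo values): `sequential_login` returns a different result once the password is accepted, which is exactly the password oracle the "always ask" variant removes, while `combined_login` collects both factors, always checks both (against a dummy record when the user is unknown) and returns one opaque failure.

```python
import hashlib
import hmac
import struct

# Constructed demo user store: PBKDF2 password hashes plus a raw TOTP secret per user.
def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = b"demo-salt-0123"
USERS = {
    "alice": {"salt": _SALT, "pw": _pw_hash("correct horse", _SALT), "totp": b"alice-secret-123"},
}
# Dummy record verified for unknown usernames, so the work done (and thus the
# response time) does not depend on whether the username exists.
_DUMMY = {"salt": _SALT, "pw": _pw_hash("dummy", _SALT), "totp": b"dummy-secret-000"}

def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s time step, dynamic truncation)."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"

def sequential_login(username: str, password: str) -> str:
    """'Classic' flow: the second factor is requested only once the password is accepted.
    The two distinct outcomes let a client confirm a password without owning the second factor."""
    rec = USERS.get(username)
    if rec and hmac.compare_digest(_pw_hash(password, rec["salt"]), rec["pw"]):
        return "second_factor_required"
    return "authentication_failed"

def combined_login(username: str, password: str, code: str, now: int) -> str:
    """'Always ask' flow: both factors are submitted together and both are always verified,
    so a wrong password and a wrong code produce the same response."""
    rec = USERS.get(username, _DUMMY)
    pw_ok = hmac.compare_digest(_pw_hash(password, rec["salt"]), rec["pw"])
    code_ok = hmac.compare_digest(totp(rec["totp"], now), code)
    # Bitwise & rather than 'and': both checks have already run, no short-circuit on pw_ok.
    ok = pw_ok & code_ok & (username in USERS)
    return "authenticated" if ok else "authentication_failed"
```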

0 Answers