5

I was recently asked if MFA was leveraged for authentication on endpoint devices. My gut reaction is that, given MFA is something you have, know, or are, and you need to have the laptop to log into it and you need to know the password, laptops are inherently MFA. Is this incorrect?

EDIT: I'm realizing that my wording for this question was poor. The question specifically was "Is MFA enabled to login to endpoint devices?" To that point, they're specifically talking about accessing the endpoint device, not things which that device can access.

seePatCode

3 Answers

11

In the MFA model, it is understood that the multiple factors come from outside the authenticating process itself. Else all authenticating processes are inherently MFA (itself plus the user's credentials).

So, to the laptop, it does not count itself as a factor. There would need to be more external factors, like biometrics, tokens, one time codes, etc.

schroeder
  • One thing I would note is that it would not make all authenticating processes inherently MFA. The majority of my experience with MFA is leveraging a SaaS or VPNs from an unverified or external device. Those would only be something you know and not something you have. – seePatCode Sep 12 '18 at 18:50
  • I am not sure what "outside the authenticating process itself" means. How is a particular thing inside or outside? A laptop is not usually used as a second factor because most laptops are not unique; a specially equipped laptop could most certainly be a second factor. – John Wu Sep 12 '18 at 19:08
  • @seePatCode but the fact that you are logging into that SaaS or VPN service is "something you have", which is an account on that service. The same principle would apply. – schroeder Sep 12 '18 at 19:09
  • @JohnWu the fact that you have an account on that authentication system does not make that system a factor. – schroeder Sep 12 '18 at 19:11
  • @schroeder The account you "have" on that service is not actually "something you have". You have no access to that account until after the authentication process is complete; all you have is theoretical ownership of that account, which would need to be proven in some way before it could be used as credentials. – Brilliand Sep 12 '18 at 19:16
  • @Brilliand yes, that's the entirety of my point ... – schroeder Sep 12 '18 at 19:17
  • Why are we talking about accounts now? You can't "have" an account since it is a logical concept. A laptop on the other hand could have physical features, such as a [TPM](https://en.wikipedia.org/wiki/Trusted_Platform_Module), that are verified as part of the authentication process. From that perspective it is as good as a hard token. – John Wu Sep 12 '18 at 19:22
4

Generally, having access to the laptop isn't considered MFA. What would likely be considered a part of MFA is having authenticated access to the laptop.

In the case of logging on to the laptop, every user who attempts to log in will have access to the laptop, so whether you want to consider that access MFA is a bit moot, it doesn't change your threat model.

amccormack
  • If we're talking about the laptop as a client to some service....and also some unique characteristics which can be determined about the laptop to validate the authentication (such as a client certificate, a list of OTPs in localstorage, a pre-shared secret....) to prove it is **the** laptop rather than **a** laptop. – symcbean Sep 12 '18 at 22:00
  • @symcbean No. What you are talking about is simply data. A client certificate, fancy as it is, is still just a very fancy password with some inherent mathematical properties. One-time passwords can be copied. Pre-shared secrets are simply fixed (as opposed to generated on the fly) one-time passwords, typically with a bit more entropy but still little different in concept. Being data, if it can be read, it can be copied; and to be usable by general purpose software, data *must* be readable at least by that software. Dedicated hardware tokens get around this by having a very limited interface. – user Sep 13 '18 at 09:18
  • Whereas an RSA token uses magic, not data, to generate TOTPs? Fingerprint scanners distort time and space to allow the authentication service to see your fingers rather than just sending *data*? You acknowledge that it is all data - but how do you measure the interface? Where are the standard requirements published for an acceptable level of interface for a given application? (and what application requirement does the question relate to?) Agreed that the resistance to copying / destruction / abuse varies, but to say it is impossible to do a second factor without dedicated hardware is a bit silly. – symcbean Sep 13 '18 at 10:50
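As an added illustration of the exchange above (this is example code, not from any of the thread's authors), the following minimal verifier requires both a password and a challenge-response from a pre-shared device secret, then shows what happens when that secret is copied byte for byte to a second laptop. Names such as `enroll`, `device_respond` and `verify_login` are hypothetical, and the enrolled user, password and secrets are constructed sample data.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

PBKDF2_ROUNDS = 100_000  # constructed setting for the sample verifier


def hash_password(password: str, salt: bytes) -> bytes:
    """Something you know: a salted PBKDF2-HMAC-SHA256 password hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def enroll(password: str) -> dict:
    """Server-side record: password hash plus the pre-shared device secret
    that is handed to the laptop at enrollment (it is plain data on disk)."""
    salt = os.urandom(16)
    return {"salt": salt, "pw_hash": hash_password(password, salt),
            "device_secret": secrets.token_bytes(32)}


def device_respond(device_secret: bytes, nonce: bytes) -> bytes:
    """What the laptop computes over the server's challenge (HMAC-SHA256)."""
    return hmac.new(device_secret, nonce, "sha256").digest()


def verify_login(record: dict, password: str, nonce: bytes,
                 response: Optional[bytes]) -> bool:
    """Accept only if the password matches AND the challenge response is valid."""
    pw_ok = hmac.compare_digest(hash_password(password, record["salt"]), record["pw_hash"])
    if response is None:
        return False  # no device response at all: password alone is not enough
    expected = device_respond(record["device_secret"], nonce)
    return pw_ok and hmac.compare_digest(expected, response)


def demo() -> dict:
    """Run the four cases the thread argues about and return the verdicts."""
    record = enroll("correct horse battery staple")
    nonce = os.urandom(16)
    original = device_respond(record["device_secret"], nonce)
    # A cloned laptop: the secret file was copied, so the bytes are identical
    # and the verifier has no way to tell "the" laptop from "a" laptop.
    cloned_secret = bytes(record["device_secret"])
    clone = device_respond(cloned_secret, nonce)
    return {
        "password_only": verify_login(record, "correct horse battery staple", nonce, None),
        "wrong_password": verify_login(record, "wrong", nonce, original),
        "original_device": verify_login(record, "correct horse battery staple", nonce, original),
        "cloned_device": verify_login(record, "correct horse battery staple", nonce, clone),
    }
```

The cloned device passes exactly like the original, which is the point made above: a secret the software can read is copyable data, and it only becomes a distinct "something you have" when the key is bound to hardware the host cannot export it from.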
4

The "multifactor" comes into play because two or more things that uniquely identify the individual being authenticated are required. The idea is that there are multiple parts to authenticating the specific user (you) trying to sign in.

Tim Brigham
  • Hmm, can you help me understand how a password to the laptop and having the laptop don't classify as uniquely identifying the user? The laptop is unique in and of itself. The password is unique to the user. – seePatCode Sep 12 '18 at 18:11
  • @seePatCode *"The laptop is unique in and of itself."* No; most likely, it is not. At least not unless you're willing to commit to the laptop holding some secret in some way which is inaccessible to the user, the user being given a laptop that has been specifically provisioned with a unique secret, and whatever software authenticates the laptop somehow working with this secret. Otherwise, it's just a piece of software and/or some configuration data, at which point it's just plain old "something you know". Were this not the case, a password manager on a computer would be a second factor. – user Sep 12 '18 at 19:45
  • Remember that "something you know" doesn't necessarily need to translate to "something which you keep in your brain". It often does, sometimes by proxy (that password manager again), but that's not inherent to the concept. – user Sep 12 '18 at 19:46