
Is there a best practice or rule of thumb for the impact of introducing two-factor authentication on the required entropy of a used password?

Say we consider 80 bits of entropy to be sufficient for passwords of a specific system. If we introduce a second factor (something you have) does this lower the entropy required for this password?

JFB
    Please don't use entropy as a measure of password complexity. It is flawed because the quality of human-selected passwords is not well-modelled by statistical entropy, but instead by psychological factors. For example, "q1w2e3r4tr5yt6u7i8o9p0" has fairly high information entropy when measured independently, but common keyboard patterns like this are well known and quickly cracked in practice. – Polynomial Mar 13 '19 at 11:29
  • I was not talking of human-selected passwords, but randomly generated passwords, where you can measure the entropy based on the recipe used by the password generator. – JFB Mar 13 '19 at 13:57

1 Answer


Lowering password complexity requirements after introducing a 2nd factor for authentication has no benefits. If you increase security in one place, just to lower it in another place, you're just wasting your time. And in the case that one of your users loses their token/smartcard/2nd factor to an attacker, that attacker would have a weaker system to attack, therefore raising his/her chances to breach the system*.

The goal of multi-factor authentication is to make it even harder/more expensive for an attacker to circumvent your authentication process.

So the "best practice" for 2FA in your case is to not lower the already established minimum requirements. A 2nd factor should be treated as an addition to the system's security, not as a substitution.


*If we set aside rate limiting, IDS/IPS, account lockout, etc. for a second.

SeeYouInDisneyland
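The two calculations the thread turns on, worked through as an added example (this code is not part of the question or the answer): the entropy of a generated password follows directly from the generator's recipe (alphabet size and length, each character drawn uniformly), and once one factor is in an attacker's hands the guessing work left is only that of the remaining factor. The factor names, the 62-symbol alphanumeric alphabet and the 6-digit one-time-code figure are assumptions chosen for illustration; the "bits add" model assumes independent factors that must both be guessed (rate limiting and lockout set aside, as the answer's footnote does).

```python
import math
import secrets
import string

# Constructed recipe for a password generator: an alphabet and a length,
# each character drawn uniformly and independently from the alphabet.
ALPHANUMERIC = string.ascii_letters + string.digits  # 62 symbols


def recipe_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a password drawn uniformly from alphabet_size**length
    equally likely strings. Valid for generator output only; it says nothing
    about human-chosen passwords (see Polynomial's comment above)."""
    if alphabet_size < 2 or length < 1:
        raise ValueError("need an alphabet of at least 2 symbols and length >= 1")
    return length * math.log2(alphabet_size)


def length_for_bits(alphabet_size: int, target_bits: float) -> int:
    """Smallest length whose recipe reaches target_bits (e.g. the 80 bits
    mentioned in the question)."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def generate(alphabet: str, length: int) -> str:
    """Produce a password matching the recipe using the CSPRNG in `secrets`."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def residual_bits(factor_bits: dict, compromised: set) -> float:
    """Guessing work (in bits) an attacker still faces when they already hold
    the factors named in `compromised`. Assumption: the factors are independent
    and must all be guessed, so their search spaces multiply and bits add."""
    return sum(bits for name, bits in factor_bits.items() if name not in compromised)


if __name__ == "__main__":
    # Password strong enough on its own (>= 80 bits) versus a weakened one.
    strong_len = length_for_bits(len(ALPHANUMERIC), 80)
    strong = recipe_bits(len(ALPHANUMERIC), strong_len)
    weakened = recipe_bits(len(ALPHANUMERIC), 10)
    otp = recipe_bits(10, 6)  # assumed 6-digit one-time code, per attempt
    print(f"{strong_len} alphanumeric chars -> {strong:.1f} bits, e.g. {generate(ALPHANUMERIC, strong_len)}")
    print(f"strong pw + OTP, attacker holds the OTP device: {residual_bits({'password': strong, 'otp': otp}, {'otp'}):.1f} bits left")
    print(f"weakened pw + OTP, attacker holds the OTP device: {residual_bits({'password': weakened, 'otp': otp}, {'otp'}):.1f} bits left")
```

With the second factor compromised, the first scenario still leaves the attacker the full 80-plus bits of the password, whereas the second leaves under 60; that difference is the answer's point that the second factor should add to, not substitute for, the password requirement.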