
For example, the Microsoft Outlook web-based email service can be configured to require both a username/password combination and a time-based one-time password (TOTP) generated by the algorithm described in RFC 6238. This will frequently be implemented in software applications: TOTPs from something like Google Authenticator or oathtool, and the username/password in a password management tool such as KeePass. These tools could either be on the same device or on different devices.

From a user's point of view these seem really similar, as in you have a bit of software protected by a device password (and perhaps another different one depending on the setup) that gives a secret that is entered into a text field on a web site. It would seem that the threat profiles of both are similar, both being susceptible to either physical or remote compromise.

Does this meet the definition of multi-factor authentication? Does the answer depend on if the tools are on one device or 2 different devices?

User65535
  • This has been asked several times in various ways here: the answer is that the "factors" are not about what the *user* experiences, but what the *authentication system* requires. Putting a password in a physical safe that requires biometrics to open does not mean that Outlook now has biometric security. – schroeder May 23 '22 at 11:37
  • I am sorry if this has been asked; the best I found was [this one](https://security.stackexchange.com/questions/175657/is-using-desktop-2fa-clients-like-authy-desktop-a-good-practice), which said it is better but does not address if it counts as MFA. If you link to one that addresses the question then of course this can be marked duplicate. I thought the core distinction of MFA is that it must be susceptible to different threats; if, say, a single act of compromising a device can break both methods then it is not MFA. – User65535 May 23 '22 at 11:49
  • It has nothing to do with the user-side threats. The *factors* of *authentication* are viewed by the authenticating service. – schroeder May 23 '22 at 11:51
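
An added example, not part of the original question or comments: a minimal RFC 6238 TOTP generator next to a service-side check that requires both the password and the current code. It shows that the code is a deterministic function of a stored seed and the clock, and that the service checks two separate secrets regardless of where the user keeps them. The `Account` class, the PBKDF2 parameters and the one-step acceptance window are assumptions made for illustration, and the seed is the RFC 4226/6238 test key.

```python
import hashlib
import hmac
import os
import struct

STEP = 30  # seconds per time step (RFC 6238 default)

def totp(seed: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1 and RFC 4226 dynamic truncation."""
    counter = struct.pack(">Q", int(unix_time) // STEP)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of last byte selects 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Account:
    """Hypothetical service-side record: salted password hash plus TOTP seed."""

    def __init__(self, password: str, seed: bytes):
        self.salt = os.urandom(16)
        self.pw_hash = hash_password(password, self.salt)
        self.seed = seed

    def verify(self, password: str, code: str, now: int, window: int = 1) -> bool:
        # Both checks always run; the service only sees two submitted secrets.
        pw_ok = hmac.compare_digest(hash_password(password, self.salt), self.pw_hash)
        code_ok = any(
            hmac.compare_digest(totp(self.seed, now + i * STEP), code)
            for i in range(-window, window + 1)  # tolerate small clock drift
        )
        return pw_ok and code_ok

# Constructed sample values; SEED is the published RFC test key, not a real secret.
SEED = b"12345678901234567890"
PASSWORD = "correct horse battery staple"
ACCOUNT = Account(PASSWORD, SEED)

if __name__ == "__main__":
    now = 59
    code = totp(SEED, now)  # any holder of SEED computes the same code
    print(code, ACCOUNT.verify(PASSWORD, code, now))
    print(ACCOUNT.verify(PASSWORD, "000000", now))   # password alone fails
    print(ACCOUNT.verify("wrong", code, now))        # code alone fails
```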
