
Multi-factor authentication is obviously a lifesaver for passwords, i.e. things that can easily leak (peeking, guessing, stealing, ...). A second/third/... factor of another kind considerably reduces the risk.

This is less obvious for hardware tokens/cards (the "something you have") - they can get lost or stolen, but you usually mean it. Still, having an extra factor helps.

For biometrics, the risk is even lower because you either need to correctly bring the factor to the sensor (grabbing an eye or cutting off a finger would not usually work), or to kidnap someone for their biometrics, and then there is probably much more at stake. A second factor is, IMO, only a nice to have.

What I mean in general is that the nature of the unique factor drives the "absolute need" vs the "nice to have" of consecutive factors.

The above is a reflection of mine and I am not expecting a discussion here (because it is not the nature of this site and the question will be closed as opinion-based), but a reference to either a standard or a good write-up on the topic.

I could not find anything besides the general "you need more factors" (this includes NIST).

WoJ
  • Are you asking that if the first factor was something you have or something you are, if a second factor is needed? To say another way, if they're only needed because the first factor is so bad? – foreverska May 23 '22 at 14:11
  • @foreverska: yes, and that the level of "badness" of the first factor drives either the *need* or just the "*nice to haveness*" of a second/third/... one. – WoJ May 23 '22 at 14:14
  • Interested to see the answer to that. I'd probably spout something about defense in depth to a client when pressed, but that does not a study make. If there were a remote attack on the security of a token or phone containing a token app, a password might just save an account, no matter its badness. Passwords are often bad, but it takes two very disparate attacks to gain both something one knows and has. – foreverska May 23 '22 at 14:31
  • You are asking for an established risk formula on an undefined subject of risk. You put in controls to reduce risk. You assess the risk and determine how the controls will reduce the risk. I'm not sure that there *can be* a determined formula for logins since you need to account for the impact of threats on the accounts. – schroeder May 23 '22 at 14:45
  • @schroeder: no, I am rather asking about actual studies on MFA because what you usually get is "MFA is important" without a real risk analysis of factors in the context of other factors. – WoJ May 23 '22 at 14:47
  • Yes, just like "a firewall is important" but there are no actual studies on how. There are risk analyses of factors, just not quantifiable. I'm still not sure what you are looking for. – schroeder May 23 '22 at 15:26
  • Zero Trust methodologies are going to create complexity for what you appear to be asking for. They ***definitely*** provide quite a few risk factors to consider, but it is all in *context*. I'm not getting the sense that you have a defined risk context for your question. – schroeder May 23 '22 at 15:27
  • 1
    I'll go back to my original point: MFA is a *control*. Controls mitigate *risk*. You can't have a "this thing mitigates all risks in all contexts in this way" answer.. – schroeder May 23 '22 at 15:29

0 Answers