How is "something you have" typically defined for "two-factor" authentication?

Question

A wide range of products claim to offer "two-factor authentication" (c.v. Two-factor authentication - Wikipedia). Most are deployed as "something you have" to be used in addition to a normal password ("something you know"). Some of these "second factors" are as simple as providing a piece of paper with either one-time-passwords or information needed to respond to a simple challenge-response protocol. Others range all the way up to “hard” cryptographic tokens which cannot readily be copied. The latter is e.g. required for the NIST 800-63 (Electronic Authentication Guideline) "Level Of Assurance 4" (aka LOA 4).

For example, would a one-time-password via paper meet NIST's "LOA 3" requirements? How about the various recommendations for banking (e.g. FFIEC), or related requirements from other entities?

I know for a fact that there are still banks in central and eastern Europe that use lists of one time passwords (TANs) as a second login factor or transaction authentication. So at a certain point this method should have been within standard guidelines, they are being phased out though. — john, May 13 '11 at 23:13
@john, that's not saying much - there are some banks that claim to use "Secret Questions" as a 2nd factor... — AviD, May 14 '11 at 22:28
Maybe this is too critical, but typical for whom? In what environment? Typical 'something you have' for a national military organization is likely different from the 'something you have' to login to a corporate VPN. — this.josh, Jun 10 '11 at 01:42
@this.josh Very true. I'm looking for the most authoritative info I can find on how it is defined by the most influential sources: NIST, FFIEC, and whoever else might have one. — nealmcb, Jun 10 '11 at 18:56
I *have* to link to this: https://twitter.com/mattblaze/status/792443648520650752 — kindofwhat, Oct 31 '16 at 15:10

Jeff Ferland · Answer 1 · 2011-06-09T14:35:42.637

10

I started to ask this question to get input before discovering the one. In light of a Magistrate Judge's recommended judgement on PATCO v. People's United (which implies a horrible theory regarding multifactor authentication), I define something you have as this:

What you have must only be compromised by an attacker having physical access to what you have. This excludes:

A password written on a piece of paper (once somebody sees it, they know it)
A cookie stored on your computer
"Security questions" (They are just another password)
Your PGP key kept on a thumb drive if you plug it into a machine that has network access

That said, I would consider a paper list of 100 passwords that have no relation and are each used only once would be considered something you have. A paper list of 100 passwords that might be asked for more than once would not qualify as an attacker would be able to pretend to have access to that credential by monitoring.

Something you have must be something whose integrity can be secured by physical control. Attacks on the other side of the channel such as stealing their authentication database or breaking a cryptographic protocol don't count. If it can be compromised without an attacker's physical interference (or breaking an encryption algorithm as they are integral to demonstrating possession remotely), it is not something you have. ATM cards are a bit fuzzy that way -- a compromised ATM could provide all the track data, though what we usually see are skimmers (physical access). RSA tokens are another that I would consider something you have.

I like smartcards best because placing them in a reader won't expose their secrets, nor would compromise of the authentication database.

edited Jun 09 '11 at 14:35

answered Jun 08 '11 at 19:06

Jeff Ferland

38,090
9
93
171

3

Your conception places considerable restriction on 'something you have' not leaking any information. For example, a cut metal key for a tumbler lock is a traditional 'something you have'. Yet, since the user sees the key they know some attributes of the key: it has five teeth, it is single sided, my key is made by Yale, etc. That information leakage may allow an attacker without access to the physical key to compromise the lock. I believe a thing which meets your definition is very rare. – this.josh Jun 10 '11 at 00:38
2

A key can be secured by physical control. The use of the key does not transmit information (the lock is local), so an attacker's physical interference is required. That meets the standards I defined. That a user can convey all the information about the key, or all the information from a one time password list does not preclude either of them from being something you have. Neither is compromised through their normal usage. – Jeff Ferland Jun 10 '11 at 19:16
Isn't a password written on a piece of paper as physically controlable as a metal cut key for a tumbler lock? – this.josh Jun 12 '11 at 01:00
The difference is that a password is transmitted and can be monitored by remote compromise of the computer. A lock does not send details of the key anywhere. Even if you were standing next to me, it would likely be challenging to describe the key without me being complicit. They both present the same risk of physical theft, but different risks of compromise in use. – Jeff Ferland Jun 12 '11 at 14:49
Passwords are not always transmitted, some are authenticaed locally. Even in enterprise Windows environments credentials are often cached, so not every authentication is transmitted. No one needs to be standing next to a key user. Metal cut keys can be duplicated from photographs take at 195 ft. See [Reconsidering Physical Key Secrecy](http://www.cs.ucsd.edu/~savage/papers/CCS08OptDecode.pdf). – this.josh Jun 12 '11 at 22:23
If you can steal my keys without visual confirmation, physical presence, or really anything coming within a mile of me, you can have a cookie and my concession. – Jeff Ferland Jun 13 '11 at 01:16
I'm not trying to get your concession. I'm trying to make sure I understand the limits of your definition. The point of the original question is that 'something you have' is not well understood. My admitedly slightly adversarial comments are my way of trying to think about the problem. – this.josh Jun 13 '11 at 16:13

score 8 · Answer 2 · answered May 15 '11 at 14:56

8

Re. the question wether a paper based OTP-Solution could fullfill NIST 800-63 Level 3 requirement:

From the source "...

Authentication requires that the claimant prove through a secure authentication protocol that he or she controls the token, and must first unlock the token with a password or biometric, or must also use a password in a secure authentication protocol, to establish two factor authentication. ..."

--> the answer is: Nope! Otoh, this also rules out SMS-based solutions, because nobody can guarantee that the one-time-token cannot be seen without entering a PIN...

Hmm, I guess there will be many foul compromises for that level 3 compliance ... :)

answered May 15 '11 at 14:56

kindofwhat

299
1
2

1

Hmm, this may not be the case, but I'm not sure. The wording of this paragraph is a bit strange, but pay attention to the 'or' part. First of all the claimant must prove that he is in control of the token. This is a requirement for every level, even the 1st. The added thing on the level 3 is that he must *either* use a pin to unlock the token, *or* use a pin while doing the authentication as a second factor. At least this is how I interpret that paragraph. – john May 15 '11 at 15:12
@John: you are right. Whatever " a secure authentication protocol " might be in that case.. Otoh, on p. 34 of the NIST-docu, the different authentication token are described. And this definitely rules out written down TANs. – kindofwhat May 15 '11 at 16:01
1

I just found a very interesting paper on the subject of NIST Levels and mobile phones: http://www.ida.liu.se/~annva/papers/pre-seclevels-vapen-shahmehri-primelife.pdf On section 3 they evaluate severl factors and propose ways to make mobilel phones compliant with different levels. As I read, if certain assumptions hold and can be implemented, Level 3 compliance could be achieved. To sum up, in the usual case, it turns out you are correct: Mobile phones and lists of one-time-passwords are certainly not Level 3 compliant. – john May 15 '11 at 16:27
1

Interesting that after the RSA incident there was a lot people and a fair few self interested vendors writing about the advantages of SMS OTP or soft token on mobile over a hard token mainly due to the ability to quickly update. I have 3 hard tokens on my key chain 2 from banks, one from employer none of them require a pin to see the OTP. Only work one requires pin with OTP to use. On the other hand my iPhone has a strong password to secure SMS OTP and soft token. If Google and Apple make a pin mandatory would that change your mind @kindofwhat ? – Rakkhi May 16 '11 at 14:44
@Rakkhi: Not entirely. There still is the notion of a crypto token. Would you consider a hacked iPhone (with that cool "no PIN hack") or a malware-ladden Droid to be a trustworthy crypto token? – kindofwhat May 16 '11 at 14:51
@kindofwhat you can't forget it is a second factor though. The malware or hacker would still require the password for immediate access. Also the argument that users are far more likely to notice losing their phone rather than a hard token protected by a pin. Thus far at least malware on the iPhone has required user to jailbreak, fair enough Android is different. – Rakkhi May 16 '11 at 15:21
2

Great conversation, @kindofwhat, @john, @rakkhi! Can we get it edited into the answer, which we seem to agree is a bit off-track now with its reasoning? – nealmcb May 16 '11 at 17:21
1

SMS is not a 2nd factor, but it is out-of-band, and that has a different set of benefits. But no, it is definitely not a 2nd factor. – AviD May 18 '11 at 09:36

rook · Answer 3 · 2011-05-14T19:43:08.353

5

Two-factor authentication is a part of the larger family of Multi-factor authentication. This is the defense in depth approach of "Security In Layers" applied to authentication.

Two-factor authentication is not only just "something you have". Choosing any two from these three categories of authentication would be Two-Factor:

Something the user knows (e.g., password, PIN, SSN);
Something the user has (e.g., ATM card, smart card, Key Fob, RFID); and
Something the user is (e.g., biometric characteristic, such as a fingerprint, iris scan).

Two-factor authentication is also common in the non-technical world. Such as having to show your picture id with a credit card purchase. The credit card is what you have and another person can link the name on the card to the face on the drives license with the buyer.

edited May 14 '11 at 19:43

answered May 13 '11 at 23:28

rook

46,916
10
92
181

+1, even though this answer no longer fits the edited question (it did before, though, so thats why the upclick...) – AviD May 14 '11 at 22:30
1

@AviD♦ haha, and now he is linking to the wiki article I modified. Oah internets, how I love thee. – rook May 15 '11 at 01:14
I'm sorry my title originally didn't capture the core of my question, as @scott pointed out on chat. I certainly thought it was useful to give folks a wiki reference. I'm not sure I follow your comment about the internets. We probably could use another question on general multi-factor definitions or issues. – nealmcb May 15 '11 at 05:58
@nealmcb I modified the wiki link you are pointing to to contain information that I posted here. But you might have gotten a better answer if you just re-posted. – rook May 15 '11 at 16:23

score -2 · Answer 4 · answered May 15 '11 at 01:22

-2

My own opinion, but I think "something you have" should have the following characteristics:

the user can easily and immediately detect its absence
it can be rendered ineffective by the issuing authority without requiring possession
possession proves identity

A hardware token would fit these requirements, a one time password would not.

answered May 15 '11 at 01:22

Ben

605
4
11

I agree with the first two. But "possession proves identity" is too dangerous. It should also require a PIN or be used in conjunction with a password or other factor. – nealmcb May 15 '11 at 05:47
@nealmcb you're right, that was the intention with possession proves identity, you want a strong binding capability, something that demonstrates you truly possess it (like a PIN) – Ben May 15 '11 at 14:27
@Ben why a one-time password would not fit these 3 requirements you state? (and what do you mean by one time password, beacause it can be argued that hardware tokens produce exactly such passwords) – john May 15 '11 at 15:37
@john I was referencing @nealmcb password on paper concept. I can easily remove the paper from the user's wallet, copy the password (memorize it, take a picture, write it down etc...) and replace the paper in the wallet. The user is unaware of its absence, specifically that two copies can exist and be equally usable. – Ben May 15 '11 at 16:44
1

Absence is quite different from non-existence of a copy. Requiring a PIN transforms a token into a 2-factor device, which is broader than just "something you have" – nealmcb May 15 '11 at 16:59
OK, I agree with that, but you are talking about forgeability, not easiness to detect absence. The absence of a wallet missing is as easy to detect as a token missing. Forgeability is another thing :-) – john May 15 '11 at 17:06
I would think that something you have should not be able to be rendered ineffective without possession; otherwise the system is vulnerable to attacks on availability (Denial of service). – this.josh Jun 10 '11 at 00:34

How is "something you have" typically defined for "two-factor" authentication?

4 Answers4

Linked