MFA - handle with care
2022-12-14
Abstract
The authentication problem is of a very simple nature: we merely wish allow access only to authorised users, and only to the content they are allowed to access. Simple, yet of paramount importance. You wouldn't trust me with nuclear launch codes!
A step forward from classical passwords, Multi-Factor Authentication is paving the way for a secure login experience. However, especially if mishandled, it is still vulnerable to attacks and manipulations: MFA is not a silver bullet. Most notably, in the words of Simon Zurko (1996),
[...] mechanisms and models that are confusing to the user will be misused.
How to build MFA and avoid this? How to choose the multiple factors to use? Are they all reliable?
We will provide a general introduction to authentication and MFA, and then proceed to outline its characteristics. Real-life examples will show us potential weaknesses, but also possible solutions.
Intended audience
This seminar was originally developed for an internal presentation at the Bruno Kessler Foundation (FBK) in Trento, Italy. It is aimed at individuals with a general interest in IT security, who have a basic understanding of concepts (e.g. they know what a password is).