Factors & Dongles & Tokens, Oh My - Strong Auth Terminology in 7 minutes
Web Authentication, security keys, one-time passwords, and the like have been top of mind as increased phishing attacks and the rapid explosion of remote work have made stronger security controls critical. However, the terminology around these things often appears intentionally confusing. In this blog post, I will attempt to clarify the terms you need to know and explain how they relate to each other.
Two-factor vs. 2-step vs. Multi-factor
2FA / two-factor authentication / second-factor authentication
There’s often some confusion on this term but, to put it simply, two-factor authentication verifies something you know—usually your username and password—along with either “something you have” or “something you are”.
The something you have could be a number of different things: an OTP (one-time password, typically 6-8 digits) from your authenticator app or a key fob, a push verification done through your smartphone, or a USB security key you plug into your computer. Some people also count one-time codes sent to your phone over SMS or by email as two-factor authentication but, strictly speaking, those are a form of 2-step verification, as I’ll discuss below.
Two-factor authentication might also verify something you are: a biometric—such as your fingerprint or face—using a phone, computer, or external device.
The difference between two-factor authentication and 2-step verification is nuanced, as explained in this diagram. For example, one-time codes sent via email or SMS are, strictly speaking, 2-step verification, as getting those codes isn’t directly tied to something you have. An attacker can gain access to your email or intercept the SMS (see below).
MFA / multi-factor authentication
Multi-factor authentication simply means verifying multiple (two or more) authentication factors. Two-factor authentication is actually a subset of multi-factor authentication. In high-security, real-world apps, you might require three or more different factors and require that they are different types (“something you know/have/are”).
However, there is also the concept of a multi-factor authenticator (not to be confused with multi-factor authentication). The NIST SP 800-63-3 Guidelines for federal government agencies define different authenticator assurance levels and corresponding allowed authenticator types. It defines a multi-factor authenticator as something you have, which has to be activated by something you know or something you are!
For example, under this definition using a YubiKey FIDO2 token (something you have) would be considered a multi-factor authenticator if it’s configured to also require a PIN (something you know). Another example would be logging into a website using WebAuthn on a MacBook with Touch ID, in which case the built-in platform authenticator (something you have) releases the cryptographic token after verifying your fingerprint (something you are).
You’re unlikely to encounter this multi-factor authenticator definition unless you’re dealing with systems that require NIST SP 800-63-3 defined Authenticator Assurance Levels 2 or 3. If you don’t know what those are, consider yourself lucky and don’t worry about it!
Authentication Protocols and Standards
There are a lot of standards and acronyms in the authentication world, so I’ll give a quick rundown of the ones you’re likely to run into.
SMS (Short Message Service) is of course not an authentication protocol, but it’s commonly used to deliver one-time passcodes, especially for consumer applications. Since a significant portion of the population has a personal cell phone, it gives a useful approximation of ‘something you have’—a lowest common denominator second factor, or 2-step verification, if we’re being strict about definitions.
Is SMS-based 2FA secure? Spoiler alert: no. Unfortunately, there are many ways of intercepting SMS codes – both highly technical (like SS7 attacks and SMS-stealing malware) and non-technical (like SIM-swap attacks). Some sites have also implemented SMS in a way that makes it arguably worse than nothing at all.
You should strive to move to stronger options than SMS for all sensitive applications.
- HOTP stands for HMAC-based One-Time Password. This algorithm was mostly used in the mid-2000s for hardware tokens that allowed you to push a button to get a new token code. You’re unlikely to see this today.
- TOTP stands for Time-Based One-Time Password. If you worked in tech in the late ’90s, you’ll remember RSA SecurID key fob tokens (and BlackBerry phones on belt clips). OATH took that same idea of a one-time code that changes every 30 seconds and built TOTP as an open standard. It’s fairly common and is supported by many sites, but there is some confusion as it is called different names, such as ‘authenticator app’. Setup is fairly easy for tech-savvy people, with a QR-code-based registration flow. Popular authenticator apps include Google Authenticator, Authy, Duo, and Okta Verify. I like using a password manager app like 1Password as a TOTP authenticator as well, as it automatically syncs with all my devices, and I won’t lose access if one device is broken, lost, or stolen—although you could argue this adds a bit more to the keys-to-the-kingdom risk.
Both HOTP and TOTP offer good protection as a second factor against some attacks, like traditional phishing or credential stuffing. However, typing the code into an input box isn’t user-friendly, and one-time passwords are defeated by more advanced phishing scams, like real-time man-in-the-middle attacks.
The YubiKey USB dongle and Yubico’s own one-time passcode deserve a separate entry, as YubiKeys are very popular.
- Yubico OTP (one-time passcode) improved upon the TOTP six-digit code in a couple of ways. YubiKey USB dongles are plugged into a computer and act as HID devices (basically they look like a keyboard to the computer), which makes entering a one-time code easier, just click on the field and tap the button. The code can also be a lot longer, as you don’t need a human to type it in. I’m sure many of us have seen the accidental YubiKey OTP entries in our chats ccchkuvrnkdvknebdevtbjjceciuhkfcncrknfdkh ...ooops, sorry about that.
However, since Yubico OTP codes are just sprayed into whatever field the user is in, they are also vulnerable to the same real-time man-in-the-middle attacks as TOTP codes are. Also, each key must be provisioned individually, so it's mostly used by corporations that don't mind the management overhead.
Many YubiKeys can be used in other modes as well in addition to Yubico OTP, including the FIDO modes (see below). This can be both a blessing and a curse as it can get a bit complicated.
Push authentication is one of the easiest, most user-friendly ways to authenticate and has some security advantages. In this model, an authentication request is delivered to the user's registered mobile device over a cloud notification service. Push has two main advantages over SMS: it’s delivered over a more secure channel that can’t be intercepted with SIM-swap attacks, and it’s very easy to confirm the authentication with a tap on your phone or smartwatch.
Familiar examples include Apple two-factor authentication used for iCloud, and Google 2-step verification used for Google applications. Commonly used push authentication applications in corporate settings include Duo and Okta Verify.
Push is a very secure way of authenticating, but a user could still fall victim to a well-crafted real-time man-in-the-middle attack if they blindly accept every push authentication notification without thinking and verifying. This risk can be mitigated, at some loss of convenience, by incorporating a code the user has to enter or verify, as Apple has done in iCloud authentication.
FIDO is short for Fast IDentity Online. The FIDO Alliance is another open industry association that creates authentication standards, with an aim to reduce the world’s reliance on passwords. FIDO focuses on improving user experience and phishing resistance compared to one-time passcodes.
FIDO was started by Google and Yubico in 2014 when they rolled out passwordless authentication with UAF and second-factor authentication with U2F. These were followed in 2018 by FIDO2 and Web Authentication—often shortened to WebAuthn.
Web Authentication is one of the easiest and strongest modes of authentication available today, and I have written a whole separate article on why it’s great (and not so great).
There are many standards under the FIDO umbrella.
- UAF stands for Universal Authentication Framework. It is meant to provide passwordless authentication for websites, where you can register using your own device as the authenticator with a PIN, fingerprint, or facial recognition for strong multi-factor authentication. You likely haven’t heard of it because nobody has implemented it.
- U2F stands for Universal 2nd Factor. This standard defines using strong authenticators, like security keys, for second-factor authentication on websites. It was not meant to remove passwords, which made it easier for websites to add support for U2F. Most U2F authenticators are security keys connecting over USB, but the standard also allows for NFC (near-field communication) and/or BLE (Bluetooth Low Energy) connection.
- FIDO2 is a newer set of specifications from the World Wide Web Consortium (W3C) and the FIDO Alliance. It includes both Web Authentication (WebAuthn, the web APIs for passwordless authentication in browsers) and the CTAP protocols.
- CTAP stands for Client to Authenticator Protocol. It describes how authenticators can implement second-factor and passwordless authentication. These authenticators can be built-in to devices like phones and laptops (on-device or platform authenticators), or they can be external ones (security keys or roaming authenticators) connecting over NFC, USB, and/or BLE.
- CTAP1 is just U2F renamed. It provides backward compatibility, so older U2F authenticators like security keys continue to work as second-factor authenticators for sites implementing FIDO2.
- CTAP2 enables you to use the new FIDO2 authenticators not only for second-factor authentication, but also for passwordless and multi-factor authentication.
[Image: copyright FIDO Alliance]
Smart Cards, cards with a chip in them, are everywhere with tens of billions of them in active use. However, the vast majority of these are debit and credit cards, phone SIM cards, national ID cards, and passports, and are not commonly used for online authentication in the private sector. There are exceptions, like Estonia, where Smart Card-based national ID cards are used not only for online voting, but also for bank authentication. In the US, the Federal Government uses PIV cards (Personal Identity Verification) for certificate-based authentication, with the armed services using their version called CAC (Common Access Card).
Which One To Use?
I listed the authentication methods above in rough order of increasing security. So, my simple answer would be: go as far down the list as possible. If you can use U2F or WebAuthn, you’re in great shape.
But what if the only thing available to you is SMS? Well, that’s tricky! Due to the vulnerabilities some sites have around SMS use for authentication and password resets, one can argue that just using a password manager to create strong and globally unique passwords may be safer than SMS. But that’s a whole different discussion!
Thanks for reading and stay safe!