Multi-factor authentication

Download ASD Protect Notice Multi-factor authentication (PDF), updated February 2017

Introduction

  1. Multi-factor authentication is one of the most effective controls an organisation can implement to prevent an adversary from gaining access to a device or network and accessing sensitive information. When implemented correctly, multi-factor authentication can make it significantly more difficult for an adversary to steal legitimate credentials to facilitate further malicious activities on a network.
  2. This document has been developed by the Australian Signals Directorate (ASD) to provide guidance on what multi-factor authentication is, different multi-factor authentication methods that exist and why some multi-factor authentication methods are more secure, and therefore more effective, than others. It also discusses how multi-factor authentication is different to multi-step authentication.
  3. ASD recommends that multi-factor authentication be used for all users accessing devices and sensitive information repositories, performing privileged operations, and accessing networks via remote access solutions. Using multi-factor authentication provides a secure authentication mechanism that is not as susceptible to brute force attacks as traditional single-factor authentication methods using passphrases.

Why is multi-factor authentication important?

  1. Adversaries frequently attempt to steal legitimate user or administrative credentials when they compromise a network. These credentials allow them to easily propagate on a network and conduct malicious activities without additional exploits, thereby reducing the likelihood of detection. Adversaries will also try to gain credentials for remote access solutions, including Virtual Private Networks (VPNs), as these accesses can further mask their activities and reduce the likelihood of being detected.
  2. When multi-factor authentication is implemented correctly throughout an organisation, it is significantly more difficult for an adversary to steal a complete set of credentials as the user has to prove they have physical access to a second factor that either they have (eg, a physical token, smartcard or software-based certificate) or are (eg, a fingerprint or iris scan).
  3. When implementing multi-factor authentication, it is essential that it is done correctly, both to minimise security vulnerabilities and to avoid a false sense of security that could leave a network vulnerable. For example, if multi-factor authentication is used for remote access solutions in an organisation but not for corporate workstations, an adversary could compromise the username/passphrase from a device used for remote access and then use it to authenticate locally to a corporate workstation, or to propagate within a network after compromising an initial workstation via spear-phishing techniques. In such a scenario, multi-factor authentication for remote access is significantly better than single-factor authentication, but it does not negate the requirement for appropriately hardened devices to be used as part of a comprehensive remote access solution.

What is multi-factor authentication?

  1. ASD defines multi-factor authentication as 'a method of authentication that uses two or more authentication factors to authenticate a single claimant to a single authentication verifier.'
  2. The authentication factors that make up a multi-factor authentication request must come from two or more of the following:
    1. something the claimant knows (eg, a personal identification number (PIN)/passphrase or response to a challenge)
    2. something the claimant has (eg, a physical token, smartcard or software-based certificate)
    3. something the claimant is (eg, a fingerprint or iris scan).
  3. The claimant being authenticated may be a person, device, service, application or any other security principal that can be authenticated within the system.
  4. An authentication verifier is an entry point to a confined sub-system where a single technical authentication policy is enforced.
  5. The most common claimants authenticated via multi-factor authentication are users. Common multi-factor authentication methods include user passphrases combined with one of the following:
    1. physical tokens that generate a time-limited one-time PIN/passphrase
    2. biometrics such as a fingerprint or iris scan
    3. smartcards supplied to a reader and unlocked with a PIN/passphrase
    4. apps that generate a time-limited one-time PIN/passphrase
    5. time-limited one-time PIN/passphrase provided via a Short Message Service (SMS) message or voice call
    6. software-based certificates stored on a user's device and accessed using a PIN/passphrase.
  6. If an authentication method at any time offers a user the ability to reduce the number of authentication factors to a single factor it is by definition no longer a multi-factor authentication method. A common example of this is when a user is offered the ability to 'remember this computer' for a public web resource. In such a scenario, a user may be authenticated initially using multi-factor authentication but a token is then set on their device such that subsequent authentications use a single factor (usually a passphrase) as long as the token on their device is accessible and valid. In this scenario, the claimant verified by the token is the user's web browser rather than the user. As such, it violates the requirement for two or more authentication factors to authenticate a single claimant to a single authentication verifier. Furthermore, the token has characteristics more akin to a session token than an authentication factor, which makes it unsuitable for the purposes of authentication.

Multi-factor authentication versus multi-step authentication

  1. A common authentication approach often confused with multi-factor authentication is multi-step authentication. Multi-step authentication is an architectural approach to accessing resources sequentially through multiple authentication verifiers. Each authentication verifier grants access to increasingly privileged areas of the system until access to the desired resources is achieved. Authentication verifiers may be single-factor or multi-factor in nature.
  2. While multi-step authentication may significantly improve the security of a system, it is easier for an adversary to bypass than multi-factor authentication as there is no single point within the system that uses two or more authentication factors to authenticate a single claimant to a single authentication verifier. As a result, an adversary can incrementally compromise a system, gaining ever increasing access while never having to overcome the requirement for multi-factor authentication. For this reason, ASD does not recognise multi-step authentication as being a suitable substitute for multi-factor authentication.
  3. Consider a remote access solution. In this scenario (figure 1), a computer has an Internet Protocol Security (IPsec) certificate that authenticates the computer to the VPN concentrator, a user has a passphrase that authenticates them to the VPN concentrator and then a passphrase that authenticates them to the Active Directory (AD) domain.
  4. This scenario demonstrates multi-step authentication; however, there is no multi-factor authentication implemented in this scenario. When authenticating to the VPN concentrator, the user and computer are considered separate claimants, therefore the computer's IPsec certificate and the user's passphrase are not a form of multi-factor authentication. Furthermore, the user authenticates separately to the VPN concentrator and to the AD domain. These authentications take place on different authentication verifiers and fail to use different types of authentication factors; therefore, this approach is also not multi-factor authentication.
  5. Figure 1: Multi-step authentication used within a multi-step architecture
  6. The risk associated with this scenario is that an adversary may be able to compromise the computer's IPsec certificate at one point in time, compromise the passphrase the user uses to authenticate to the VPN concentrator at another point in time and, finally, compromise the user's AD credentials at yet another point in time. In this way the adversary is able to increase their access over time, which increases the level of risk associated with this approach.
  7. Consider a second remote access solution. In this scenario (figure 2), the user is authenticated to the VPN concentrator using a passphrase and a PIN/passphrase from a physical token. All other authentication steps are the same as in the previous scenario (figure 1).
  8. This scenario demonstrates a relatively secure remote authentication architecture with a multi-factor authentication method used to authenticate the user to the VPN concentrator. In this case, the computer is authenticated with single-factor authentication in the form of the computer's IPsec certificate. The multi-factor authentication takes place on entry into the remote access environment (using the user's passphrase and one-time PIN/passphrase), which controls access through to the corporate environment; the corporate environment itself remains protected by single-factor authentication in the form of the user's passphrase.
  9. Figure 2: Multi-factor authentication used within a multi-step architecture
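The definition in the previous section can be applied mechanically: group every factor by the (claimant, verifier) pair it was presented to and count the distinct categories in each group. The Go program below is an added example, not part of the ASD notice, that encodes the figure 1 and figure 2 scenarios and the 'remember this computer' case from the previous section. The claimant and verifier labels (laptop, alice, alice-browser, vpn-concentrator, ad-domain, web-resource) are assumed names used only for illustration.

```go
package main

import "fmt"

// Category is one of the three factor categories in the ASD definition.
type Category string

const (
	Knows Category = "knows" // PIN, passphrase, response to a challenge
	Has   Category = "has"   // physical token, smartcard, software-based certificate
	Is    Category = "is"    // fingerprint, iris scan
)

// Step records one authentication factor presented by one claimant to one verifier.
type Step struct {
	Claimant string
	Verifier string
	Factor   string // free-text description, e.g. "IPsec certificate"
	Category Category
}

// pair identifies a single claimant authenticating to a single verifier.
type pair struct{ claimant, verifier string }

// multiFactorVerifiers reports, for every verifier in the scenario, whether some single
// claimant presented factors from two or more distinct categories to it. Factors from
// different claimants (a computer and its user) or presented to different verifiers (a VPN
// concentrator and an AD domain) are never combined, which is exactly what the definition
// requires: two or more factors, one claimant, one verifier.
func multiFactorVerifiers(steps []Step) map[string]bool {
	categories := map[pair]map[Category]bool{}
	for _, s := range steps {
		p := pair{s.Claimant, s.Verifier}
		if categories[p] == nil {
			categories[p] = map[Category]bool{}
		}
		categories[p][s.Category] = true
	}
	result := map[string]bool{}
	for p, cats := range categories {
		result[p.verifier] = result[p.verifier] || len(cats) >= 2
	}
	return result
}

// figure1 is the first remote access scenario: multi-step, but single-factor at every verifier.
// Labels are assumed names, not values from the notice.
func figure1() []Step {
	return []Step{
		{"laptop", "vpn-concentrator", "IPsec certificate", Has},
		{"alice", "vpn-concentrator", "passphrase", Knows},
		{"alice", "ad-domain", "passphrase", Knows},
	}
}

// figure2 adds a one-time PIN from a physical token at the VPN concentrator.
func figure2() []Step {
	return append(figure1(), Step{"alice", "vpn-concentrator", "one-time PIN from physical token", Has})
}

// rememberedComputer models the 'remember this computer' case: after the initial logon the
// second "factor" is a token held by the browser, which is a different claimant from the user.
func rememberedComputer() []Step {
	return []Step{
		{"alice", "web-resource", "passphrase", Knows},
		{"alice-browser", "web-resource", "remember-this-computer token", Has},
	}
}

func main() {
	scenarios := map[string][]Step{
		"figure 1":            figure1(),
		"figure 2":            figure2(),
		"remembered computer": rememberedComputer(),
	}
	for name, steps := range scenarios {
		fmt.Println(name, multiFactorVerifiers(steps))
	}
}
```

Only figure 2 yields a verifier with multi-factor authentication (the VPN concentrator); the AD domain stays single-factor in both figures, and the remembered-browser token never counts towards the user's factors because it belongs to a different claimant.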

Are all multi-factor authentication methods equally effective?

  1. While all forms of multi-factor authentication listed in this document provide significant advantages over single-factor authentication, some methods are more effective than others. Notably, multi-factor authentication is most effective when one of the authentication factors is physically separate from the device from which the user is accessing the system or resource, such as using a physical token rather than a software-based certificate.
  2. To maximise the security effectiveness of any multi-factor authentication method chosen, the following security measures should be implemented:
    1. The authentication service (if a dedicated authentication server) is hardened and isolated from the rest of the network as much as possible. This can be achieved by (at a minimum):
      1. implementing the 'Essential Eight' from ASD's Strategies to Mitigate Cyber Security Incidents (if possible)
      2. applying any specific hardening advice provided by vendors
      3. implementing appropriate network segmentation and segregation to limit the types of network traffic to and from the authentication service to only traffic required for its proper operation, with particular care paid to which devices and users on the network can access the authentication service directly.
    2. The passphrase used for remote access is different to the user's standard passphrase for the network.
    3. Users do not store a physical token or smartcard with the device used for remote access.
    4. Devices used to receive or generate a second factor are hardened as much as possible. This can be achieved by (at a minimum):
      1. implementing the 'Essential Eight' from ASD's Strategies to Mitigate Cyber Security Incidents (if possible)
      2. applying any specific hardening advice provided by vendors.

Common multi-factor authentication methods

Token-based multi-factor authentication

  1. This multi-factor authentication method uses a physical token that displays a time-limited one-time PIN/passphrase on its screen as a second factor. The time on both the physical token and the authentication service is synchronised, and the authentication service knows what PIN/passphrase should be displayed on every physical token it services at a particular time. When the user authenticates with a passphrase and the PIN/passphrase displayed by the physical token, the authentication service verifies that all details are correct for that user and grants or denies access to resources.
  2. For maximum security and effectiveness, the following security measures should be implemented when using this multi-factor authentication method:
    1. the expiry time of the PIN/passphrase displayed on the physical token is set to the lowest value practical
    2. users are instructed to report any lost or missing physical tokens
    3. users know that they should never provide details (such as the serial number and PIN/passphrase displayed) about their physical token unless they are certain it is being requested by their ICT support staff.
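An added example, not part of the ASD notice: a Go implementation of the time-synchronised one-time PIN scheme described above, using the public RFC 4226/RFC 6238 algorithm (HMAC-SHA1 over a time-step counter) as the concrete mechanism; real physical tokens use vendor-specific variants of the same idea. The service side shows the two settings that matter for the measures listed above: `Step` is the PIN expiry time, and the per-user `lastStep` record makes each PIN genuinely one-time even inside the drift window. The secret string is the RFC test value, not a real key, and the user name is an assumed label.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
)

// hotp computes an RFC 4226 one-time PIN: HMAC-SHA1 over the big-endian counter,
// dynamically truncated to 31 bits, then reduced to the requested number of decimal digits.
func hotp(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := uint64(binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff)
	mod := uint64(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// totp is the token side (RFC 6238): the counter is the number of whole time steps since
// the Unix epoch, so token and service agree as long as their clocks agree.
func totp(secret []byte, unixTime, step int64, digits int) string {
	return hotp(secret, uint64(unixTime/step), digits)
}

// Service is the authentication-service side. It holds each token's secret so it can compute
// the same PIN, and remembers the last time step it accepted for each user.
type Service struct {
	Step     int64 // seconds each PIN is valid for: the "expiry time" in the notice
	Window   int64 // extra steps either side tolerated for clock drift
	Digits   int
	secrets  map[string][]byte
	lastStep map[string]int64
}

func NewService(step, window int64, digits int) *Service {
	return &Service{Step: step, Window: window, Digits: digits,
		secrets: map[string][]byte{}, lastStep: map[string]int64{}}
}

func (s *Service) Enrol(user string, secret []byte) {
	s.secrets[user] = secret
	s.lastStep[user] = -1
}

// Verify accepts the PIN for the current step or a step inside the drift window, but never
// a step at or before the last one accepted, so a PIN that was captured cannot be replayed.
func (s *Service) Verify(user, pin string, unixTime int64) bool {
	secret, ok := s.secrets[user]
	if !ok {
		return false
	}
	current := unixTime / s.Step
	for delta := -s.Window; delta <= s.Window; delta++ {
		step := current + delta
		if step <= s.lastStep[user] {
			continue
		}
		if hmac.Equal([]byte(hotp(secret, uint64(step), s.Digits)), []byte(pin)) {
			s.lastStep[user] = step
			return true
		}
	}
	return false
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 test secret, not a real key
	svc := NewService(30, 1, 6)
	svc.Enrol("alice", secret)
	pin := totp(secret, 59, 30, 6)
	// Second call is a replay of the same PIN and is refused.
	fmt.Println(pin, svc.Verify("alice", pin, 59), svc.Verify("alice", pin, 59))
}
```

Lowering `Step` shortens how long a displayed PIN stays usable, which is the first measure above; widening `Window` does the opposite, so it should be kept to the smallest value the tokens' clock drift actually requires.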

Biometric-based multi-factor authentication

  1. This multi-factor authentication method uses biometrics, such as a fingerprint or iris scan, as a second factor. When the user enrols they provide a scan of the appropriate biometric as a reference point for the authentication service to compare against. When the user authenticates they provide a passphrase along with their biometric scan; the authentication service verifies both the passphrase and the biometric against those provided at enrolment, and grants or denies access to resources. It should be noted, though, that for every biometric mechanism some potential users will not be able to enrol successfully, due to the wide range of differences between individuals.
  2. There are, however, potential security vulnerabilities in this multi-factor authentication method caused by the fact that biometric characteristics are not secrets, biometric matching is probabilistic rather than deterministic, and there is a reliance on the biometric capture software and the operating system installed on a user's device. If an adversary compromises the user's device and gains elevated privileges, then it is possible for the adversary to use the services provided by the biometric capture software to intercept and replay legitimate authentication requests or initiate fraudulent authentication requests on the user's behalf – within the limitations of any anti-replay measures. Furthermore, the effectiveness of biometric-based authentication is reliant on the quality of the biometric readers/sensors and biometric capture software to ensure that false negatives (denying access when it should be allowed) and, more importantly, false positives (granting access when it should have been denied) provide an appropriate trade-off.
  3. For maximum security and effectiveness, the following security measures should be implemented when using this multi-factor authentication method:
    1. users receive a visual notification each time an authentication request is generated that requires the user to enter their PIN/passphrase; this will enable them to potentially detect fraudulent authentication requests
    2. an alternative authentication method, including supplementary security measures, is implemented for cases where a user cannot successfully enrol using the biometric mechanism.
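To make the point about probabilistic matching concrete, here is an added Go example (not from the notice) that applies a decision threshold to constructed matcher scores, reports the resulting false-accept and false-reject rates, and then picks the lowest threshold that meets a false-accept bound. The score samples and the 0.01 sweep are assumptions for illustration; a real reader's score distribution comes from vendor and operational testing.

```go
package main

import "fmt"

// Constructed matcher scores in [0, 1]; higher means the live scan looks more like the
// enrolled template. genuineScores are from the enrolled user, impostorScores from others.
var genuineScores = []float64{0.91, 0.88, 0.95, 0.72, 0.84, 0.79, 0.93, 0.66, 0.87, 0.90}
var impostorScores = []float64{0.12, 0.35, 0.48, 0.21, 0.63, 0.30, 0.55, 0.18, 0.69, 0.27}

// Rates are the two error rates the notice describes: false positives (an impostor is
// accepted) and false negatives (the genuine user is rejected).
type Rates struct {
	FalseAccept float64
	FalseReject float64
}

// evaluate applies a decision threshold: a scan is accepted when its score >= threshold.
func evaluate(threshold float64, genuine, impostor []float64) Rates {
	falseAccepts, falseRejects := 0, 0
	for _, s := range impostor {
		if s >= threshold {
			falseAccepts++
		}
	}
	for _, s := range genuine {
		if s < threshold {
			falseRejects++
		}
	}
	return Rates{
		FalseAccept: float64(falseAccepts) / float64(len(impostor)),
		FalseReject: float64(falseRejects) / float64(len(genuine)),
	}
}

// chooseThreshold sweeps thresholds in steps of 0.01 and returns the lowest one whose
// false-accept rate stays within maxFAR: the most permissive setting that still meets the
// security bound, which is the trade-off the notice asks operators to make deliberately.
func chooseThreshold(maxFAR float64, genuine, impostor []float64) float64 {
	for i := 0; i <= 100; i++ {
		t := float64(i) / 100
		if evaluate(t, genuine, impostor).FalseAccept <= maxFAR {
			return t
		}
	}
	return 1.0
}

func main() {
	for _, t := range []float64{0.5, 0.6, 0.7, 0.8} {
		fmt.Printf("threshold %.2f -> %+v\n", t, evaluate(t, genuineScores, impostorScores))
	}
	t := chooseThreshold(0, genuineScores, impostorScores)
	fmt.Printf("lowest threshold with no false accepts: %.2f (false rejects %.2f)\n",
		t, evaluate(t, genuineScores, impostorScores).FalseReject)
}
```

With these constructed samples, a threshold of 0.5 accepts no genuine user wrongly but lets three of ten impostors through; driving false accepts to zero needs a threshold of 0.70 and starts rejecting a genuine user one time in ten. Since the notice rates false positives as the more important error, the bound is set on false accepts first and the false-reject cost is what the organisation then lives with.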

Certificate-based smartcard multi-factor authentication

  1. This multi-factor authentication method uses a private key stored on a smartcard as a second factor. Software installed on a user's device prompts the user to also provide a PIN/passphrase to unlock the smartcard, and then verifies their identity using the private key stored on that smartcard. When the smartcard is successfully unlocked, the software installed on their device assists the user to verify their identity by signing an authentication request with the user's private key. The authentication service then verifies that the authentication request is signed by the valid and correct private key, and grants or denies access to resources.
  2. Like biometric-based multi-factor authentication, this multi-factor authentication method has a potential security vulnerability due to a reliance on the smartcard software and the operating system installed on a user's device. If the user's device is compromised and an adversary gains elevated privileges, they can use the services provided by the smartcard software to intercept and replay legitimate authentication requests or initiate fraudulent authentication requests on the user's behalf – within the limitations of any anti-replay measures.
  3. For maximum security and effectiveness, the following security measures should be implemented when using this multi-factor authentication method:
    1. users receive a visual notification each time an authentication request is generated that requires the user to enter their PIN/passphrase; this will enable them to potentially detect fraudulent authentication requests
    2. the Certification Authority's keys are adequately protected (eg, stored in a Hardware Security Module (HSM)) and backups of the keys are physically secured and stored offline
    3. users do not leave their smartcards inserted and unlocked in the reader; contactless smartcard readers can be used to enforce this control
    4. storage and functionality on the smartcard is minimised as much as possible
    5. smartcards that have completed an ASD Cryptographic Evaluation are utilised
    6. users are instructed to report any lost or missing smartcards as soon as practical.

App-based multi-factor authentication

  1. This multi-factor authentication method uses a time-limited one-time PIN/passphrase provided via an app as a second factor. When the user enrols they provide a phone number, instant message identity or an email address so that a time-limited one-time PIN/passphrase can be provided to them via an SMS message, instant message, voice call or email to register the app. During the logon process the user requests the app to provide them with a PIN/passphrase in order to complete the authentication process. The user then provides this information to the authentication service, which verifies that all details are correct for that user and grants or denies access to resources.
  2. The advantage of this multi-factor authentication method is that it uses a second factor that the user already has and therefore minimises the cost to the system owner; however, there are also a number of disadvantages, namely:
    1. use of the device for web browsing may mean that the device running the app is no longer secure
    2. many devices are not secure and a device can be compromised by motivated and competent adversaries, particularly when travelling overseas.
  3. For maximum security and effectiveness, the following security measures should be implemented when using this multi-factor authentication method:
    1. the expiry time of the PIN/passphrase provided via the app is set to the lowest value practical
    2. users are instructed to report the theft or loss of any device running the app, even if it is a personal device, as soon as practical.

SMS, instant message or voice call-based multi-factor authentication

  1. This multi-factor authentication method uses a time-limited one-time PIN/passphrase provided via an SMS, instant message or voice call to a device as a second factor. When the user enrols they provide the phone number or instant message identity of their device so that a time-limited one-time PIN/passphrase can be provided to them to register. During the logon process the user requests that the authentication service provide them with a PIN/passphrase in order to complete the authentication process. The user then provides this information to the authentication service, which verifies that all details are correct for that user and grants or denies access to resources.
  2. The advantage of this multi-factor authentication method is that it uses a second factor that the user already has and therefore minimises the cost to the system owner; however, there are also a number of disadvantages, namely:
    1. telecommunication networks can have degraded service or no service at all, which may affect the availability of the system
    2. use of the device for web browsing may mean that an SMS message, instant message or voice call containing the PIN/passphrase is no longer secure, particularly when SMS messages are delivered via VoIP or internet messaging platforms
    3. many devices are not secure and a device can be compromised by motivated and competent adversaries, particularly when travelling overseas
    4. telecommunication networks do not provide end-to-end security and an SMS message, instant message or voice call may be intercepted by motivated and competent adversaries, particularly when travelling overseas.
  3. For maximum security and effectiveness, the following security measures should be implemented when using this multi-factor authentication method:
    1. the expiry time of the PIN/passphrase provided via an SMS message, instant message or voice call is set to the lowest value practical
    2. users are instructed to report the theft or loss of their device, even if it is a personal device, as soon as practical.

Software-based certificate multi-factor authentication

  1. This multi-factor authentication method uses a software-based certificate stored on a device as a second factor. When the user wishes to authenticate, the system attempts to access the user's software-based certificate, which is stored in a file, in the registry or in the Trusted Platform Module (TPM) of their device. If successful, the software installed on their device assists the user to verify their identity by signing an authentication request with the user's private key. The authentication service then verifies that the authentication request is signed by the valid and correct private key, and grants or denies access to resources.
  2. The security vulnerability in this multi-factor authentication method is due to a reliance on the software and the operating system installed on a user's device. If an adversary compromises the user's device, then it is possible for the adversary to use the services provided by the software in order to intercept and replay legitimate authentication requests or initiate fraudulent authentication requests on the user's behalf – within the limitations of any anti-replay measures. By compromising the user's device, an adversary can gain access to both authentication factors easily with a low likelihood of detection. There is also the additional risk that if an adversary can gain elevated privileges, the user's keys and certificates can be stolen from their device and used by the adversary from their own devices or infrastructure to enable prolonged and difficult-to-detect remote access to a network. For this reason, it is recommended that organisations only use software-based certificates for low-risk transactions or systems, and never for authentication via a remote access solution.
  3. For maximum security and effectiveness, the following security measures should be implemented when using this multi-factor authentication method:
    1. users receive a visual notification each time an authentication request is generated that requires the user to enter their PIN/passphrase; this will enable them to potentially detect fraudulent authentication requests
    2. the certificate/keys are stored in the device's TPM (if present); otherwise, the certificate/keys are stored in the device's certificate store rather than in a regular file on the device's local storage
    3. users are instructed to report the theft or loss of their device, even if it is a personal device, as soon as practical.
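Both this section and the certificate-based smartcard section describe the same exchange: the service issues an authentication request, the user's device signs it with the private key once the PIN/passphrase has unlocked it, and the service checks the signature. The Go program below is an added example (not ASD's code, and not any smartcard or certificate product's protocol) of that exchange with the anti-replay measures the notice alludes to: a random single-use nonce, a short validity period, and the verifier's own name bound into the signed message. Ed25519 and the labels vpn-concentrator and alice are assumptions; real deployments use their own key types and request formats.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Challenge is issued by the authentication service and must be signed by the claimant's key.
type Challenge struct {
	User    string
	Nonce   string // hex, freshly random for every logon attempt
	Expires time.Time
}

// Service is the authentication-service side. It only ever holds public keys; the private
// key stays on the smartcard or in the device's certificate store / TPM.
type Service struct {
	name    string // the verifier's identity, bound into every signed message
	ttl     time.Duration
	now     func() time.Time
	pubKeys map[string]ed25519.PublicKey
	pending map[string]Challenge // outstanding challenges keyed by nonce
}

func NewService(name string, ttl time.Duration, now func() time.Time) *Service {
	return &Service{name: name, ttl: ttl, now: now,
		pubKeys: map[string]ed25519.PublicKey{}, pending: map[string]Challenge{}}
}

func (s *Service) Enrol(user string, pub ed25519.PublicKey) { s.pubKeys[user] = pub }

// Issue creates a fresh single-use challenge with a short lifetime.
func (s *Service) Issue(user string) (Challenge, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return Challenge{}, err
	}
	c := Challenge{User: user, Nonce: hex.EncodeToString(nonce), Expires: s.now().Add(s.ttl)}
	s.pending[c.Nonce] = c
	return c, nil
}

// message is the exact bytes that get signed: verifier, user and nonce, so a signature
// cannot be redirected to another verifier or reused for another logon.
func message(verifier string, c Challenge) []byte {
	return []byte(verifier + "\x00" + c.User + "\x00" + c.Nonce)
}

// Sign is the claimant side: what the smartcard or certificate software does with the
// unlocked private key. The verifier name must match the service the user is logging on to.
func Sign(priv ed25519.PrivateKey, verifier string, c Challenge) []byte {
	return ed25519.Sign(priv, message(verifier, c))
}

// Verify checks the response against the service's own record of the challenge, never
// against values supplied by the claimant.
func (s *Service) Verify(nonce string, sig []byte) error {
	c, ok := s.pending[nonce]
	if !ok {
		return errors.New("unknown or already used challenge")
	}
	delete(s.pending, nonce) // single use: a replay of the same signature is refused
	if s.now().After(c.Expires) {
		return errors.New("challenge expired")
	}
	pub, ok := s.pubKeys[c.User]
	if !ok {
		return errors.New("user not enrolled")
	}
	if !ed25519.Verify(pub, message(s.name, c), sig) {
		return errors.New("signature does not verify under the enrolled key")
	}
	return nil
}

// newKeyPair stands in for key generation at enrolment (on the card or in the device's store).
func newKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func main() {
	pub, priv := newKeyPair()
	clock := time.Unix(1_500_000_000, 0) // fixed clock so the run is deterministic
	svc := NewService("vpn-concentrator", 30*time.Second, func() time.Time { return clock })
	svc.Enrol("alice", pub)
	c, _ := svc.Issue("alice")
	sig := Sign(priv, "vpn-concentrator", c)
	fmt.Println(svc.Verify(c.Nonce, sig), svc.Verify(c.Nonce, sig)) // <nil>, then the replay error
}
```

These measures limit what a captured signature is worth, which is the "within the limitations of any anti-replay measures" qualifier in both sections. They do not change the notice's conclusion about compromised devices: an adversary who can drive the signing software can still answer a fresh challenge, and one who extracts a software-stored private key can answer challenges from their own infrastructure, which is why hardware-held keys and TPM storage are preferred.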

Further information

  1. The Australian Government Information Security Manual (ISM) assists in the protection of official government information that is processed, stored or communicated by Australian Government systems. ASD's Strategies to Mitigate Cyber Security Incidents complements the advice in the ISM.
  2. Additional information on hardening devices can be found in the following ASD publications:
    1. Risk Management of Enterprise Mobility including Bring Your Own Device (BYOD)
    2. iOS Hardening Configuration Guide for iPod Touch, iPhones and iPads
    3. Hardening Microsoft Windows 7 SP1 Workstations
    4. Hardening Microsoft Windows 8.1 Update Workstations

Contact

Australian government customers with questions regarding this advice can contact ASD Advice and Assistance.

Australian businesses and other private sector organisations seeking further information should contact CERT Australia.