Labeling of "multi-factor" is confusing #1984

Open
utsecnet opened this issue Dec 18, 2020 · 1 comment

Comments


utsecnet commented Dec 18, 2020

63b 4.3.1 states at the first bullet point that within AAL3, a multi-factor cryptographic device (MFCD) is allowed as a sole device to provide authentication to a verifier. However, these types of devices only transmit one factor to the verifier. You are simply unlocking that factor with a second factor. This is like taking your house key and putting it in an exterior safe box that requires a code combination to retrieve the key. Does this make your home a 2-factor protected home? No!

If you look at the difference in comparison to using a SF crypto device (SFCD) together with a memorized secret, the unlock process looks like this:

  1. Claimant authenticates by providing the verifier with a password (1st factor).
  2. Verifier sends a challenge to the authenticator (SFCD) via API.
  3. Authenticator signs the challenge and returns the signed assertion to the verifier via the browser (2nd factor).

In that example, the verifier is requiring reception of both factors before authentication is permitted. If we look at the MFCD process it looks like this:

  1. Swipe your finger / enter your PIN on your MFCD.
  2. That action unlocks the crypto key (the verification happens on the device, not the verifier!).
  3. The crypto key is sent to the verifier, which then grants access (only one factor is sent to the verifier!).

Why is this permitted? Is my reasoning wrong?
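The two flows described above, as an added example (not code from the issue, from NIST SP 800-63B, or from any device vendor): a mock verifier records which factors it checked itself, with HMAC-SHA256 standing in for the device's signature and all secrets constructed for the demo.

```python
import hashlib
import hmac
import os
# Constructed sample values (not from the issue); the demo verifier knows the device key.
PASSWORD, PIN = "correct horse battery staple", "4242"
DEVICE_KEY = b"constructed-device-key-for-demo!"
PASSWORD_HASH = hashlib.sha256(PASSWORD.encode()).digest()

def sign(key: bytes, challenge: bytes) -> bytes:
    # HMAC-SHA256 stands in for the authenticator's signature over a challenge.
    return hmac.new(key, challenge, hashlib.sha256).digest()

class Verifier:
    """Records which factors it verified itself, not which ones the claimant used."""
    def __init__(self, password_hash: bytes, device_key: bytes):
        self.password_hash = password_hash
        self.device_key = device_key
        self.checked: list[str] = []

    def check_password(self, password: str) -> bool:
        self.checked.append("memorized_secret")
        digest = hashlib.sha256(password.encode()).digest()
        return hmac.compare_digest(digest, self.password_hash)

    def check_signature(self, challenge: bytes, sig: bytes) -> bool:
        self.checked.append("device_signature")
        return hmac.compare_digest(sign(self.device_key, challenge), sig)

class MFCD:
    """Multi-factor cryptographic device: the PIN is checked on the device itself."""
    def __init__(self, pin: str, key: bytes):
        self.pin, self.key = pin, key

    def unlock_and_sign(self, pin: str, challenge: bytes):
        if not hmac.compare_digest(pin, self.pin):
            return None  # stays locked; the verifier never learns a PIN was tried
        return sign(self.key, challenge)

def sfcd_flow(verifier: Verifier, password: str, device_key: bytes) -> bool:
    """SFCD + memorized secret: the verifier checks both factors itself."""
    if not verifier.check_password(password):
        return False
    challenge = os.urandom(32)
    return verifier.check_signature(challenge, sign(device_key, challenge))

def mfcd_flow(verifier: Verifier, device: MFCD, pin: str) -> bool:
    """MFCD: the verifier only ever receives the one signed assertion."""
    challenge = os.urandom(32)
    sig = device.unlock_and_sign(pin, challenge)
    return sig is not None and verifier.check_signature(challenge, sig)
```

After a successful run, `Verifier.checked` holds two entries for the SFCD flow and one for the MFCD flow, which is the asymmetry the post is pointing at.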


Lacy420 commented Oct 28, 2023

You better hope you didn't leave this house
