MFA, Passwordless and Phishing Resistance are all terms we are hearing more and more lately. MFA usage has nearly doubled since 2020, according to Okta’s recent Secure Sign in trends report discussed here. Unfortunately, there is a lot of confusion around what these terms, and more basic ones like Factors and Authenticators, actually represent. This post aims to clear that up.
- An Authenticator is how the end-user authenticates.
  - An Authenticator is a credential owned or controlled by an end user.
  - Examples: a secret phrase, an instance of a mobile app, or access to an email account or device.
- An Authenticator can have multiple Authentication Methods.
  - A phone number can be called or receive an SMS.
  - Okta Verify can display a TOTP, receive a push notification or be used for FastPass.
Authenticators have a Factor Type, which is defined by one of the following:
- something the user knows – a knowledge factor
- something the user has – a possession factor
- something the user is – an inherence factor
True multi-factor means satisfying at least two distinct factor types.
Password + Security Question is not true MFA, as both are knowledge factors.
A password is just an authenticator; it can be substituted for any other. Passwordless simply means not using a password as an authenticator.
According to NIST, phishing resistance requires that the channel being authenticated is cryptographically bound to the output of the authenticator. In simpler terms, this means that the domain (address) of the website you are signing in to is tied to your authenticator, ensuring that your authenticator won’t release your credentials to a fake phishing web page.
Phishing resistant authenticators rely on three major properties:
- No shared secrets – Authentication is performed by cryptographically signing with a credential key pair, and the private key is stored in a hardware security module.
- Origin bound – A credential key pair is tied to a specific domain, mitigating the threat of phishing.
- Trusted – Authenticator attestation helps verify that the public key comes from a trusted authenticator.
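Origin binding is the property the relying party actually checks at sign-in. The following added example (not Okta's code) models it in Python with a WebAuthn-style flow: the browser writes the origin it really loaded into the signed client data, the authenticator scopes each credential to that domain, and the relying party rejects any assertion whose origin does not match. Assumptions: the domain names are constructed, and HMAC with a per-credential key stands in for the asymmetric key pair a real authenticator uses, so this toy deliberately lacks the "no shared secrets" property described above.

```python
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlparse

class Authenticator:
    """Stand-in authenticator: every credential is scoped to a relying-party ID (rp_id)."""
    def __init__(self):
        self._creds = {}  # rp_id -> credential key; the key never leaves the authenticator

    def register(self, rp_id):
        key = secrets.token_bytes(32)
        self._creds[rp_id] = key
        # STAND-IN: a real authenticator returns only the public half of an asymmetric key
        # pair; with HMAC the verification key is the signing key, i.e. a shared secret.
        return key

    def get_assertion(self, rp_id, client_data):
        key = self._creds.get(rp_id)
        if key is None:
            return None  # no credential scoped to this domain: a phishing host gets nothing
        return hmac.new(key, hashlib.sha256(client_data).digest(), hashlib.sha256).digest()

def browser_sign(authenticator, page_origin, challenge):
    """The browser, not the page, records the origin it actually loaded and derives rp_id from it."""
    rp_id = urlparse(page_origin).hostname
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}).encode()
    sig = authenticator.get_assertion(rp_id, client_data)
    return None if sig is None else (client_data, sig)

def rp_verify(expected_origin, issued_challenge, assertion, verify_key):
    """Relying party: check type, challenge and origin, then the signature over the client data."""
    client_data, sig = assertion
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != issued_challenge:
        return False
    if cd.get("origin") != expected_origin:
        return False  # signed for another origin: rejected even though the signature is valid
    expected = hmac.new(verify_key, hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)

if __name__ == "__main__":
    auth = Authenticator()
    key = auth.register("login.example.com")  # constructed relying-party domain
    nonce = secrets.token_hex(16)
    print(rp_verify("https://login.example.com", nonce,
                    browser_sign(auth, "https://login.example.com", nonce), key))  # True
    print(browser_sign(auth, "https://login-example.com", nonce))  # None: look-alike has no credential
```

Even if an attacker obtained an assertion signed on a look-alike domain and relayed it to the real site, the origin recorded in the client data would not match and `rp_verify` would reject it.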
For more details on phishing resistance refer to Phishing Resistance and why it matters.