{"id":271,"date":"2023-07-25T14:07:12","date_gmt":"2023-07-25T12:07:12","guid":{"rendered":"https:\/\/www.davel.fr\/techblog\/?p=271"},"modified":"2023-07-25T14:11:16","modified_gmt":"2023-07-25T12:11:16","slug":"hot-take-on-password-login-in-mfa-wrong-factor","status":"publish","type":"post","link":"https:\/\/www.davel.fr\/techblog\/2023\/07\/hot-take-on-password-login-in-mfa-wrong-factor\/","title":{"rendered":"Hot take on password login in MFA : wrong factor"},"content":{"rendered":"

(originally posted on https:\/\/dev.to\/davel_x\/hot-take-on-password-login-in-mfa-wrong-factor-35kj<\/a>)<\/p>\n

I was looking at documentation about 2FA, and MFA in general for an application that I'm working on. And I felt something was not totally right when describing the different factors, specifically the Knowledge<\/em> one.<\/p>\n

Let's take the wikipedia (not the best source but not the worst) page as a reference : https:\/\/en.wikipedia.org\/wiki\/Multi-factor_authentication#Knowledge<\/a><\/p>\n

If you read it like me, the password login is on the Knowledge factor.
\nAnd it's not specifically written but Magic Links are supposed to be in the Possession one[\u00b9].
\nEven if it's theorically true I strongly disagree with that. And since we're talking about security, it's important to understand why.<\/p>\n

What is the flow of a magic link ?<\/h3>\n

\"Image<\/p>\n

If you consider that you possess the email account, it's indeeed a Possession factor that we use here. And the security of this flow is as secure as the one of the email account.<\/p>\n

What is the flow of a password login ?<\/h3>\n

\"Image<\/p>\n

And yeah it's indeed a Knowledge factor, case closed !!
\nThanks for listening to my podcast and don't forget to subsc.... HEY WAIT STOP !!
\nIt doesn't happen like that in real life !<\/p>\n

I had a discussion with a DPO recently (so more a legal expert than a tech one) who told me that magic links are less secure than password logins because emails accounts can be hacked.
\nHmmm... ok but have you seen recently a public password login without a password recovery process ?<\/p>\n

Let's make our sequence diagram again. (because Mermaid<\/a> is a very nice tool that I just discovered)<\/p>\n

\"Image
\nAt the last steps the app server can ask the user to login fully again but it's quite the same.<\/p>\n

So what is the difference betweend password login and magic links in terms of security ? Some unuseful steps and reticences about weak passwords[\u00b2].<\/p>\n

My conclusion<\/h2>\n

Password login is both a Knowledge and a Possession factor and I think that, since the recovery can bypass the Knowledge, it should be considered more like a Possession.
\nCombining password login with SMS, Authenticator or email magic link should not be considered as a "multi"-factor authentication. <\/p>\n

Of course I may have missed some arguments, and if you have a different point of view, I'd be glad to read it. :smile:<\/p>\n

[\u00b9] even if there is a debate whether soft tokens should be in this factor
\n[\u00b2] too simple, used on multiple websites, written on a piece of paper or in a .txt file, etc. <\/p>\n

Cover photo by Micah Williams on Unsplash<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

(originally posted on https:\/\/dev.to\/davel_x\/hot-take-on-password-login-in-mfa-wrong-factor-35kj) I was looking at documentation about 2FA, and MFA in general for an application that I’m working on. And I felt something was not totally right when describing the different factors, specifically the Knowledge one. Let’s take the wikipedia (not the best source but not the worst) page as a reference […]<\/p>\n","protected":false},"author":1,"featured_media":274,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7],"tags":[53,54,55,52],"class_list":["post-271","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-divers","tag-authentication","tag-mfa","tag-password","tag-security"],"_links":{"self":[{"href":"https:\/\/www.davel.fr\/techblog\/wp-json\/wp\/v2\/posts\/271","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.davel.fr\/techblog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.davel.fr\/techblog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.davel.fr\/techblog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.davel.fr\/techblog\/wp-json\/wp\/v2\/comments?post=271"}],"version-history":[{"count":2,"href":"https:\/\/www.davel.fr\/techblog\/wp-json\/wp\/v2\/posts\/271\/revisions"}],"predecessor-version":[{"id":273,"href":"https:\/\/www.davel.fr\/techblog\/wp-json\/wp\/v2\/posts\/271\/revisions\/273"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.davel.fr\/techblog\/wp-json\/wp\/v2\/media\/274"}],"wp:attachment":[{"href":"https:\/\/www.davel.fr\/techblog\/wp-json\/wp\/v2\/media?parent=271"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.davel.fr\/techblog\/wp-json\/wp\/v2\/categories?post=271"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.davel.fr\/techblog\/wp-json\/wp\/v2\/tags?post=271"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}