...
The five right-hand columns rate each factor's Resistance to Threat.

| AuthN Type Number | Authentication Factor | Theft via Static MITM Phishing | Theft via Dynamic MITM Phishing | Guessing / Offline Cracking | MFA Device Compromise | User Workstation Compromise |
|---|---|---|---|---|---|---|
| 1 | Password | Low | Low | Depends | n/a | Low |
| 2 | Phone call | Low | Low | High | Low | High |
| 3 | Phone call (VoIP), see note | Low | Low | Medium | Low | High |
| 4 | SMS | Low | Low | High | Low | High |
| 5 | SMS (VoIP), see note | Low | Low | Medium | Low | High |
| 6 | HOTP phone software | Low | Low | High | Medium | High |
| 7 | TOTP phone software | Low | Low | High | Medium | High |
| 8 | HOTP token | Low | Low | High | High | High |
| 9 | TOTP token | Low | Low | High | High | High |
| 10 | HOTP written (backup codes) | Low | Low | High | High | Low |
| 11 | DUO Push | High | Low | High | Medium | High |
| 12 | FIDO U2F token with password | High | High | High | High | High |
| 13 | PKI device certificate with device password | High | High | High | High | Medium |
| 14 | PKI token certificate with token password | High | High | High | High | High |
Note: VoIP is distinguished from other types of phone because it is typically protected by a single password. It may be worth distinguishing "institutional VoIP service" from "personal VoIP service": in the former case it is much more likely that the VoIP system is protected by the same password as the one used for the "first factor" of authentication.
Table 2 - Authentication Types and Combinations of Authentication Types that meet profile requirements.
...