DRAFT - DRAFT - DRAFT
The two tables on this page are used to explain our selection of acceptable multi-factor authentication technology for use in assurance profiles. Table 1 describes commonly used authentication factors and summarizes their resistance to common threats. Table 2 summarizes Authentication Types or Groups of Types which meet the needs of authentication profiles.
Table 1 - Authentication Factors and Threat Resistance
 | | Resistance to Threat | | | | |
AuthN Type Number | Authentication Factor | Theft via Static MITM Phishing | Theft via Dynamic MITM Phishing | Guessing / Offline Cracking | MFA Device Compromise | User Workstation Compromise |
1 | Password | Low | Low | Depends | n/a | Low |
2 | Phone call | Low | Low | High | Low | High |
3 | Phone call (VoIP) | Low | Low | Medium | Low | High |
4 | SMS | Low | Low | High | Low | High |
5 | SMS (VoIP) | Low | Low | Medium | Low | High |
6 | HOTP phone software | Low | Low | High | Medium | High |
7 | TOTP phone software | Low | Low | High | Medium | High |
8 | HOTP token | Low | Low | High | High | High |
9 | TOTP token | Low | Low | High | High | High |
10 | HOTP written | Low | Low | High | High | Low |
11 | DUO Push | High | Low | High | Medium | High |
12 | FIDO U2F token with password | High | High | High | High | High |
13 | PKI device certificate with device password | High | High | High | High | Medium |
14 | PKI token certificate with token password | High | High | High | High | High |
Table 2 -
Item | MFA Type Number(s) from Table 1 | Standard MFA Profile (anti-phish - replace passwords) | Stronger MFA Profile (would support a strong LoA) |
1 | 1 and 2-14 | Yes | See below |
2 | 12 | Yes | Yes |
3 | 13 | Yes | No |
4 | 14 | Yes | Yes |
5 | 1 and 12-14 | Yes | Yes |