DRAFT - DRAFT - DRAFT
The two tables on this page are used to explain our selection of acceptable multi-factor authentication technology for use in assurance profiles. Table 1 describes commonly used authentication factors and summarizes their resistance to common threats. Table 2 summarizes Authentication Types or Groups of Types which meet the needs of authentication profiles.
Table 1 - Authentication Factors and Threat Resistance
| AuthN Type Number | Authentication Factor | Resistance to Threat | ||||
| Theft via Static MITM Phishing | Theft via Dynamic MITM Phishing | Guessing / Offline Cracking | MFA Device Compromise | User Workstation Compromise | ||
| 1 | Password | Low | Low | Depends | n/a | Low |
| 2 | Phone call | Low | Low | High | Low | High |
| 3 | Phone call (VoIP) | Low | Low | Medium | Low | High |
| 4 | SMS | Low | Low | High | Low | High |
| 5 | SMS (VoIP) | Low | Low | Medium | Low | High |
| 6 | HOTP phone software | Low | Low | High | Medium | High |
| 7 | TOTP phone software | Low | Low | High | Medium | High |
| 8 | HOTP token | Low | Low | High | High | High |
| 9 | TOTP token | Low | Low | High | High | High |
| 10 | HOTP written | Low | Low | High | High | Low |
| 11 | DUO Push | High | Low | High | Medium | High |
| 12 | FIDO U2F token with password | High | High | High | High | High |
| 13 | PKI device certificate with device password | High | High | High | High | Medium |
| 14 | PKI token certificate wth token password | High | High | High | High | High |
Table 2 -
| Item | MFA Type Number(s) from Table 1 | Standard MFA Profile (anti-phish - replace passwords) | Stronger MFA Profile (would support a strong LoA) |
| 1 | 1 and 2-14 | Yes | See below |
| 2 | 12 | Yes | Yes |
| 3 | 13 | Yes | No |
| 4 | 14 | Yes | Yes |
| 5 | 1 and 12-14 | Yes | Yes |