
DRAFT - DRAFT - DRAFT

The two tables on this page are used to explain our selection of acceptable multi-factor authentication technology for use in assurance profiles. Table 1 describes commonly used authentication factors and summarizes their resistance to common threats. Table 2 summarizes the Authentication Types, or groups of Types, that meet the needs of the authentication profiles.

Table 1 - Authentication Factors and Threat Resistance

| AuthN Type Number | Authentication Factor | Theft via Static MITM Phishing | Theft via Dynamic MITM Phishing | Guessing / Offline Cracking | MFA Device Compromise | User Workstation Compromise |
|---|---|---|---|---|---|---|
| 1 | Password | Low | Low | Depends | n/a | Low |
| 2 | Phone call | Low | Low | High | Low | High |
| 3 | Phone call (VoIP) | Low | Low | Medium | Low | High |
| 4 | SMS | Low | Low | High | Low | High |
| 5 | SMS (VoIP) | Low | Low | Medium | Low | High |
| 6 | HOTP phone software | Low | Low | High | Medium | High |
| 7 | TOTP phone software | Low | Low | High | Medium | High |
| 8 | HOTP token | Low | Low | High | High | High |
| 9 | TOTP token | Low | Low | High | High | High |
| 10 | HOTP written | Low | Low | High | High | Low |
| 11 | DUO Push | High | Low | High | Medium | High |
| 12 | FIDO U2F token with password | High | High | High | High | High |
| 13 | PKI device certificate with device password | High | High | High | High | Medium |
| 14 | PKI token certificate with token password | High | High | High | High | High |

Table 2 - Authentication Types and Combinations of Authentication Types that meet profile requirements.

The Standard MFA Profile that we are developing now focuses on the fact that simple passwords are no longer sufficient in a modern world full of phishing threats. The Stronger MFA Profile column is intended for future work to support an overall higher LoA, with corresponding Identity Proofing requirements. It's helpful to see how the two might differ.

| Item | MFA Type Number(s) from Table 1 | Standard MFA Profile (anti-phish - replace passwords) | Stronger MFA Profile (could support a stronger LoA) |
|---|---|---|---|
| 1 | 1 and 2-14 | Yes | n/a - see below |
| 2 | 12 | Yes | Yes |
| 3 | 13 | Yes | No |
| 4 | 14 | Yes | Yes |
| 5 | 1 and 12-14 | Yes | Yes |