How Secure are MFA-Protected Accounts (related to MITM)?

Get Started. It's Free
or sign up with your email address
Rocket clouds
How Secure are MFA-Protected Accounts (related to MITM)? by Mind Map: How Secure are MFA-Protected Accounts (related to MITM)?

1. MFA protects generally against password attacks

2. MFA of all sorts is generally better than no MFA or any sort

3. FIDO ("Fast IDentity Online")

3.1. FIDO separates users Verification from Authentication

3.1.1. Authentication is the technical process of establishing an identity with a service

3.1.2. Verification is the confirmation that the identity belongs to the human in front of the device

3.2. FIDO uses Authenticators which checks the user's identity, before executing authentication using pre-registered public/private key pairs

3.2.1. Platform Authenticators: e.g. Trusted Platform Module in laptop

3.2.2. Roaming Authenticators: USB stick, NFC keyfob, Mobile App with biometrics

3.3. Modalities: Verify user precense and Verify user

3.4. Original protocols: U2F (MFA) and UAF (Passwordless Auth)

4. FIDO2 (newest set of specifications)

4.1. FIDO2 = CTAP2 + WebAuthn

4.2. Authentication: WebAuthn (W3C standard since March 2019)

4.3. Verification: CTAP is the Client to Authenticator Protocol

4.3.1. CTAP1 = U2F

4.3.2. CTAP2 contains extensions to passwordless external authenticators

4.4. Updated and extensions of the original FIDO protocols

4.5. Designed to flexible depending on use case

4.6. Channel binding is the idea that FIDO tokens can be bound to a specific TLS channel.

5. Man-in-the middle (MITM)

5.1. Standard MFA & MITM

5.1.1. Factors

5.1.1.1. Out of band

5.1.1.2. Biometric

5.1.1.3. Device / token

5.1.2. Variants

5.1.2.1. One-Time Password (OTP)

5.1.2.2. Time-based OTP

5.1.2.3. Push MFA

5.1.3. Standard (non-FIDO) MFA variants do not protect safely against MITM/phishing attacks, BUT they severely limit the attackers freedom of movement.

5.2. FIDO MFA & MITM

5.2.1. Channel binding can be applied to FIDO assertions. Assertions are signed on the client side.

5.2.2. FIDO with full channel binding implementation protects against phishing.

5.2.3. If the TLS channel binding cannot be used, then at least apply it to your cookies.