Ric Richardson

@ricricho

Combifactor vs Multifactor Authentication

July 24th 2018

Step up authentication and 2FA makes users feel secure. Being asked to get your phone out and swipe an app feels satisfyingly secure but it also gets tiresome awful quick.

Iris scanning, facial recognition, Yubikeys, FIDO, SMS one time codes, Google Authenticator, PING swipe, TokenOne and on and on. Asking our customers to take “just one more step”, to thumb scan, to swipe an app, to type a onetime sms code, to look up an email all feels like a reasonable ask until it isn’t.

The reality is that consumers and business users resent being asked to jump through more hoops or to learn another authentication procedure. So while the top end of the security spectrum supports more varied and complex authentication flavours, the average user is fighting even the most basic efforts to secure their accounts.

“Frankly, if a bank could use a Facebook logon for authentication they’d grab a load of new customers. Face it. Probably the most abdicated role of modern digital life is a persons online security.”

So if humans are resistant to anything but the most basic security procedures what’s to do?

Security authentication 101 dictates a simple set of factors. “Something you know”, “something you are” and “something you have”. If you combine these with a humans resistance to anything complex you are left with a fairly straightforward dilemma.

How do you take the minimum, most convenient work that a human will undertake and then use technology to amplify that work so that it reaches and surpasses the strength and resilience of the most conscientious attacker?

Enter Combi-factor Authentication.

This hybrid of existing multi factor techniques starts out with the assumption that a human only needs to identify themselves to the device they are using. The first factor. From there on out the device can use all manner of complicated other factors to amplify and combine with the first factor to produce a powerful multi factor authentication. An authentication act that is combined into one action from the users perspective.

In its simplest form this could be a PIN or a simple password.

In my research in the field we at Haventec settled on a combi-factor approach that uses a rolling public key pair system (“something you have”), and device fingerprinting (“another thing you have”) as two different uniquely identifying factors. These very powerful and complex factors are combined with the users “something I know” (their PIN or password) and voila… you have a complex multi-factor authentication that has only asked the user for a PIN or simple password. One simple action that they have been doing for over a decade.

Another side benefit of this approach is that there is no saved PIN, password or even hash on the server side. No compare is ever done. The rolling key pair (where the private key is never stored on the server side) and where the key pairs change every connection means that the system leaves no liability footprint, no hacker honeypot on the enterprise network to attack.

In conclusion combi-factors are the only way to ramp up the complexity of security attack countermeasures without asking humans to jump through more hoops.

Even though combi-factors can come in any flavour (ie device ID’s with biometrics etc etc) we found that a serious advantage was to be had in moving the “something I know” to a supportive rather than primary factor position.

Let me explain. Until today usernames and passwords were the primary identification and authentication factors. Additional factors such as fingerprints or SMS codes or security dongles have always been positioned as secondary factors. The “just in case” extra measure of security.

When complex factors such as key pairs and device fingerprints are used as the primary identity factors, the pressure can be reduced on security surrounding human identifiable factors such as PINs and passwords.

If an attacker has a users PIN but they don’t have the device with the rolling keys then they can’t access the account. Even the efficacy of a simple four digit PIN is hugely amplified when combined with public keys are that are rolled and a device fingerprinting regimen.

For clarity Haventec does support any and all human identifiable factors via plug-in or device capability (ie IOS finger scan and key chain) but this article shows how simple standards used by most people in the world (PIN and Visa card or username and password) can be used in concert with the most powerful and hardened authentication technologies to deliver true high end security without all the fuss.

About the author: Ric Richardson is an inventor who became known for his work on a widely used form of software activation and a controversial 9 year patent litigation with Microsoft. He founded Haventec to leverage rolling public keys for the purpose of Authentication to help make the world more secure for his parents who struggle with anything but the most simple passwords. Haventec is dedicated to providing ever more sophisticated attack vector solutions while simplifying digital life for all users, young, old, sophisticated and not. And to do so for every application from national security and banking on down.

More by Ric Richardson

More Related Stories