Ethan Cox
How Does Multifactor Authentication Work?

What is multifactor authentication?

As technology improves, cybercriminals gain faster and more efficient attack vectors. A username and password used to be considered a perfectly good way to secure your online accounts, but with the rise of password harvesting and other attacks, those two measures alone cannot secure us anymore. Take your home for example. You wouldn’t trust a screen door and a single lock to secure your home. We add layers of security to our homes: most windows have locks, front doors have deadbolts along with the handle lock, and some people even have security systems to deter and catch intruders. Much like our homes, we need more than two measures to secure our online accounts. The additional layer that has become commonplace for authentication is the one-time password (OTP). We use either authenticator apps, such as Google Authenticator, or hardware tokens, such as YubiKeys, to secure our accounts. I have personally secured all my accounts with one of these additional layers, and I recommend you do as well. Here we will examine multifactor authentication (MFA) applications and tokens, discuss how they function, and discover which is more secure.


Why use MFA?

Common factors exist among these MFA methods. Both are something you have; you must have them with you to be able to authenticate. Overseas threat actors do not have access to your cell phone (hopefully) or the hardware token in your pocket. Going back to the house analogy, the app or hardware token is your house key. You can’t get into your house without the house key or some method of destroying the locks altogether, and neither can attackers. Carrying our keys with us protects our homes, and carrying our digital keys with us protects our data. Your other keys, usernames and passwords, are something you know. These are typically saved in browsers, spreadsheets, or password managers and are easily stolen. Having multiple layers to your security is like having a separate key for your door lock and your deadbolt. Even if an attacker steals one of these keys, he still must steal the others to gain access!


Hand holding house keys - Credit to Maria Ziegler

Another beautiful thing about these methods is that the generated codes are never sent from the server to the client. This leaves less of a chance for threat actors to intercept the codes in transit, making these OTP methods more secure than the older forms of OTP. The predecessors of authenticator applications and hardware tokens were OTPs sent via text message or email from the authenticating server. With modern technology, these can be intercepted or forged quite easily by threat actors. Because the applications and hardware tokens only send data to the server and receive nothing, they are considerably more secure than text or email OTP.


How does it work?

The algorithms used by these MFA tokens are similar in nature. An algorithm is a series of methodical steps to complete a task or achieve a specific outcome. Authentication tokens use either HOTP, HMAC-based One-Time Password (RFC 4226), or TOTP, Time-based One-Time Password (RFC 6238), to generate the six-digit codes we enter at an MFA prompt. Both algorithms take two values: a seed value and a moving factor. The seed value never changes and is generated when the MFA method is enrolled on the server, but the moving factor varies in both algorithms. To understand how this works, we must first look at HMAC, the Hash-based Message Authentication Code. HMAC typically uses the hashing algorithm SHA-1 to derive a 160-bit value from the seed and the moving factor. This is an incredibly long number that would take far too long for a human to comfortably enter. Next, the hash is truncated to a 31-bit value, and the modulo operator is used to create a six-digit integer from the truncated value. This is the bread and butter of MFA. Each algorithm relies on HMAC; the way the moving factor fed into HMAC is produced is what defines the specific algorithm.

HOTP

HOTP generates its hash with an event-based moving factor (a counter). The most common MFA method that uses HOTP is a YubiKey. The event that drives the YubiKey’s authentication token is a touch; when a user touches the key, the moving factor is incremented. This completely changes the hash generated by HMAC and creates a unique number for the user to authenticate with. The server keeps its own copy of the seed and moving factor. A successful authentication event increments the server’s moving factor. Because both sides advance on events, the server never needs to share its hash value with the token; only the token sends information to the server during authentication. Once the moving factors on both ends have incremented, any code intercepted in transit is already invalid.

TOTP

What about TOTP? Instead of an event, this algorithm uses time intervals to increment the moving factor. A prime example of an authentication token that uses TOTP is Google Authenticator. The time interval for this application is 30 seconds. When 30 seconds pass, the moving factor changes and so does the six-digit code. This occurs independently on both the token device and the authenticating server, creating yet another security measure that requires no communication of keys between the client and server until the user is ready to sign in.



Secured phone on a table - Credit to Dan Nelson

Which is more secure?

Both MFA methods are extremely secure and highly recommended by security professionals, but which one is more secure from threats? To determine this, we must look at three factors: device security, validation window, and code lifespan. First, the authentication device’s security is crucial to the overall security of your accounts. Soft tokens, or applications that generate authentication codes, are typically installed on mobile devices. Threat actors with a user’s password typically do not steal the authentication device along with the login information, but even if it is stolen, a cell phone will have a PIN or password protecting it from unauthorized access. Hard tokens, or hardware devices that generate authentication codes, are simple plug-and-play devices. For example, a YubiKey only needs a person to touch it; anyone could touch it and authenticate. Again, the chance of a threat actor having a user’s login information and also tracking down the authentication device tied to it is extremely slim, but it must be considered. Soft tokens are far more secure because the device’s lock screen shields the app from unauthorized eyes when stolen.

Second, the validation window of each MFA method must be considered. For HOTP, the validation window is larger than that of TOTP. Servers must accommodate user error when using HOTP; events might be unintentionally triggered on the token device, such as an accidental touch on a YubiKey. The event increments the moving factor on the client device but not on the server, creating a mismatched code. As a solution, servers generate several subsequent codes and accept any of them. Although this accommodates mistakes, it also creates a large validation window, meaning that attackers have a greater chance of guessing the code by brute force, programmatically trying every possible combination until the correct number is found (demonstration here). However, if the server did not accommodate this, HOTP devices would be among the worst authentication methods because accidental events would render them useless. TOTP devices have a small validation window since the server and client both base their moving factors on time intervals. Apart from a small allowance for clock drift, the server has only one code that must match that of the client. TOTP therefore has a far smaller validation window than HOTP.

The final factor we observe is the lifetime of the code generated. HOTP devices generate a code per event; the code does not change until the next event occurs. Think for a moment about the number of accounts users create and just leave on the internet. Consider the number of accounts you have set to “Remember Me” so you conveniently do not have to reauthenticate every time you use them. Even with HOTP-based authentication set up on these accounts, the code will not change until you reauthenticate. Threat actors could brute force your code during that time. This code lifetime is a critical issue with HOTP. TOTP has the same issue only for a much shorter period (typically between 30-60 seconds). Attackers have less than a minute to brute force your six-digit authentication code before it resets, making TOTP-based authentication more secure than HOTP.
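As an added example (not code from the original post), the HOTP and TOTP generation described in the "How does it work?" section, together with the server-side HOTP look-ahead window and the small TOTP clock-drift allowance discussed under the validation window. The window size and the drift allowance are assumed values; the secret is the ASCII test key from RFC 4226 and RFC 6238.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional, Tuple


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to a 31-bit value, then modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()  # 160 bits
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects the 4-byte slice
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF  # 31-bit value
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter replaced by floor(unix_time / step)."""
    t = int(time.time()) if at is None else at
    return hotp(secret, t // step, digits)


def verify_hotp(secret: bytes, server_counter: int, code: str,
                window: int = 10) -> Tuple[bool, int]:
    """Server side of HOTP. Accept any of the next `window` counters (assumed
    size) so accidental presses do not lock the user out; on success
    resynchronise to one past the matching counter. The window is exactly the
    larger validation surface the post describes."""
    for c in range(server_counter, server_counter + window):
        if hmac.compare_digest(hotp(secret, c), code):  # constant-time comparison
            return True, c + 1
    return False, server_counter


def verify_totp(secret: bytes, code: str, at: int, step: int = 30, skew: int = 1) -> bool:
    """Server side of TOTP. Tolerate +/- `skew` steps of clock drift (assumed
    value), so only 2*skew+1 codes are ever valid at once."""
    return any(hmac.compare_digest(totp(secret, at + i * step, step), code)
               for i in range(-skew, skew + 1))


if __name__ == "__main__":
    key = b"12345678901234567890"  # RFC 4226 / RFC 6238 test secret
    print("HOTP counter 0:", hotp(key, 0))
    print("TOTP at t=59:  ", totp(key, at=59))
    # user pressed the key twice by accident, then submitted the third code
    print("look-ahead resync:", verify_hotp(key, 0, hotp(key, 2)))
```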


In Conclusion...

Multifactor authentication is essential in today’s digital age. Using just a username and password is no longer enough to keep your accounts safe. Whichever method of MFA you choose will give you more security than before. The underlying details show that applications such as Google or Microsoft Authenticator are more secure than hardware security tokens, and the applications are free to download and use. I highly recommend you begin securing your accounts this way if you have not already.
