When it comes to cyber security the old saying rings true: you shouldn’t put all your eggs in one basket.
Sometimes that advice is ignored, with very poor outcomes - such as a basket full of broken eggs. In the world of cyber security this advice is particularly important, which is precisely why expert opinion converges on recommending multi-factor authentication. If one basket gets compromised, you still get an egg for breakfast.
Another manifestation of the same principle is the need to avoid any single point of failure anywhere in the system. An agile attacker will quickly identify such a weakness and ruthlessly go after it, whether it lies on the client side or the server side. And clearly it is in an attacker’s interest to go after the component that yields them the most. Compromise a client and the attacker gets unfettered access to that user’s account. Compromise a server and the attacker potentially gets unfettered access to everyone’s account - yet in the world of authentication any weakness on the server side is often overlooked. As long as the client’s experience is two-factor, then all will be well. (We noticed this attitude quite starkly in a recent Twitter exchange. Us: “Not all 2FA systems are created equal.” Them: “That’s simply not true.”)
The classic server-side attack on username/password is the capture of the password file. However, even two-factor schemes such as industry-leader FIDO have a serious server-side vulnerability, which we pointed out in an earlier blog post (“FIDO – that Dog won’t Hunt”). It was only a matter of time before such a vulnerability was exploited. The recent hack of Duo as deployed by SolarWinds, with catastrophic consequences, has highlighted the damage that can be done: https://www.bbc.co.uk/news/technology-55368213
At first glance it’s hard to imagine how an attack like this one - which results in unfettered admin access to the authentication server - can fail to lead to a complete break, as long as the attack goes undetected. The problem is that the authentication server is often that basket holding all of our eggs.
Here at MIRACL we take a different approach: there must be no single point of failure anywhere in the system, not just at the client end. In our M-Pin product we achieve this by completely separating client registration from client authentication, which is actually a very natural thing to do. The distributed client registration service (the DTA – Distributed Trust Authority – with no single point of failure here either) issues client secrets, so that the server does not have to maintain any kind of client credential database. The DTA is not involved in subsequent authentications, which take place solely between client and server.
Suppose our authentication server is hacked, admin access is achieved, and all of its internal secrets are revealed. Because the server holds no information related to client secrets (only the DTA and the clients themselves know those), this does not result in a complete collapse of security. Of course we would expect to pay some price for such a powerful attack, and in fact our system falls back from being two-factor to one-factor. But the line holds – the attacker still does not have enough information to authenticate as a genuine client, and remains one factor short of a complete break.
So in response to our Twitter friend: no, not all 2FA systems are created equal.
Dr Michael Scott is Chief Crypto Officer at MIRACL, one of the pioneers of pairing-based cryptography and the “S” in the widely used BLS and KSS families of elliptic curves. Following a distinguished career of almost 30 years at Dublin City University, and active consultancy for both the public and private sectors, his unmatched depth of knowledge is drawn not only from his academic expertise - he has published over 100 highly cited papers – but also from his genuine love of cryptography and the science behind it.