Authenticator Types🔗
This section covers the different types of authentication factors that are available and their security considerations. Each type is divided into the following categories:
| Factor Definition | Types | Example |
|---|---|---|
| Something you know | A value that a user remembers | Memorized Secret |
| Something you have | The possession of a unique value | lookup Secrets, Out-of-Band Devices, Single and Multi Factor OTP Devices and Single and Multi-factor Cryptographic Software or Device |
| Something you are | A physical attribute of a user that is unique to them | Biometric |
Something you know🔗
🧠 Memorized Secrets🔗
🔶 Definition: A secret value intended to be chosen and memorized by the user
🔶 Example:
- Passwords
- Security Questions
Password
Note
Password security checklist can be found here
Security Questions
Danger
Security questions should NOT be used as it is considered RESTRICTED in NIST SP 800-63B 5.1.1.2
| #️⃣ | ✅Items | ⚠️Severity | ☠️Vulnerabilities | 🔗Sources |
|---|---|---|---|---|
| 1 | Verify: Security questions are not used as an authentication factor Reason: Weak form of authentication as the value can be easily guessed | High | Brute Force |
SQCS |
| 2 | Verify: Simple answers such as '123' are restricted Reason: Easily guessable value | High | Brute Force |
SQCS |
| 3 | Verify: The user is required to reauthenticate when updating security questions Reason: Ensure that the request is coming from the intended user | High | Impersonation |
SQCS |
| 4 | Verify: More than one question is asked to increase complexity Reason: Makes guessing harder | High | Brute Force |
SQCS |
| 5 | Verify: Questions that are being asked are specific to each user instead of generic questions Reason: Generic questions have generic answers and are easily guessable | High | Brute Force |
SQCS |
| 6 | Verify: Security questions are presented after when the username and password are accepted Reason: Security questions should only be used as a sector factor because it's not as strong as passwords | High | Brute Force |
SQCS |
| 7 | Verify: Security questions are hashed when stored in the database and must follow the Credential Storage guidelines Reason: In case answers leak, the hash value won't allow access to an account | High | Impersonation, Credential Theft |
SQCS |
Something you have🔗
📖 Lookup Secrets🔗
🔶 Definition: lookup secrets are a set of secrets shared between the user and a website
🔶 Example: Acts as a recovery/backup codes when the user forgets their password or locks their account
| #️⃣ | ✅Items | ⚠️Severity | ☠️Vulnerabilities | 🔗Sources |
|---|---|---|---|---|
| 1 | Verify: lookup secret has at least 112 bits of entropy Reason: Minimum randomness that makes guessing challenging | High | Brute Force |
SP800-63B |
| 2 | Verify: Verifier retains only a hashed version of the lookup secrets which follow the Credential Storage guidelines Reason: In case lookup secret leaks, the hash value won't allow access to an account | High | Brute Force, Impersonation, Credential Theft |
SP800-63B |
| 3 | Verify: If entropy is less than 112 bit, the lookup secret is hashed with a salt that's of a 32 bit length Reason: Compensate lower entropy with a salt which will increase entropy | High | Brute Force |
SP800-63B |
| 4 | Verify: If the the lookup secret's entropy is less than 64 bits, rate limiting mechanisms shall be put in place Reason: Additional prevention against guessing to compensate for lower entropy | High | Brute Force |
SP800-63B |
| 5 | Verify: lookup secret is accepted only once Reason: Prevent a value from being used more than once in case it leaks | High | Replay Attack |
SP800-63B |
| 6 | Verify: The user is required to reauthenticate with two factors when requesting new lookup secrets Reason: Ensure that the actual user is making a change, not someone else | High | Impersonation, Credential Theft |
SP800-63B |
| 7 | Verify: Once new lookup secrets are generated, older ones are no longer relevant Reason: Prevent reuse in case of theft | High | Credential Theft |
SP800-63B |
📱 Out-of-Band Devices🔗
🔶 Definition: Secure out-of-band authenticators are physical devices that can communicate with the verifier over a secure secondary channel
🔶 Example:
- Push notifications to mobile devices for authentication
- SMS or phone call to deliver an authentication code
Danger
OTP delivered through SMS or phone is not secure and is considered RESTRICTED in NIST SP800-63B 5.1.3.3
| #️⃣ | ✅Items | ⚠️Severity | ☠️Vulnerabilities | 🔗Sources |
|---|---|---|---|---|
| 1 | Verify: Phone and SMS should not be used as out-of-band verifiers Reason: Considered as a restricted category by NIST | High | Credential Theft, Impersonation |
SP800-63B |
| 2 | Verify: The out-of-band verifier expires requests, codes, or tokens after 10 minutes Reason: Verifier not receiving the code within 10 minutes indicates an issue, such as non-delivery or wrong recipient | High | Credential Theft |
SP800-63B |
| 3 | Verify: Authentication secrets, codes, or tokens are single-use and valid only for the initial authentication request Reason: Prevent reuse in case of theft | High | Credential Theft, Impersonation |
SP800-63B |
| 4 | Verify: Verifier retains only a hashed version of the authentication code, which follow the Credential Storage guidelines Reason: In case code leaks, the hash value won't allow access to an account | High | Credential Theft, Impersonation |
SP800-63B |
| 5 | Verify: Authentication code is generated by a secure random number generator containing at least 20 bits of entropy (typically, a six digital random number is sufficient) Reason: Minimum complexity to make guessing challenging | High | Brute Force |
SP800-63B |
🔢 Single and Multi Factor OTP Devices🔗
🔶 Definition:
- Single-factor One time Password (OTP) devices are physical devices that generate OTPs
- Multi-factor OTP devices are like single-factor ones but require activation through either knowledge, physical characteristic, or a combination of both
🔶 Example: OTP is displayed on the device and manually entered for transmission to the verifier, demonstrating possession and control. An OTP device can show, for instance, six characters at once
| #️⃣ | ✅Items | ⚠️Severity | ☠️Vulnerabilities | 🔗Sources |
|---|---|---|---|---|
| 1 | Verify: Approved cryptography is used to generate the secret Reason: Weak cryptography can be bypassed | High | Brute Force |
SP800-63B |
| 2 | Verify: Approved authenticated protected channels are used when collecting the OTP Reason: Ensures that the OTP is being generated from the right device | High | Eavesdropping |
SP800-63B |
| 3 | Verify: Time-based OTPs expiration is in place Reason: Prevents the OTP from being reused in case its stolen | High | Credential Theft, Impersonation, Replay Attack |
SP800-63B |
| 4 | Verify: Time-based OTP is used only once within the validity period Reason: Prevents the OTP from being reused in case it's stolen | High | Credential Theft Impersonation, Replay Attack |
SP800-63B |
| 5 | Verify: Symmetric keys used to verify submitted OTPs are highly protected, such as by using a hardware security module or secure operating system-based key storage Reason: Key theft can allow an attacker to generate a valid secrets | High | Credential Theft, Impersonation |
SP800-63B |
| 6 | Verify: Physical single-factor OTP generator can be revoked in case of theft or loss. Ensure that revocation is immediately effective across logged-in sessions, regardless of location Reason: Protect the user's account from unauthorized access by a malicious party | High | Credential Theft, Impersonation, Replay Attack |
SP800-63B |
| 7 | Verify: Verifier can identify the authenticator as a multi-factor device, but in its absence, it should be considered as single-factor Reason: Ensures that a user is choosing the right authentication factor | High | Credential Theft, Brute Force |
SP800-63B |
🔑 Single and Multi Factor Cryptographic Device and Software🔗
🔶 Definitions:
- A single-factor cryptographic device is a hardware device that performs cryptographic operations using a protected cryptographic key(s) and provides the authenticator output via direct connection to the user endpoint
- A multi-factor cryptographic device is similar to a single-factor cryptographic device but must be activated by either something you know, something you are or both
- A single-factor cryptographic software is a cryptographic key stored on a disk or some other "soft" media. Authentication is accomplished by proving possession and control of the key
- A Multi-factor cryptographic software is similar to single-factor cryptographic software but must be activated by either something you know, something you are or both
🔶 Examples:
-
Single/Multi-factor cryptographic device:
- USB authenticators such as a YubiKey or Google Titan
- Smart cards with an embedded processor
-
Single/Multi-factor cryptographic software:
- Use of a client X.509 certificate
| #️⃣ | ✅Items | ⚠️Severity | ☠️Vulnerabilities | 🔗Sources |
|---|---|---|---|---|
| 1 | Verify: Cryptographic keys are highly protected Reason: Key theft can allow an attacker to generate valid secrets | High | Credential Theft, Impersonation |
SP800-63B |
| 2 | Verify: Single-factor cryptographic device verifiers generate a challenge nonce, send it to the corresponding authenticator, and use the authenticator output to verify possession of the device. Ensure that the challenge nonce is at least 64 bits in length Reason: The minimum length that makes predicting its value challenging | High | Brute Force |
SP800-63B |
| 3 | Verify: Challenge nonce is unique for each authenticator Reason: Ensures that more than one authenticator are not used for a single user account | High | Impersonation |
SP800-63B |
| 4 | Verify: Approved cryptographic algorithms are used in the generation, seeding, and verification Reason: Unauthorized algorithms can be circumvented | High | Brute Force |
SP800-63B |
Something you are🔗
🧬 Biometric🔗
🔶 Definition: The use of biometrics in authentication includes both measurements of physical characteristics and behavioral characteristics of a user
🔶 Example:
- Facial recognition
- Fingerprint scan
- Iris scan
- Typing cadence
| #️⃣ | ✅Items | ⚠️Severity | ☠️Vulnerabilities | 🔗Sources |
|---|---|---|---|---|
| 1 | Verify: Biometric authenticators are limited to use only as secondary factors in conjunction with either something you have and something you know Reason: The false match rate in Biometric isn't strong enough to be used as a single factor | High | Impersonation xxxxxxxxxxxxxxxx |
SP800-63B |
| 2 | Verify: The sensor or endpoint is authenticated before capturing the biometric sample from the user Reason: Prevent the use of fraudulent devices | High | Impersonation |
SP800-63B |
| 3 | Verify: The biometric system allows no more than five consecutive failed authentication attempts Reason: Limit the occurrence of impersonation attacks | High | Impersonation |
SP800-63B |
| 4 | Verify: After five consecutive failed attempts, disable authentication for 30 seconds before the next attempt and increase exponentially with each successive failed attempt or disable the biometric user authentication and offer another factor Reason: Limit guessing attacks | High | Brute Force |
SP800-63B |
| 5 | Verify: The integrity of the endpoint or sensor can be determined so any sensor or endpoint change can be detected Reason: Prevent an attacker from installing a fraudulent device to bypass biometric check | High | Impersonation |
SP800-63B |
🔗 Sources:
Open Web Application Security Project (OWASP):
National Institute of Standards and Technology (NIST) SP 800-63B: