U2, 2Pac, Tupperware – we humans love the two as a concept: it can mean opposition, as in Red Team versus Blue Team, complementarity (blue and orange in Goethe’s color model) or duality, as in the proverbial two sides of a coin. Last but not least, the power of quantum computers derives from the fact that they dissolve the binary boundary. And so, of course, security also needs its B-side, its deputy, its “+1”. This is most obviously embodied (an unnecessarily binary, allegedly non-scalable adjective…) in the technical term 2FA – two-factor authentication, which in plain terms means: please prove that it’s you, otherwise I won’t believe you!


David Fuhr is co-founder and CTO of intcube GmbH.

Actually, the concept is MFA, i.e. multi-factor authentication: if I want to prove my identity (see “Part 2: A password” of this series of articles), I have to provide evidence from several different classes of proof, such as something I know (e.g. a password), something I have (e.g. a hardware token) and/or something I “am” (e.g. my fingerprint). Factor means: if I fail to submit any one of the proofs, the whole product is 0 and I’m rejected.

There are many theoretical introductions to and extensive standards for IT security. If you follow the ideas of this six-part series of mini articles, the basis for a slim and powerful security program is created along the way.

As a rule, MFA comes in the form of 2FA today: password and SIM card (SMS), password and hardware token, password and mobile phone (authenticator app) are the classics. And this “+1” increases the strength of the authentication – the mathematical effect of multiplying factors – so much that 2FA is rightly considered one of the strongest standard security measures today and, also rightly, is quickly becoming state of the art. In some areas, such as payment services, 2FA has even been mandatory for a number of years.
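To make the “factor” idea concrete, here is an added example that is not from the article or from intcube: a minimal HOTP/TOTP verifier as specified in RFC 4226 and RFC 6238 (the scheme behind authenticator apps), plus a policy function that treats each presented proof as a factor. Every proof must verify, so a single failure zeroes the product, and the verified proofs must come from at least two distinct classes, so two passwords do not count as 2FA. The secret is the ASCII test key from the RFCs; the user store, the factor names and the policy function are constructed for this demo.

```python
import hashlib
import hmac
import os
import struct

# Constructed demo secret: the ASCII test key from RFC 4226 / RFC 6238,
# so the codes produced here can be checked against the RFC test vectors.
DEMO_SECRET = b"12345678901234567890"

# Which class of evidence each proof kind belongs to (constructed for the demo).
FACTOR_CLASS = {"password": "knowledge", "totp": "possession", "fingerprint": "inherence"}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 + dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the current time step."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, step: int = 30, drift: int = 1) -> bool:
    """Accept the code for the current step or up to `drift` neighbouring steps
    (clock skew between phone and server); each candidate is compared in constant time."""
    counter = at // step
    return any(
        hmac.compare_digest(hotp(secret, counter + d), code)
        for d in range(-drift, drift + 1)
    )


def make_store(password: str, totp_secret: bytes) -> dict:
    """Constructed user record. PBKDF2 stands in for a memory-hard password hash."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "password_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000),
        "totp_secret": totp_secret,
    }


def authenticate(proofs: list, store: dict, now: int) -> tuple:
    """Evaluate the presented proofs as factors.

    proofs is a list of (kind, value) pairs. Every proof must verify: one failed
    factor makes the whole product 0. The verified proofs must also span at least
    two distinct classes, otherwise this is single-factor authentication done twice.
    """
    classes = set()
    for kind, value in proofs:
        if kind == "password":
            digest = hashlib.pbkdf2_hmac("sha256", value.encode(), store["salt"], 200_000)
            ok = hmac.compare_digest(digest, store["password_hash"])
        elif kind == "totp":
            ok = verify_totp(store["totp_secret"], value, now)
        else:
            ok = False  # unknown proof kind never counts as a factor
        if not ok:
            return False, f"factor {kind} failed"
        classes.add(FACTOR_CLASS[kind])
    if len(classes) < 2:
        return False, "fewer than two distinct factor classes"
    return True, "ok"


if __name__ == "__main__":
    store = make_store("correct horse", DEMO_SECRET)
    now = 59  # RFC 6238 test time; the matching 6-digit code is 287082
    print(authenticate([("password", "correct horse"), ("totp", totp(DEMO_SECRET, now))], store, now))
    print(authenticate([("password", "correct horse"), ("password", "correct horse")], store, now))
    print(authenticate([("password", "correct horse"), ("totp", "000000")], store, now))
```

The drift window is the usual practical compromise between rejecting users whose phone clock is a few seconds off and widening the attacker’s guessing window; keep it small and rate-limit failed attempts. Note that the policy rejects the password-plus-password case even though both proofs verify, which is exactly the point of the “different classes” requirement.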

Authentication is by no means the only place in security where a second factor is used; it’s just made less explicit elsewhere: instead of 2FAAA (two-factor authentication, authorization and accounting), 2PF (double firewall) or 2 zones (DMZ), we simply say “defense in depth”, tiered defense. And while this millennia-old military concept is generally useful as a guiding principle for security architectures, it obscures which measure is a second (or third) factor for which security goal.

Of course, the whole thing becomes really neat when it comes to backup. Here the number two hides in the first half of the word: if I never have to go “back”, because I’m always “up” (running and online), I’ll never need my backup! So backup is a second factor of availability.

Wait a minute, one would like to object: I only need either my production data or my backup to remain able to work, so it’s not a factor in the sense of an AND where I need both! That’s true, but from the attacker’s point of view it looks like this: if I only destroy or encrypt the production data, or only the backup, I haven’t achieved my goal. I have to overcome both factors, analogous to 2FA.

This view allows us to understand relationships between different security measures that the term defense in depth expresses only in vague, all-encompassing terms. If you like it fancy, you can look into the MITRE ATT&CK matrix, which tries to represent all possible attack vectors as a graph or network. But even the innocent question “Do I have a second factor for my data/processes/confidentiality/integrity/availability/data minimization/anonymity?”, or whatever my security goals are, can help to adjust my security program in a purposeful way.



