Multi-factor authentication (MFA) methods vary significantly in their security levels. Here's what you need to know about choosing secure MFA:

Strong vs. Weak MFA Methods:

Strong MFA:

• PKI-based certificates stored in secure enclaves
• Asymmetric cryptography with private keys in hardware security modules
• Out-of-band authentication with controlled key generation
• Modern passkeys (though session token security needs improvement)

Weak MFA:

• SMS-based verification (deprecated by NIST)
• Knowledge-based questions
• Passwords alone
• Symmetric secrets without strict controls

The traditional "something you have, something you know, something you are" model is outdated when used alone. The security of MFA depends on:

1. Quality of the underlying secrets
2. How well the secrets are protected
3. Whether the authentication method uses symmetric or asymmetric cryptography

Best Practices:

• Use asymmetric secrets when possible
• Ensure private keys are stored in secure enclaves
• Implement out-of-band authentication
• Limit use of symmetric secrets to controlled environments
• Take advantage of built-in security features in modern operating systems

For enterprise environments facing increasing cybersecurity threats, it's critical to move beyond weak MFA methods and implement strong authentication based on asymmetric cryptography and hardware-protected secrets.

Remember: Not all MFA solutions provide equal security. Focus on the quality and protection of the underlying secrets rather than just combining different types of authentication factors.

Related Articles

Previous Articles