MFA, 2FA, 2SV — What??? — Let’s improve terminology

Alexander Filipin
AlexFilipin
Dec 23, 2018

In recent times there have been many discussions about the terms Multi Factor Authentication (MFA), Two Factor Authentication (2FA) and Two Step Verification (2SV).

Recently, Troy Hunt has blogged extensively about it, and Paul Moore also presented the difference a few years ago.

The current terminology is confusing and, above all, it is not accurate enough in reference to today’s threat vectors.

What questions should our terminology answer?

  1. Is the authentication vulnerable to breach replay or password spray attacks?
  2. Is the authentication vulnerable to phishing? [Replay attack]
  3. Is the authentication vulnerable to physical theft? [Phone, security key, …]
  4. Are all secrets sent over the network?

The number of factors is not interesting; the answers to the above questions define the security of authentication. Current terminology answers these questions only partially.

Here is an overview, which is available on GitHub and can be extended.

Amendment

I don’t suggest new terminology in this blog. This should be proposed by an organization like the FIDO Alliance. I don’t think it makes sense to communicate this new terminology to the end user; for the end user, any authentication that is more secure than just a password is advantageous. Especially with regard to user adoption, we should stick to established terms like “two-factor authentication”. However, it is important for us as a security industry to make these distinctions in order to work out, among other things, the influence on user adoption. [Thanks Brad Hill for the feedback on Twitter]

If an authentication is immune to breach replay and phishing, I consider it extremely secure. However, current terminology answers these questions only partially.

I am of the opinion that the terminology should focus purely on security, but it is important not to forget that user experience plays a crucial role.

I hope this blog can enrich the discussion. Should aspects be missing or wrong, please let me know.

This blog has been inspired by the following Twitter conversations:

  1. https://twitter.com/AlexFilipin/status/1076612643195109377
  2. https://twitter.com/AlexFilipin/status/1075763683530162176
