Non-digital MFA

…or why do we always complexify things beyond usefulness?

My building mailbox uses multi-factor authentication for me to collect my mail. What, you did not know this?

The three basic classes of authenticating items are something you (and only you) know (like your password), something you (and only you) have (like a USB security certificate), and something you (and only you) are (like a fingerprint, or a 3D facial scan).

As previously discussed, you should never, ever use a biometric for MFA, for two reasons. The first is rather morbid: for most of them you do not have to be alive for it to work. Second, if it is ever hacked (for example, someone takes a phone snap of your fingerprint from a wine glass and empties your bank account 15 minutes later), you cannot easily change your hacked authentication method, if at all. Ever.

Okay, fine, so you can still use something you (and only you) know, and something you (and only you) have. Let’s look at the things you and only you know – that’s difficult, actually. Anyone can figure out your pet’s name, or the year you were born/married/whatever date is important to you. But how many people can guess which lines of your favourite poem you might pick? Or a choice movie quote, or your current favourite pop song? If you can pick something with at least, say, 8 words (more is always better, but may be slow to type if you have to do it often) then you have some great passwords available to you which will, mostly, challenge brute force attacks.
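The brute-force arithmetic behind that "at least 8 words" advice, as an added example (not part of the original post): it compares the guess space of an 8-word passphrase drawn from a word list with an 8-character password, and also models the case where an attacker already guesses the secret is a line from a published corpus. The word-list size (7776, a common diceware list), the 95 printable ASCII characters, the guess rate and the corpus size are assumptions, not figures from the post.

```python
import math

# Assumed attacker model: offline guessing against a leaked hash at a
# constant rate. 1e12 guesses/second is a generous placeholder.
GUESSES_PER_SECOND = 1e12
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def guess_space_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy of a secret built from `length` independent,
    uniformly random picks out of `alphabet_size` symbols (words or chars)."""
    return length * math.log2(alphabet_size)


def expected_years_to_crack(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Expected time to find the secret: on average half the space is searched."""
    return (2 ** bits / 2) / rate / SECONDS_PER_YEAR


def corpus_bits(candidate_lines: int) -> float:
    """If the attacker knows the secret is one line out of a corpus of
    `candidate_lines` (an assumed number), the effective entropy collapses
    to log2 of the corpus size, regardless of how many words the line has."""
    return math.log2(candidate_lines)


def compare() -> dict:
    """Return the three scenarios side by side, in bits and expected years."""
    scenarios = {
        "8 random words (7776-word list)": guess_space_bits(7776, 8),
        "8 random printable ASCII chars": guess_space_bits(95, 8),
        "one line from a 1,000,000-line corpus": corpus_bits(1_000_000),
    }
    return {name: (bits, expected_years_to_crack(bits))
            for name, bits in scenarios.items()}


if __name__ == "__main__":
    for name, (bits, years) in compare().items():
        print(f"{name:40s} {bits:6.1f} bits  ~{years:.3g} years")
```

The point the numbers make: word count only helps if the words are not predictable from a short list the attacker can enumerate.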

And that USB security certificate? That’s damn cool, but it is not as good as the keys on your keychain – which is where that USB key should probably be as well.

The USB certificate is certainly a lot more complex, harder to reverse engineer than the key. But it doesn’t need to be reverse engineered. If someone is trying to break into your stuff, they just need to physically possess it. Just like the other keys on your keychain.

But the simple keys on the keychain are in part designed to survive the abuse of, well, being on a keychain. They ride in a pocket or a purse, bashing up against each other, get dropped and thrown, fumbled, dunked in water and other fluids, and occasionally hung on a peg or hook for a few hours of quiet. How long is a digital device going to survive that? The problem of making the USB key physically robust is actually quite a challenge; if it is not strong enough, who is going to carry it around with them all the time like they do their keys?

Think about it: if you are trying to come up with a physical thing which is quite secure, able to withstand the rigors of being carried around by a primate, and is only one of at least two elements of security, wouldn’t you just use the off-the-shelf already-well-proven lowly key?

And almost every key is actually part of an MFA system. One key-chain I was responsible for had about 24 keys on it, all identical except for a few alpha-numeric codes stamped into them. I had to know where the locks were which the keys fit, and which key fit which lock. And mine was only one of many in the locker. You might have a couple of car keys on your chain – you know it’s the white 2016 model of brand X, or the red 2008, but would anyone else? And where did you park it this time? Something you (and only you) know, and something you (and possibly your significant other) have.

In my current building all the mailboxes are logically numbered, and anyone could figure out which box is ours, if they know which unit we live in. But the key is the standard postal service one; there are millions of them in the country, so if they do not have my key-chain it might be rather challenging for them to guess which key will work.

But then, my postal box would fail very quickly to a determined crow bar. Brute force, sometimes, is brute force.