Chapter 98 · Flashcards

Multifactor Authentication — Flashcards

Twelve cards covering the definition of MFA and the four factor categories, smart cards, USB security keys, hardware and software tokens, SMS OTP weakness, biometric mathematical representations, the cannot-be-changed limitation, FAR/FRR/CER accuracy metrics, IP geolocation limitations, GPS and Wi-Fi location factors, and the SIM-swap attack against SMS MFA. Click any card to flip it.

What is MFA, what makes it "true" MFA vs. two-step verification, and what are the four factor categories?

MFA (Multifactor Authentication) requires at least two authentication factors from two DIFFERENT categories. Two passwords = two-step verification (not MFA) because both are the same category. Four categories: (1) Something you know — password, PIN, pattern. (2) Something you have — smart card, USB key, hardware/software token, phone. (3) Something you are — fingerprint, iris, voice, facial recognition. (4) Somewhere you are — IP geolocation, GPS, cellular, Wi-Fi triangulation. True MFA: password (know) + token (have) = different categories.

What is a smart card, what two factors does it combine, and where is it used?

A smart card is a physical card with an embedded microprocessor containing cryptographic keys. Requires: physical card (something you have) + PIN (something you know). A stolen card is useless without the PIN; a stolen PIN is useless without the card. Used in government PIV (Personal Identity Verification) credentials and military CAC (Common Access Card) systems. The cryptographic keys on the card perform authentication challenges that cannot be replicated without the physical card, even if the PIN is known. Classic two-factor: possession + knowledge.

What is a USB security key, and why is it phishing-resistant when other MFA factors are not?

A USB security key (e.g., YubiKey, FIDO2 key) stores cryptographic keys and certificates that never leave the device. Authentication requires physical insertion and often a button press. Phishing-resistant because the key's cryptographic operations are domain-bound: the key signs a challenge response using the cryptographic private key only for the legitimate domain it was enrolled with. A phishing site cannot trick the key into generating a valid response for the real site — the domain mismatch is detected cryptographically. This makes USB security keys the strongest “something you have” factor, superior to TOTP codes and SMS OTP which can be phished.

What are hardware and software tokens, how do they generate OTPs, and what is the key difference between them?

Hardware token (RSA SecurID): physical device displaying a numeric code that changes every 30-60 seconds. Token and server share a seed; both independently generate the same TOTP using the current timestamp. Physical possession required. Software token (Google Authenticator, MSFT Authenticator): smartphone app generating the same time-based codes. More convenient but requires a secured smartphone. Key difference: hardware tokens are dedicated devices (harder to compromise via malware); software tokens run on multipurpose smartphones that may be infected. Both are stronger than SMS OTP. Both are categorized as something you have.

What is SMS OTP, why is it the weakest "something you have" factor, and what attack specifically defeats it?

SMS OTP: a one-time code sent via text message to the registered phone number. Categorized as something you have because it requires control of the registered phone number. Weakest because: phone numbers can be transferred (ported) to a different SIM without physical theft of the phone. SIM-swapping attack: attacker contacts the carrier, impersonates the victim, and convinces the carrier to port the number to an attacker-controlled SIM. The attacker now receives all SMS messages, including OTP codes. Combined with a stolen password, SIM swapping gives full account access. Defense: use hardware tokens or FIDO2 keys instead of SMS OTP for high-security accounts.

What does a biometric system actually store, and what is the fundamental limitation of biometrics as authentication?

Biometric systems store a mathematical representation of the biometric — NOT an image. During enrollment, the biometric (fingerprint, iris, voice) is captured, features are extracted (measurements, angles, key points), and only this mathematical model is stored. During authentication, the same extraction is applied to the presented biometric and the model is compared. Fundamental limitation: biometrics cannot be changed. If the mathematical representation is stolen in a database breach, the user cannot change their fingerprint or iris. This is why biometrics are used as one factor among several, not as a sole authentication mechanism. Password breaches can be remediated by changing the password; biometric breaches cannot.

What are FAR, FRR, and CER in biometric authentication, and which metric represents security risk vs. usability impact?

FAR (False Acceptance Rate): how often the system incorrectly accepts an unauthorized user (false positive / impostor accepted). Security risk — a high FAR means impostors get through. FRR (False Rejection Rate): how often the system incorrectly rejects a legitimate user (false negative / legitimate user denied). Usability impact — a high FRR frustrates legitimate users. CER (Crossover Error Rate): the sensitivity threshold where FAR equals FRR. Used to compare systems: lower CER = more accurate system overall. FAR and FRR trade off: making the system more sensitive (harder to fool) increases FRR. Making it more lenient decreases FRR but increases FAR.

What are four location-based authentication technologies, and what is the primary limitation of IP geolocation specifically?

Four location technologies: (1) IP address geolocation — maps originating IP to approximate location. Easy to implement; limited by VPNs, proxies, and IPv6 accuracy. (2) GPS — device reports GPS coordinates. More accurate than IP; can be spoofed; requires device participation. (3) Cellular network location — cell tower triangulation. Less accurate than GPS; no GPS required. (4) 802.11 Wi-Fi triangulation — access point proximity. Indoor use where GPS fails. Primary limitation of IP geolocation: VPNs and proxy servers can make traffic appear to originate from any geographic location. IP-to-location mapping is also imprecise, particularly for IPv6. Best used as an anomaly signal (impossible travel detection), not a standalone factor.

Classify each: PIN, iris scan, smartphone TOTP app, GPS coordinates, hardware RSA token, USB YubiKey, password, SMS OTP code.

Something you know: PIN, password. Something you have: smartphone TOTP app (software token), hardware RSA token, USB YubiKey (security key), SMS OTP code. Something you are: iris scan. Somewhere you are: GPS coordinates. Note on SMS OTP: it is classified as something you have because it requires control of the registered phone number, not as knowledge (you receive it, not memorize it). The code itself changes every time and is not something you know in advance.

What makes a combination of two factors from the same category NOT true MFA, and give an example?

True MFA requires factors from two different categories because each category has different attack vectors. If both factors are in the same category, a single attack can compromise both simultaneously. Example: requiring a password AND a security question answer = two knowledge factors. An attacker who phishes or breaches the knowledge factor database obtains both simultaneously. A password breach exposes both. This is two-step verification, not MFA. Contrast: password (know) + hardware token (have) = true MFA. Phishing the password does not give the attacker the physical hardware token. Stealing the hardware token does not give the attacker the password. Different categories create independent attack surfaces.

What is the difference between a hardware token and a software token in terms of compromise risk?

Hardware token: dedicated single-purpose device. The seed is burned into the device during manufacture. Compromise requires physical theft of the device. The device cannot be infected by malware because it runs no general-purpose OS. If the server seed database is breached, the hardware token may be cloneable in theory, but the device itself is not attackable remotely. Software token: runs on a general-purpose smartphone. If the smartphone is compromised by malware, the seed or generated codes could be extracted by the malware. Remote compromise is possible. However, software tokens are far more convenient and still significantly stronger than passwords or SMS OTP. Security policy should use hardware tokens for the highest-privilege accounts; software tokens are acceptable for standard enterprise MFA.

What is impossible travel in the context of location-based authentication, and how is it detected?

Impossible travel: a condition where the same account authenticates from two geographically distant locations within a time window too short for physical travel between those locations. Example: authentication from Tokyo at 10:00 AM and authentication from London at 10:30 AM — physically impossible. Detection: the authentication system or UEBA/UBA platform records the IP geolocation (or GPS) of each authentication event and calculates whether the elapsed time between events is consistent with the physical distance between locations. When impossible, the system flags the newer session as suspicious and may require step-up authentication or block the session. Used to detect account sharing, credential theft, and simultaneous attacker sessions.