Multi-Factor Authentication for Login Security
Doghouse
As an alternative to passwords, maddog looks at various types of multi-factor authentication, as well as considerations drawn from his experience.
Recently a large, closed source software company announced their operating system would allow the user to opt out of using passwords. They indicated that passwords were difficult to manage (agreed), and many times people forget them or use the same passwords for many accounts (which many people do), so now users will be given the ability to use multi-factor authentication (MFA) to avoid using passwords and instead use some other authentication methods to protect themselves. Sounds great … on the surface.
I already know of people that are using their phones to do MFA. When you log in to some web service for the first time during a login session, a message gets sent to your smartphone to acknowledge that someone is trying to log on to your account and to verify that the person is you.
However, using your smartphone has some issues.
You may not own a smartphone. Many of my friends are (cough) "older" and only have "burner" phones (also known as flip phones) that cannot run applications. Of course, many burners can receive SMS messages and be verified through that. However, MFA using phones puts an extra importance on phones being available all the time. If the phone is unavailable (discharged, lost, stolen), in an area where phones are not allowed (secure areas), or a cell phone signal is not available, then a person might inadvertently be locked out of their accounts.
It is important to know that most of these MFA techniques do not rely on the phone as much as they rely on the International Mobile Subscriber Identity (IMSI) number that is assigned to your SIM card. If your phone breaks down, you can simply take the SIM card out and put it into another phone. If the SIM card is lost, you can report it to the mobile phone company and get a replacement SIM card that will have the same phone number (IMSI) associated. However, it may take some time to get a replacement SIM and put it in a new phone.
Another way of doing MFA is using a type of "key" that is available from various companies. These keys (usually small enough to fit on a keychain) are inserted into the USB port of your laptop or phone and/or use NFC to connect with a device as you try to access your accounts (including your login account). Various operating systems as well as various web browsers and cloud-based applications allow these keys to be part of their MFA. Some of these keys are fairly expensive. While this expense may be easily justified from a business perspective, the average person may not want to pay for two (one to use and one to be kept in a secure place as a backup). Of course these keys may be lost or stolen like a phone – therefore requiring a backup key or other MFA path.
Other key types are "smart card"-type devices, which use either contact (needs to be inserted or otherwise scanned) or contact-less NFC technology to verify that the user is physically present. Sometimes these cards have storage on them that can hold details such as health or financial information. Typically these cards are associated with a personal identification number (PIN) to help protect them if lost or stolen. Again, these cards and the management of them can be fairly expensive, and the cards can be damaged relatively easily in adverse environments.
My laptop has both a webcam built in and a fingerprint reader. While both facial recognition and fingerprint recognition have security issues by themselves, when you put them together along with the physical access to a particular device (the laptop, for instance), they can create a much more secure system for logging into that device.
All of these methods, and more, can be used for MFA. One of the problems is, will the user use them? And how complex will it become for people to actually access their systems and data?
A recent webinar on "password-less logins" stated: "Join Cybersecurity experts … to discuss why users will be more likely to adhere to security best practices if they are empowered to manage and renew their credentials without your IT team's help."
Right. I remember how much users hated even simple passwords to log in to their systems. The more complicated the system was, the more they needed help. People who need help in adding an application to their smartphone are going to have some issues in setting up MFA to work across their various devices, various websites, and various applications.
FOSSH has the tools (MFA, PAM, SELinux or AppArmor, encryption of filesystems and data, among others) to do this well. It is time to start planning how to use MFA in your community or business.