Multi-Factor Authentication for Login Security
Doghouse

As an alternative to passwords, maddog looks at various types of multi-factor authentication, as well as considerations drawn from his experience.
Recently a large, closed source software company announced their operating system would allow the user to opt out of using passwords. They indicated that passwords were difficult to manage (agreed), and many times people forget them or use the same passwords for many accounts (which many people do), so now users will be given the ability to use multi-factor authentication (MFA) to avoid using passwords and instead use some other authentication methods to protect themselves. Sounds great … on the surface.
I already know of people that are using their phones to do MFA. When you log in to some web service for the first time during a login session, a message gets sent to your smartphone to acknowledge that someone is trying to log on to your account and to verify that the person is you.
However, using your smartphone has some issues.
You may not own a smartphone. Many of my friends are (cough) "older" and only have "burner" phones (also known as flip phones) that cannot run applications. Of course, many burners can receive SMS messages and be verified through that. However, MFA using phones puts an extra importance on phones being available all the time. If the phone is unavailable (discharged, lost, stolen), in an area where phones are not allowed (secure areas), or a cell phone signal is not available, then a person might inadvertently be locked out of their accounts.
It is important to know that most of these MFA techniques do not rely on the phone as much as they rely on the International Mobile Subscriber Identity (IMSI) number that is assigned to your SIM card. If your phone breaks down, you can simply take the SIM card out and put it into another phone. If the SIM card is lost, you can report it to the mobile phone company and get a replacement SIM card that will have the same phone number (IMSI) associated. However, it may take some time to get a replacement SIM and put it in a new phone.
Another way of doing MFA is using a type of "key" that is available from various companies. These keys (usually small enough to fit on a keychain) are inserted into the USB port of your laptop or phone and/or use NFC to connect with a device as you try to access your accounts (including your login account). Various operating systems as well as various web browsers and cloud-based applications allow these keys to be part of their MFA. Some of these keys are fairly expensive. While this expense may be easily justified from a business perspective, the average person may not want to pay for two (one to use and one to be kept in a secure place as a backup). Of course, these keys may be lost or stolen like a phone – therefore requiring a backup key or other MFA path.
Other key types are "smart card"-type devices, which use either contact (needs to be inserted or otherwise scanned) or contact-less NFC technology to verify that the user is physically present. Sometimes these cards have storage on them that can hold details such as health or financial information. Typically these cards are associated with a personal identification number (PIN) to help protect them if lost or stolen. Again, these cards and the management of them can be fairly expensive, and the cards can be damaged relatively easily in adverse environments.
My laptop has both a webcam built in and a fingerprint reader. While both facial recognition and fingerprint recognition have security issues by themselves, when you put them together along with the physical access to a particular device (the laptop, for instance), they can create a much more secure system for logging into that device.
All of these methods, and more, can be used for MFA. One of the problems is, will the user use them? And how complex will it become for people to actually access their systems and data?
A recent webinar on "password-less logins" stated: "Join Cybersecurity experts … to discuss why users will be more likely to adhere to security best practices if they are empowered to manage and renew their credentials without your IT team's help."
Right. I remember how much users hated even simple passwords to log in to their systems. The more complicated the system was, the more they needed help. People who need help in adding an application to their smartphone are going to have some issues in setting up MFA to work across their various devices, various websites, and various applications.
FOSSH has the tools (MFA, PAM, SELinux or AppArmor, encryption of filesystems and data, among others) to do this well. It is time to start planning how to use MFA in your community or business.