Podcast
Root Causes 470: The MFA False Equivalency Fallacy
Hosted by
Tim Callan
Chief Compliance Officer
Jason Soroko
Fellow
Original broadcast date
February 19, 2025
Not all forms of MFA are equally secure. In this episode, we describe the differences between the more secure and less secure forms of MFA.
Podcast Transcript
Lightly edited for flow and brevity.
Tim CallanJason, let me start you off with a phrase - MFA, the false equivalency fallacy.
Jason SorokoSo you and I, in the history of this podcast, we're getting up to what 450 right at this point in time, and we've done probably a dozen or more multi-factor authentication podcasts. I wanted to use this Toronto sessions atmosphere, this ability for us to really talk through some of these meaty issues sitting right beside each other. And I remember writing a blog. My face was the picture right beside the article. The title of it was Not All MFA Are Created Equal. I see it in technical journalism. I see it in blogs. I see it all over the place, and it's still used in a serious way. I can't tell if people are being ironic.
Tim CallanProbably not in technical journalism, no, but, but go on.Jason SorokoMy hope is that it was ironic, but I don't think it is. So here it is, Tim. Something you have, something you know, something you are.Tim CallanWe’ve all heard that a million times.Jason SorokoFactors of authentication. If you layer them together, it's apparently a good thing, I mean it’s the basic idea behind it. And the problem is this. I think that grew out of an age where it's kind of all you had was a hard token, a soft token, a knowledge base. What was your childhood dog's name and all those really strong pieces of authentication. We did a podcast on that. Your fingerprints, your voice. If you thought it wasn't a secret before, it's even less of a secret now with deep fakes and everything else. So something you have, something you know, something you are. What the heck does that mean? Is it worth a damn? I'm gonna make the argument that I don't think you have to completely, wholesale chuck that idea out the door, but I think you need to put it in its place because of something that I like to call the false equivalence fallacy. In other words, if you didn't listen to me 14 years - -Tim CallanFalse equivalence fallacy. So there's a fallacy, and it's that we are seeing an equivalence where there isn't one. Which is?Jason SorokoWhich is this. Not all MFA are created equal. So, if you didn't listen to me 14 years ago, listen to me now, and I'll call it something fancier. It's this. SMS is deprecated. NIST deprecated it. And yet, something you know, something you have, something you are, if you're using that as your model, it's, factor.Tim CallanSomething you have.Jason SorokoTherefore it apparently has value if you layer it with some other pile of junk.Tim CallanSo I mean, so multifactor authentication. It's MFA. It’s not MGFA, which is multi good factor authentication.Jason SorokoSo what is a category of good and a category of bad? Because I like to just slice something you know, something you have, something you are. The reason why you can't completely throw it out is because there are some good things you have and know and are. There are some good ones.Tim CallanIf I have a certificate on a device and then I am providing a pin that only I know - -Jason SorokoAnd that cert is in an enclave - -Tim CallanThat is a very secure setup.Jason SorokoThat's something you have.Tim CallanSomething you have and something you know.Jason SorokoIt is something you have combined with something you know really, really well to make for a strong authentication mechanism. But it did not follow simply something you have, something you know, something you are.Tim CallanBut where I went to high school, it's just something I know.Jason SorokoIt’s not a secret.Tim CallanIt’s clear, that would still be something I know and something I have.Jason SorokoYou and I just did a podcast on the Salt Typhoon and the fact that you can't trust cellular data networks anymore, and that's continuing. Well, that makes this whole something you have, something you know, it's about the quality of the secret, Tim. And so therefore you can't use that model anymore. You have to start thinking about high quality secrets and not high quality secrets. In other words, not all MFA are created equal. Because if you combine SMS multifactor authentication with a password and a knowledge-based question, guess what? Not a high quality secret. A deprecated secret combined with something that's not a secret at all. Something you have, something you know, something, something that's obliterated, and all the bad guys know. I use sarcasm too much. It's probably a coping mechanism from years and years of stress of dealing with all you people.Tim CallanAs he looks at me. Yes.Jason SorokoActually, you're one of the good people, Tim. So think about this for a moment. I'm going to make one last argument about the weaker secrets, the only place that it actually really makes sense to me, and there probably are others. So this is not a non-exhaustive list. I would say that for the purposes of really limited networks, really limited resourced computing systems where encryption for data at rest is necessary and the shared secret is extremely controlled and doesn't really go anywhere. Encryption schemes are often using symmetric tokens. A shared secret. That might be a very appropriate use. So for those of you who are encrypting that way, and you really, really control what is accessing and what can access those shared secrets, you're probably doing an appropriate usage of a shared secret. Therefore, there are appropriate uses of it, but most of the ways that you are using it, especially for MSA MFA, are not appropriate in 2024 and beyond.So let's really, really name the stronger secrets. Shared secrets in extremely limited use. We'll let those ride. Your strongest secrets, though, are going to be your not shared secrets, also known as asymmetric secrets. Which is why you brought up certificates.
Tim CallanThat’s PKI.Jason SorokoPKI. PKI, by a bunch different names. If you are wanting a category of strong versus weak, I don't think we need to go any further than that. It is symmetric.Tim CallanAnd everything else is weak.Jason SorokoSymmetric versus asymmetric. And if you're going to use symmetric, know why you're using it, know how you're using it. Everything else symmetric, you still have worries. You still have to be worried about your asymmetric secrets, because you're storing a certificate in software that might not be very secure, but if you're storing it in a secure element, some sort of an enclave, my goodness, that's about the state of the art right now.I've been asked many, many times, Jay, if you're going to put locks on the doors, what would you choose? In today's age, what I would choose is out of band. In other words, don't trust your endpoint. Something where the key generation was extremely controlled, and the private key is in an enclave. The ability to access the endpoint to do the out of band authentication is protected by some sort of a - -
Tim CallanSo, can I rely on there being an enclave in my end user device?Jason SorokoIn the past, the answer was no. You needed to have an IT department who was helping.Tim CallanI think that’s pretty good, right? Because I'm going to get into my current version of Windows or Mac OS. I'm going to get it in my current version of Android or iOS. Between that we're covering almost all of the devices we're talking about.Jason SorokoI'll tell you what. For those of you who don't work in enterprise environments, a lot of your first actual touching usage of an asymmetric secret for the purposes of authentication, you probably have all sorts of asymmetric secrets in your pocket right now that are just happening ubiquitously to encrypt data in transit. We're talking about authentication here. And if you're using pass keys, you're using an asymmetric secret. Now we've had a podcast talking about there is a weakness because there's a session token sitting underneath that that’s part of the implementation, and it might end up being the fatal flaw. I hope it won't. It probably won't. Let's pray it isn't. People will figure it out. The ecosystem will come together and solve that problem. So how to protect that session token. Again, symmetric secrets have to be highly controlled. I don't think they're controlled enough right now for WebAuthn and passkeys. That's just the truth. I don't think I'm the only person who says that. It's just I'm the person who's annoyingly enough bringing it up every once in a while.
I think, though, that for those of you who are in enterprise environments and you're facing this world of Crypto Wars 3.0, something you and I just were talking about, where if you thought you had to be paranoid before you got to be really paranoid now in this new world, and I think that putting good locks on the doors is something you all need to be doing, and that's the reason for this podcast. It's a call to arms to let go of things that don't work anymore.
Something you have, something you know, something you are, doesn't take into – alone - does not take into account the quality of the secrets underlying.
Tim CallanSo the something you have, something you know, something you are model can still be useful, so long as you put some kind of minimum bar on the somethings.Jason SorokoYou know that that's exactly what I wrote 14 years ago. But nobody's doing it. And that's what we're asking you to do is consider the fact that not all MFA are created equal. That's it, Tim.Stay informed with expert insights
Subscribe to Root Causes for engaging discussions on PKI, digital security, and best practices for protecting your organization's critical assets. Don’t miss an episode!
