Root Causes 484: Multi Good Factor Authentication
We define multi good factor authentication, which is the idea that not all authentication factors are equal. We discuss the importance of considering authentication strength and the contextual nature of trust.
- Original Broadcast Date: April 9, 2025
Episode Transcript
Lightly edited for flow and brevity.
-
Tim Callan
Jason, we're here for Toronto Session Season 3. And in Season 2, we coined a term which was multi good factor authentication.
-
Jason Soroko
Yes. Every one of these seasons I like to throw in a multi-factor authentication episode.
-
Tim Callan
Absolutely. So it's a laughing point, to say how awful it is.
-
Jason Soroko
Everybody, if you don't know my take on multi-factor authentication, go back to Season 2 and have a listen. And one of the points was the whole issue of something you have, something you are. To me, that model needs to go away, and the reason is because of the equivalency fallacy. Not all MFA are created equal.
-
Tim Callan
We wind up counting the factors with no consideration of the strength of those factors.
-
Jason Soroko
So something - and you're the one who said it - when I was rewatching that episode, I was like, I think in Season 3 we need to bring this up again, because it was a throwaway term that you used, and I was like, that's too good to ignore. Instead of just saying multi-factor authentication, what you should be aspiring to is multi good factor authentication.
-
Tim Callan
Because there are good factors.
-
Jason Soroko
There are strong factors. Much stronger than some others. If we're going to say something like something you are, something you have, something you're guessing at, something whatever, and that model should go away, what should be your new model? And your new model should be, I want to use multi good factor authentication.
-
Tim Callan
So for instance, if you need to connect with a device that has an expected certificate, that is a good factor. And so that should be okay.
-
Jason Soroko
Let's talk about what makes good. I think top of the list – usability. Because if it's not friendly and easy to use, people aren't going to use it, or they'll complain, or they'll bypass it or something. And that also means the ability to be flexible in terms of, oh, I lost my phone. If you're using an out of band factor then you'd better be able to deal with what happens if that other factor gets lost.
-
Tim Callan
I'm on a phone call. I'm talking to this person. I've gotta look up something in my email. I try to open my email on my phone because I'm on the street, and it wants to call my phone, but I'm on the phone. Or I run out of battery.
-
Jason Soroko
It’s just unavailable. Even employees come and go. Sometimes there's M&A in a company, and therefore, if it's not easy to deal with those real-world cases, real scenarios, then that's not a good factor. So a good factor can handle all that and delivers usability. It turns out, as complex as certificates are, Tim, there's nothing easier than walking into your workspace and having your phone automatically authenticate to a Wi-Fi access point with a certificate. It's the best usability there is. There's nothing.
-
Tim Callan
I open my laptop up and my laptop is MFAing me, invisibly to me.
-
Jason Soroko
Isn't it great that the strongest factors end up being the most usable?
-
Tim Callan
I think usability is a great one. But then you also got the other word in there too, which is strength. Reliably, actually authenticating and protecting from deliberate or accidental false positives.
-
Jason Soroko
There's an old term that I've stopped using, but it's the Cadillac of authentication methods. I've got to come up with something better than that, but it is the alpha dog of authentication methods. Period. In terms of strength. There really is nothing better. You and I have talked about biometrics. They're not a secret. So this is the third category. Make sure as part of strength you're using a factor which is a proper secret. Therefore OTP, one-time passcodes, they're a shared secret. They're a weak secret.
-
Tim Callan
Yes. They are for sure. They’re a weaker secret than a biometric, in my opinion.
-
Jason Soroko
Precisely. Your eye is not a secret. Your fingerprints are not a secret.
-
Tim Callan
But it's harder to get. So, yes, my fingerprint is not a secret. However, ain't no script kiddie in Vietnam gonna be stealing my fingerprints, but an OTP, maybe not the case.
-
Jason Soroko
Well, a bribed bartender will get your fingerprint.
-
Tim Callan
Oh, absolutely. I think this is an important thing that's part of it too. To a small degree - I mean, what these things are saying, I think at a macro level, is absolutely applicable - but to a small degree, I do think they're situational.
-
Jason Soroko
Let's remind everybody - we say this on every MFA episode - any MFA is better than nothing.
-
Tim Callan
If I am employed at a high value target and an advanced persistent threat might be interested in that target, then you bet someone might lift a glass. It doesn't even have to be a bribed bartender. They could just be sitting next to me. Someone might lift a glass to get my fingerprint for sure. If I'm just me at home and somebody wants to get into my savings account and get my paltry little few $1,000 in my savings account, nobody's gonna be doing that. So it kind of depends on what you're protecting.
-
Jason Soroko
Which is why I am a big believer in biometrics for PIN replacements. That's the perfect usage for it. I'm not saying don't use it. You're saying use it appropriately, and I totally agree.
-
Tim Callan
I agree. Absolutely. I think in this world, rules of thumb are extremely helpful, and we should codify them and bear them in mind. I think we should also understand that they are rules of thumb, and there can be circumstances where we need to reconsider.
-
Jason Soroko
That’s it. One of the rules of thumb that we're trying to deal with on this podcast is that, if I have any MFA, I'm good to go, and that's not the truth. What you just said is the critical message of this podcast. Think. When you're employing your MFA. That's why we're trying to make you think: what's good? What's multi good factor authentication?

So here's one more, Tim. Let's talk about assuming that your endpoint is compromised. You should still have multi good factor authentication. Therefore, what makes a good factor is one that is not going to be hampered by, or is not as affected by, a compromised endpoint. Therefore, out of band. Out-of-band factors are how you deal with that.

I remember back in the day, we're talking like the 2010 to 2015 era, where people thought I was completely insane. People who should have known better thought I was completely insane for saying, I think smartphones are going to end up being one of the strongest factors. You could put a certificate on a phone. You can put it in a secure element. Remember, secure elements weren't even that available back then, and people said, oh well, phones can just be completely compromised. Therefore, the thinking back then was that the laptop was stronger than the phone from a security standpoint, and I knew that was going to be wrong in the future. And boy, oh boy, okay, sometimes I'll toot my horn. I was right to say that not all MFA are created equal, and the best MFAs are the ones that are certificate-based, using out of band on a phone. That turned out to be true.

There's something that's interesting here, in that there are some fallacies of thought that people still hold to this day. There are some people who think my work laptop is more secure than my phone, from the standpoint of holding a secret, and it's just - everything now has secure elements, and it's the secure elements - don't point at the device itself. It's the secure elements on the device that have changed. Therefore, you have to rethink where your secrets are being stored. So it's not just the strength of the secret, it's the strength of where the secret is stored.
-
Tim Callan
So in all fairness, in that regard, your laptop has gotten better?
-
Jason Soroko
It has. There was a period of time where that was not true. Windows 11.
-
Tim Callan
Probably a lot of those, many of those still out there.
-
Jason Soroko
Remember, Windows 11 forced it. That's fairly recent. So, yes, we've entered a new era where everything's way more secure in terms of storing that critical secret. So that to me, Tim, it's a short list, but that is the list of good, in terms of good factors for multi good factor authentication.
-
Tim Callan
That’s good, and I think that's a good way to consider it.
-
Jason Soroko
I think, Tim, in the future we're going to talk about how secure elements change the game. But not only that, a lot of people might think, well, what happens if I'm now using my phone to do the critical authentication itself, without my laptop? Well, is that really, truly out of band? Am I trusting the endpoint, being the phone? If I'm trusting the secret and the endpoint being in the same place, is using that form factor on a smartphone problematic? What I would say is, secure elements changed that game. In other words, the user zone where you're doing the authenticating is separate from where the secret is stored, sufficiently that the bad guy can't really take advantage of the fact that the secret is adjacent to the authenticating. That was some cognitive dissonance people had. They simply didn't understand the way things worked.