Podcast

Root Causes 484: Multi Good Factor Authentication

Hosted by: Tim Callan, Chief Compliance Officer
Original broadcast date: April 9, 2025

We define multi good factor authentication, which is the idea that not all authentication factors are equal. We discuss the importance of considering authentication strength and the contextual nature of trust.

Podcast Transcript

Lightly edited for flow and brevity.
Tim Callan: Jason, we're here for Toronto Session Season 3. And in Season 2, we coined a term, which was multi good factor authentication.
Jason Soroko: Yes. Every one of these seasons I like to throw in a multi-factor authentication episode.
Tim Callan: Absolutely. So it's a laughing point, and say how awful it is.
Jason Soroko: Everybody, if you don't know my take on multi-factor authentication, go back to Season 2 and have a listen. And one of the points was the whole issue of something you have, something you are. To me, that model needs to go away, and the reason is because of the equivalency fallacy. Not all MFA are created equal.
Tim Callan: We wind up counting the factors with no consideration of the strength of those factors.
Jason Soroko: So something - and you're the one who said it - and when I was rewatching that episode, I was like, I think Season 3, we need to re-bring up - because it was a castaway term that you used, and I was like, that's too good to ignore. Instead of just saying multi-factor authentication, what you should be aspiring to is multi good factor authentication.
Tim Callan: Because there are good factors.
Jason Soroko: There are strong factors. Much stronger than some others. If we're going to say something like something you are, something you have, something you're guessing at, something whatever, and that model should go away, what should be your new model? And your new model should be, I want to use multi good factor authentication.
Tim Callan: So for instance, if you need to connect with a device that has an expected certificate, that is a good factor. And so that should be okay.
Jason Soroko: Let's talk about what makes good. I think top of the list is usability. Because if it's not friendly and easy to use, people aren't going to use it, or they'll complain, or they'll bypass it or something. And that also means the ability to be flexible in terms of, oh, I lost my phone. If you're using an out-of-band factor, then you'd better be able to deal with what happens if that other factor gets lost.
Tim Callan: I'm on a phone call. I'm talking to this person. I've gotta look up something in my email. I try to open my email on my phone because I'm on the street, and it wants to call my phone, but I'm on the phone. Or I run out of battery.
Jason Soroko: It's just unavailable. Even employees come and go. Sometimes there's M&A in a company, and therefore, if it's not easy to deal with those real-world cases, real scenarios, then that's not a good factor. So a good factor can handle all that and delivers usability. It turns out, as complex as certificates are, Tim, there's nothing easier than walking into your workspace and having your phone automatically authenticate to a Wi-Fi access point with a certificate. It's the best usability there is. There's nothing.
Tim Callan: I open my laptop up and my laptop is MFAing me, invisibly to me.
Jason Soroko: Isn't it great that the strongest factors end up being the most usable?
Tim Callan: I think usability is a great one. But then you've also got the other word in there too, which is strength. Reliably, actually authenticating and protecting from deliberate or accidental false positives.
Jason Soroko: There's an old term that I've stopped using, but it's the Cadillac of authentication methods. I've got to come up with something better than that, but it is the alpha dog of authentication methods. Period. In terms of strength. There really is nothing better. You and I have talked about biometrics. They're not a secret. So this is the third category. Make sure, as part of strength, you're using a factor which is a proper secret. Therefore OTP, one-time passcodes, they're a shared secret. They're a weak secret.
Tim Callan: Yes. They are for sure. They're a weaker secret than a biometric, in my opinion.
Jason Soroko: Precisely. Your eye is not a secret. Your fingerprints are not a secret.
Tim Callan: But it's harder to get. So, yes, my fingerprint is not a secret. However, ain't no script kiddie in Vietnam gonna be stealing my fingerprints, but an OTP, maybe not the case.
Jason Soroko: Well, a bribed bartender will get your fingerprint.
Tim Callan: Oh, absolutely. I think this is an important thing that's part of it too, is, to a small degree, I mean, what these things are saying, I think at a macro level, absolutely are applicable. To a small degree, I do think they're situational.
Jason Soroko: Let's remind everybody - we say this on every MFA episode - any MFA is better than nothing.
Tim Callan: If I am employed at a high-value target and an advanced persistent threat might be interested in that target, then you bet someone might lift a glass. It doesn't even have to be a bribed bartender. They could just be sitting next to me. Someone might lift a glass to get my fingerprint for sure. If I'm just me at home and somebody wants to get into my savings account and get my paltry little few $1,000 in my savings account, nobody's gonna be doing that. So it kind of depends on what you're protecting.
Jason Soroko: Which is why I am a big believer in biometrics for PIN replacements. That's the perfect usage for it. I'm not saying don't use it. You're saying use it appropriately, and I totally agree.
Tim Callan: I agree. Absolutely. I think in this world, rules of thumb are extremely helpful, and we should codify them and bear them in mind. I think we should also understand that they are rules of thumb, and there can be circumstances where we need to reconsider.
Jason Soroko: That's it. One of the rules of thumb that we're trying to deal with on this podcast is that, if I have any MFA, I'm good to go, and that's not the truth. What you just said is the critical message of this podcast. Think. When you're employing your MFA. That's why we're trying to make you think, what's good? What's multi good factor authentication? So here's one more, Tim. Let's talk about assuming that your endpoint is compromised. You should still have multi good factor authentication. Therefore, what makes a good factor is one that is not going to be hampered by, or is not as affected by, a compromised endpoint. Therefore, out of band. Out-of-band factors are how you deal with that. I remember back in the day, we're talking like the 2010 to 2015 era, where people thought I was completely insane. People who should have known better thought I was completely insane for saying, I think smartphones are going to end up being one of the strongest factors. You could put a certificate on a phone. You can put it in a secure element. Remember, secure elements weren't even that available back then, and people said, oh well, phones can just be completely compromised. Therefore, the thinking back then was that the laptop was stronger than the phone from a security standpoint, and I knew that was going to be wrong in the future. And boy, oh boy, okay, sometimes I'll toot my horn. I was right to say that not all MFA are created equal, and the best MFAs are the ones that are certificate based, using out of band on a phone. That turned out to be true. There's something that's interesting here in that there are some fallacies of thought that people still have to this day - there are some people who think my work laptop is more secure than my phone, from the standpoint of holding a secret, and it's just that everything now has secure elements, and it's the secure elements - don't point at the device itself. It's the secure elements on the device that have changed. Therefore, you have to rethink where your secrets are being stored. So it's not just the strength of the secret, it's the strength of where the secret is stored.
Tim Callan: So in all fairness, in that regard, your laptop has gotten better?
Jason Soroko: It has. There was a period of time where that was not true. Windows 11.
Tim Callan: Probably a lot of those, many of those, still out there.
Jason Soroko: Remember, Windows 11 forced it. That's fairly recent. So, yes, we've entered a new era where everything's way more secure in terms of storing that critical secret. So that, to me, Tim, it's a short list, but that is the list of good in terms of good factors for multi good factor authentication.
Tim Callan: That's good, and I think that's a good way to consider it.
Jason Soroko: I think, Tim, in the future we're going to talk about how secure elements change the game. But not only that, a lot of people might think, well, what happens if I'm now using my phone to do critical authentication itself, without my laptop? Well, is that really, truly out of band? Am I trusting the endpoint being the phone? If I'm trusting the secret and the endpoint being in the same place, using that form factor on a smartphone, is that problematic? What I would say is secure elements changed that game. In other words, the user zone where you're doing the authenticating is separate from where the secret is stored, sufficiently that the bad guy can't really take advantage of the fact that the secret is adjacent to the authenticating. That was some cognitive dissonance people had. They simply didn't understand the way things worked.
