Solidly-Configured 2FA is Stronger than Poorly-Configured 3FA
2FA is over. Long live 3FA!
I agree with this author that 2FA solutions in their current form of implementation are no longer sufficiently reliable. I would like to take this discussion further by adding the following observations.
Firstly, 3FA should be deployed in a ‘MULTI-LAYER’ formation, not in a ‘Multi-Entrance’ formation; otherwise 3FA would only provide security lower than that of 2FA, as discussed yesterday in “Not just Strong but also Practicable” https://www.linkedin.com/posts/hitoshikokumai_democracy-privacy-ethics-activity-6986582811524694016-ZhxZ
Secondly, the fact that a one-time password lasts only seconds or minutes is just one of its features. More important is that it proves only the authenticity of the device (token/phone) that generates or receives the one-time password. It does not tell in whose hands that device is held.
That is, from the viewpoint of identity authentication, the one-time password belongs to ‘what we possess’, not ‘what we remember’. It would not be wise to remove ‘what we remember’ in order to bring in ‘what we possess’ instead, as discussed in this blog collection — “LOSS of Security Taken for GAIN of Security” https://www.linkedin.com/pulse/loss-security-taken-gain-hitoshi-kokumai/
Our solution to these problems, the ‘2-Channel Expanded Password System’, is presented on page 28 of “Fend Off Cybercrime with Episodic Memory” https://www.slideshare.net/HitoshiKokumai/slide-share-updated-fend-off-cybercrime-with-episodic-memory-29aug2022
What if random one-time numbers or characters are allocated to each image in the matrix shown on a user’s second device? Recognizing the registered images, the user feeds the corresponding numbers or characters into the main device. From that one-time data, the authentication server can tell which images the user is supposed to have registered as the credential.
All that is needed at the user’s end is just a web browser on a second device. With a different set of images for each account, a single phone can readily cope with dozens of accounts without creating a single point of failure. This is not a hypothesis; we actually have a use case of commercial implementation.
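To make the exchange above concrete, here is a small Python sketch of the two-channel flow. It is an added illustration, not code from this post or from the Expanded Password System product; the image identifiers, the registered set for the user "alice", the two-digit codes and the 60-second matrix lifetime are all assumed values chosen for the demonstration. The server assigns a fresh, distinct one-time code to every image in the matrix sent to the second device; the user copies the codes beside the images they remember into the main device; the server maps those codes back to images and compares the result with the registered set. The matrix is single-use, so a replayed set of codes or an expired matrix is rejected, and because the codes change every round, the typed digits by themselves reveal nothing about which images are the credential.

```python
import secrets
import time
from dataclasses import dataclass

# Constructed sample data (not from the original post): twenty image
# identifiers standing in for the pictures of a 4 x 5 matrix, and the four
# of them a hypothetical user "alice" registered as her credential.
GALLERY = [f"img{i:02d}" for i in range(1, 21)]
REGISTERED = {"alice": {"img03", "img07", "img12", "img18"}}
CHALLENGE_TTL_SECONDS = 60.0  # assumed lifetime of one matrix


@dataclass
class Challenge:
    codes: dict        # image id -> one-time code displayed next to that image
    issued_at: float   # when the matrix was generated


class AuthServer:
    """Server side of the two-channel scheme: builds the matrix for the
    second device and checks what the user typed on the main device."""

    def __init__(self, registered):
        self._registered = registered   # username -> set of registered image ids
        self._pending = {}              # username -> outstanding Challenge

    def issue_challenge(self, username, now=None):
        """Return the matrix (image id -> code) that the second device renders."""
        now = time.time() if now is None else now
        # Every image gets a distinct two-digit code drawn from the OS CSPRNG,
        # so a typed code maps back to exactly one image in this round.
        numbers = secrets.SystemRandom().sample(range(100), len(GALLERY))
        codes = {img: f"{n:02d}" for img, n in zip(GALLERY, numbers)}
        self._pending[username] = Challenge(codes, now)
        return dict(codes)

    def verify(self, username, entered_codes, now=None):
        """Map the typed codes back to images and compare with the registered set."""
        now = time.time() if now is None else now
        # pop() makes the matrix single-use: replaying codes from an earlier
        # round finds no pending challenge and is rejected.
        challenge = self._pending.pop(username, None)
        if challenge is None:
            return False
        if now - challenge.issued_at > CHALLENGE_TTL_SECONDS:
            return False
        code_to_image = {code: img for img, code in challenge.codes.items()}
        # Entry order does not matter; a code that is not on the matrix maps
        # to None and can therefore never complete the registered set.
        recognised = {code_to_image.get(c) for c in entered_codes}
        return recognised == self._registered.get(username, set())


def user_enters(matrix, remembered_images):
    """Client side: the user recognises their images on the second device and
    copies the codes shown beside them into the main device."""
    return [matrix[img] for img in remembered_images]


def login_round(server, username, remembered_images, now):
    """One complete round: issue matrix, user responds, server verifies."""
    matrix = server.issue_challenge(username, now)
    codes = user_enters(matrix, remembered_images)
    return server.verify(username, codes, now)


if __name__ == "__main__":
    srv = AuthServer(REGISTERED)
    print("correct images :", login_round(srv, "alice", REGISTERED["alice"], 1000.0))
    print("wrong images   :", login_round(srv, "alice", {"img01", "img02"}, 2000.0))
```

The possession factor is the second device that receives the matrix and the knowledge factor is the set of images the user recognises; the round only succeeds when both are present, which is the multi-layer arrangement the post argues for.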
Well, this solid 2FA solution was announced in 2007 and commercially implemented in 2012, which shows that we had anticipated the issues this author has picked up and had acted on them 15 years ago.
Digital identity blogs collected at https://www.linkedin.com/pulse/collection-digital-identity-comments-hitoshi-kokumai-posted-kokumai/