
Beyond MFA: Rethinking the Authentication Key
2021-05-13 15:39

Physical security keys introduce a new twist to 2FA. Instead of using a code delivered to your phone, the hardware-based key is a dongle you insert into your company laptop or other registered access device.

The private key remains on the device, while the public key is sent to the site with which it is registered.

Finally, there's the human factor: who hasn't ever lost or misplaced their keys? In that event, the lost authentication key's registration would need to be revoked and a replacement ordered.

The strong authentication actions operate between the key and the relying party (RP), with the browser passing messages along and adding context.

This innovation allows the smartphone to be "paired" with the browser over this channel just as a physical key is "paired" with the browser over USB. The result is a phish-proof solution using the smartphone as the key.

Deployed correctly, an authentication strategy that replaces hardware keys with a smartphone-based approach using the FIDO2 standard can eliminate the risk posed by MFA-bypass techniques, without compromising on convenience.

News URL

https://threatpost.com/mfa-rethinking-authentication-key/166136/