Interesting read from Avery…

Multi-factor authentication remains hard to use, hard to secure, and error-prone. I’ve been studying authentication lately to see if it might be possible to adapt some security practices, especially phishing prevention, from big companies to small companies and consumers.

Here’s what I have so far.

What he’s really studying is the viability of second factors; the real issue is enrolling new users.

So here’s the catch. The whole multi-factor authentication thing is almost completely solved at this point. Virtually everybody has a phone already (anyway, more people have phones than computers), and any phone can store a secret key - it’s just a number, after all - even if it doesn’t have secure element hardware. (The secure element helps against certain kinds of malware attacks, but factor #2 authentication is still a huge benefit even with no secure element.)

The secret key on your phone can be protected with a PIN, or biometric, or both, so even if someone steals your phone, they can’t immediately pretend to be you.

And, assuming your phone was not a victim of a supply chain attack, you have a safe and reliable way to tell your phone not to authorize anybody unless they have your PIN or biometric: you just need to be the person who initially configures the phone. Nice! Passwords are obsolete! Your phone is all three authentication factors in one!

All true!

But… how does a random Internet service know your phone’s key is the key that identifies you? Who are you, anyway?

The thing about a previously-enrolled private key is you have to… previously… enroll it… of course. Which is a really effective way of triggering Inception memes. Just log into the web site, and tell it to trust… oh, rats.
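The flow sketched above (a PIN-gated key on the phone, a service that checks a fresh challenge against an enrolled key) and the catch it ends on, as an added Go example that is not from Avery’s post or this blog: Login can only succeed against a key the service already has on file, and Enroll itself needs some earlier-established trust, which the hypothetical sessionTrusted flag stands in for. Phone, Service and every name below are assumptions for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"errors"
)

// Phone holds the device's private key; Sign only answers with the right PIN (hypothetical model).
type Phone struct {
	priv ed25519.PrivateKey
	pin  string
}

func NewPhone(pin string) *Phone {
	_, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Phone{priv: priv, pin: pin}
}
func (p *Phone) PublicKey() ed25519.PublicKey { return p.priv.Public().(ed25519.PublicKey) }
func (p *Phone) Sign(pin string, challenge []byte) ([]byte, error) {
	if subtle.ConstantTimeCompare([]byte(pin), []byte(p.pin)) != 1 {
		return nil, errors.New("wrong PIN")
	}
	return ed25519.Sign(p.priv, challenge), nil
}

// Service remembers which public key each user enrolled, and nothing else.
type Service struct{ enrolled map[string]ed25519.PublicKey }
func NewService() *Service { return &Service{enrolled: map[string]ed25519.PublicKey{}} }

// Enroll is the bootstrap step: it only runs inside a session the service
// already trusts (sessionTrusted is an assumed stand-in for that earlier login).
func (s *Service) Enroll(user string, pub ed25519.PublicKey, sessionTrusted bool) error {
	if !sessionTrusted {
		return errors.New("untrusted session: cannot tell whose key this is")
	}
	s.enrolled[user] = pub
	return nil
}

// Challenge is fresh per login attempt so a captured signature cannot be replayed.
func (s *Service) Challenge() []byte { c := make([]byte, 32); rand.Read(c); return c }

// Login succeeds only with a signature from the key enrolled for that user.
func (s *Service) Login(user string, challenge, sig []byte) bool {
	pub, ok := s.enrolled[user]
	return ok && ed25519.Verify(pub, challenge, sig)
}
```

A correctly signed challenge from a phone nobody has enrolled verifies fine as a signature but authenticates no one, which is exactly the "who are you, anyway?" gap.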