Multi-Factor Authentication (MFA) - Coggle Diagram
Multi-Factor Authentication (MFA)
MFA Technologies and Implementations
Time-Based One-Time Password (TOTP)
Algorithm and Working
HMAC-based generation
Time synchronization
30-second time step (RFC 6238 default); verifiers usually tolerate one step of clock drift either side
RFC 6238 standard
Applications
Google Authenticator
Microsoft Authenticator
Authy
FreeOTP
SMS-Based Authentication
Mechanism
OTP delivery via text message
Mobile number verification
Short-lived, single-use code bound to the login attempt
Security Concerns
SIM swapping attacks
SS7 protocol vulnerabilities
Interception risks
Rated RESTRICTED (PSTN out-of-band) in NIST SP 800-63B: use must be risk-justified and an alternative authenticator offered
Hardware Tokens
Types
USB security keys (YubiKey)
Smart cards
Disconnected tokens
Connected tokens
Standards
FIDO Universal 2nd Factor (U2F)
FIDO2/WebAuthn
PKI-based authentication
Biometric Authentication
Fingerprint Recognition
Capacitive sensors
Optical sensors
Minutiae-based matching
Template storage security
Facial Recognition
2D vs 3D recognition
Liveness detection
Deep learning models
Apple Face ID technology
Iris and Retina Scanning
High accuracy rates
Unique pattern recognition
Enterprise applications
Behavioral Biometrics
Keystroke dynamics
Gait analysis
Mouse movement patterns
Continuous authentication
Push Notifications
Mobile app-based approval
Context-aware authentication
Real-time verification
Examples: Duo Push, Microsoft Authenticator
Location-Based Authentication
GPS verification
IP address validation
Geofencing
Contextual access control
Implementation Standards and Protocols
5.1 NIST Guidelines
NIST SP 800-63B
Authenticator assurance levels
Memorized secret requirements
Out-of-band authenticators
Biometric guidelines
5.2 FIDO Alliance Standards
FIDO U2F (Universal 2nd Factor)
Public key cryptography
Hardware-based authentication
FIDO2 (WebAuthn + CTAP)
Passwordless authentication
Platform authenticators
Roaming authenticators
5.3 OAuth 2.0 and OpenID Connect
Authorization framework
Bearer tokens (OAuth 2.0 authorizes; OpenID Connect's ID token is what actually authenticates)
Federated identity management
Single Sign-On (SSO) integration
5.4 SAML (Security Assertion Markup Language)
XML-based authentication
Enterprise SSO
Identity Provider (IdP) trust
Cryptographic Foundations
3.1 Hash Functions in MFA
SHA-256, SHA-3 (HMAC-SHA1 remains the common default in HOTP/TOTP, where the hash serves as a PRF, not for collision resistance)
HMAC (Hash-based Message Authentication Code)
Password hashing (bcrypt, Argon2)
Salt and pepper techniques
3.2 Public Key Cryptography
RSA in authentication
Elliptic Curve Cryptography (ECC)
Digital signatures
Certificate-based authentication
3.3 Challenge-Response and Federation Protocols
CHAP (Challenge Handshake Authentication Protocol; MD5-based, legacy)
Kerberos authentication (ticket-based; pre-authentication with an encrypted timestamp)
OAuth 2.0 framework (redirect and token flows for authorization, not a challenge-response protocol)
OpenID Connect (identity layer on OAuth 2.0; signed ID token carries the authentication result)
3.4 Token Generation Algorithms
HOTP (HMAC-based OTP) - RFC 4226
TOTP (Time-based OTP) - RFC 6238
Seed value management
Counter synchronization
Fundamentals of Authentication
Authentication Factors
Knowledge Factors (Something You Know)
Passwords
Passphrases
PINs
Possession Factors (Something You Have)
Hardware tokens
Smart cards
Mobile devices
Inherence Factors (Something You Are)
Fingerprint recognition
Facial recognition
Iris scanning
Voice recognition
Behavioral biometrics
Definition and Purpose
Security layer beyond passwords
Reduces unauthorized access risk
Access control mechanism
Identity verification process
Single-Factor vs Multi-Factor
Single-Factor Authentication (SFA) vulnerabilities
Multi-Factor Authentication advantages
Defense-in-depth principle
Layered security approach
Security Threats and Vulnerabilities
4.1 Social Engineering Attacks
Phishing for MFA Codes
Real-time phishing
Man-in-the-middle proxies
Evilginx-style reverse-proxy phishing (relays the real login page and captures the post-MFA session cookie)
Vishing (Voice Phishing)
Phone-based manipulation
Help desk impersonation
MFA Fatigue Attacks
Push notification bombing
User annoyance exploitation
Acceptance under pressure (number matching in the push prompt and per-user throttling blunt this)
4.2 Technical Attacks
Session Hijacking
Cookie theft
Token replay attacks
Session fixation
Man-in-the-Middle (MitM)
Proxy-based interception
SSL stripping
ARP spoofing
SIM Swapping
Mobile number porting
Social engineering carriers
SMS OTP interception
Brute Force Attacks
OTP guessing (a 6-digit code has only 10^6 values; unthrottled verification endpoints make online guessing practical)
Weak token generation (predictable seeds or RNG)
Time window exploitation (each extra accepted step widens the target; keep windows narrow and rate-limit attempts)
4.3 Biometric Spoofing
Fingerprint replication (gummy fingers)
Facial recognition bypass (photos, masks)
Deepfake technology threats
Liveness detection evasion
4.4 Malware-Based Attacks
Keyloggers
Screen capture trojans
Mobile malware (Trojan.AndroidOS.Brata)
Banking trojans with overlay attacks
4.5 Bypass Techniques
Account recovery exploitation
Backup codes theft
Administrator privilege abuse
Legacy authentication protocols (e.g., basic auth for IMAP/POP3/SMTP) that bypass MFA policy unless explicitly blocked