IBM Verify

  • 1.  MMFA Secret as offline Letter

    Posted Tue July 26, 2022 04:32 AM
    Hello community,

    The process of receiving the secret for MMFA is accessing it online with a softer credential (e.g. user/password). From the perspective of security, the secret rollout is one of the major issues in terms of strength. What is needed here is a process of issuing the secret offline via letter or in person to make sure the recipient is the one we want to address. We've done that for TOTP secrets so far, but I'm not sure whether it works for the MMFA secret in the same way. TOTP works without any communication between the authenticator and the server, while using MMFA includes some communication between the app and the server.

    Any hints or confirmation that we can use it in the same way?

    Thanks,
    Jens

    ------------------------------
    Jens Petersen
    ------------------------------


  • 2.  RE: MMFA Secret as offline Letter

    Posted Wed July 27, 2022 02:55 AM
    Hi Jens,

    Yes, you can implement an MMFA solution with offline letters.
    When you are talking about MMFA you seem to have in mind the IBM app, which uses OAuth under the hood. But that is not the only way of working. You could also implement an MMFA solution which uses TOTP.
    You have to keep in mind that with TOTP you exchange the seed for the TOTP algorithm, which does not change over time. If someone has a copy of this initial communication, they can generate the same TOTP codes as you.
    OAuth, in contrast, uses an authorization code which is only temporary, to exchange for access and refresh tokens. So after this initial exchange has been done the authorization code is no longer valid.
    This initial exchange of the authorization code can also be done via postal letter. In that case you just have to set the validity period of the authorization code long enough for the letter to arrive. So we are talking days and not the 300 seconds which is the default on ISVA. But it will still be more secure than TOTP, as the authorization code will be invalidated after the initial exchange of AT and RT.
    The great advantage of TOTP is that it is not dependent on a network connection (phone or internet). But you have to enter the code manually in your application where you want to log in. If you want the user to be able to confirm the login with the push of a button you will always need a network connection so an OAuth based solution is better.

    Kind regards,

    Laurent

    ------------------------------
    Laurent LA Asselborn
    ------------------------------
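    As an added illustration of the point Laurent makes above (example code written for this thread, not IBM's or ISVA's implementation): a TOTP code is a pure function of the static seed and the clock, whereas an authorization code held in a hypothetical single-use store stays redeemable exactly once, so even a validity of days for a postal letter leaves nothing reusable after the first AT/RT exchange. AuthCodeStore, letter_rollout and the user name "jens" are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import struct


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1). Only the static seed and the clock go in, so
    anyone holding a copy of the seed computes the same code, indefinitely."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class AuthCodeStore:
    """Hypothetical server-side store of single-use authorization codes.
    validity_s stands in for the ISVA lifetime setting (300 s by default)."""
    def __init__(self, validity_s: int) -> None:
        self.validity_s = validity_s
        self._pending = {}  # code -> (issued_at, user)

    def issue(self, user: str, now: int) -> str:
        code = secrets.token_urlsafe(32)  # high-entropy, unguessable
        self._pending[code] = (now, user)
        return code

    def exchange(self, code: str, now: int):
        """Redeem a code for AT/RT. pop() removes it, so a replay finds nothing."""
        entry = self._pending.pop(code, None)
        if entry is None:
            return None  # unknown, or already redeemed once
        issued_at, user = entry
        if now - issued_at > self.validity_s:
            return None  # expired: the letter took too long
        return {"user": user,
                "access_token": secrets.token_urlsafe(32),
                "refresh_token": secrets.token_urlsafe(32)}


def letter_rollout(validity_days: int, arrives_day: int) -> tuple:
    """Issue a code for a postal letter, redeem it on arrival, then try a replay.
    Returns (first_exchange_ok, replay_ok)."""
    day = 86400
    store = AuthCodeStore(validity_s=validity_days * day)
    code = store.issue("jens", now=0)  # constructed sample user
    first = store.exchange(code, now=arrives_day * day)
    replay = store.exchange(code, now=arrives_day * day + 60)
    return (first is not None, replay is not None)
```

    The first assertion below uses the RFC 6238 test seed, so the TOTP routine can be checked against the published vector.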



  • 3.  RE: MMFA Secret as offline Letter

    Posted Wed July 27, 2022 05:01 AM
    Hi Laurent,

    Thanks for the explanation, that clarifies things. I noticed that the code using the app had a short lifetime but didn't realize it uses OAuth. As you pointed out, TOTP has some disadvantages in terms of security and also, at least to my feeling, typing a number manually from one device to a screen on another device is a bit out of time. Also you can't transmit the information regarding the transaction you want to confirm with the code, so with an XSS attack or even with phishing it should easily be possible to gain access. That still depends on the coding and handling of security headers, but in my experience it's hard to convince developers to gain a deeper understanding of those things, even more when they just start using Angular. So I'd prefer the app and also implement RBA using the browser profile. The best way would be FIDO2 tokens, but then that needs the logistic overhead for rollout and costs for tokens.

    Anyway, your suggestion and the hint to OAuth help a lot.
    Thanks,
    Jens
    ------------------------------
    Jens Petersen
    ------------------------------