ITS SINGLE STEP NOT FACTOR — clarifying more FIDO terminology

Ackermann Yuriy, WebAuthn Works
Nov 10, 2021


FIDO2 in a nutshell

I keep seeing people mix up FIDO terminology: single step, single factor, two step, and so on. Here are some popular statements:

“One thing that I think confused the reviewer was that the key was doing biometric second factor even on sites that were using Fido as a single factor.” — https://twitter.com/LoginLlama/status/1457175107458277378

“How secure is FIDO2 compared to FIDO U2F and other 2FA solutions? Single factor login with FIDO2 offers strong authentication as a single factor.” — https://developers.yubico.com/WebAuthn/WebAuthn_Developer_Guide/FAQ.html

“Should We Rush to Implement Password-less Single Factor FIDO2 based Authentication?” — https://ieeexplore.ieee.org/abstract/document/9099190/authors#authors

Factor vs Step

A factor is one piece of evidence of the user's genuineness. There are three types of factors:

  • Something you know — password
  • Something you have — phone, FIDO security key
  • Something you are — biometrics

In web security we combine two or more factors to make identity theft harder. Attacker stole your password? Now they also need to get your device.

The combination of multiple factors, for example password + security key, is what we call “multi-factor authentication”.

A step is a specific action the user performs.

When a user logs in with their password and security key, this is a MULTI-FACTOR, TWO STEP process: type in the password, one step; press the security key, another step.

When a user logs in with their biometric FIDO security key, this is MULTI-FACTOR but ONE STEP authentication, because the user just needs to touch the biometric sensor. The security key does the rest.
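The relying party only learns that "the security key did the rest" from the flags byte of the WebAuthn authenticatorData it receives: UP (bit 0) says the user touched the key, UV (bit 2) says the authenticator itself verified the user with a biometric or PIN. The following Python is an added example, not code from the post or from WebAuthn Works: it parses that fixed 37-byte prefix (rpIdHash, flags, signCount, as laid out in the WebAuthn spec), and then counts factors and steps the way this post defines them. The relying party id `example.com`, the sample blobs and the `password_entered` parameter are constructed for the example, and it assumes the assertion signature has already been verified, since that signature is the "something you have" evidence.

```python
import hashlib
import struct

# Bit positions of the WebAuthn authenticatorData flags byte (from the WebAuthn spec).
FLAG_UP = 0x01  # User Present: the user touched the authenticator
FLAG_UV = 0x04  # User Verified: the authenticator verified the user (biometric or PIN)


def build_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Build a minimal authenticatorData blob: rpIdHash | flags | signCount.
    Used here only to construct sample input; a real value comes from the authenticator."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


def parse_auth_data(auth_data: bytes) -> dict:
    """Parse the fixed 37-byte prefix of authenticatorData."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData shorter than 37 bytes")
    flags = auth_data[32]
    return {
        "rp_id_hash": auth_data[:32],
        "up": bool(flags & FLAG_UP),
        "uv": bool(flags & FLAG_UV),
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
    }


def classify_login(auth_data: bytes, rp_id: str, password_entered: bool) -> dict:
    """Return which factors the relying party has evidence for and how many steps the user took.

    Assumption (hypothetical for this example): the assertion signature was already verified,
    so the signature itself is the 'something you have' evidence."""
    parsed = parse_auth_data(auth_data)
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        raise ValueError("rpIdHash does not match this relying party")
    if not parsed["up"]:
        raise ValueError("user presence flag not set; touch was not asserted")

    factors = {"have"}   # possession of the key, proven by the signature
    steps = 1            # the touch on the key
    if parsed["uv"]:
        # UV is set only when the authenticator verified the user (biometric sensor or PIN).
        # The spec does not say which; either way it is a second factor inside the same step.
        factors.add("are")
    if password_entered:
        factors.add("know")
        steps += 1       # typing the password was a separate user action

    return {"factors": sorted(factors), "steps": steps, "multi_factor": len(factors) >= 2}


if __name__ == "__main__":
    rp = "example.com"  # constructed sample relying party
    # FIDO2 passwordless with a biometric key: UP and UV set, no password typed.
    print(classify_login(build_auth_data(rp, FLAG_UP | FLAG_UV, 10), rp, password_entered=False))
    # U2F-style second factor: UP only, plus a password.
    print(classify_login(build_auth_data(rp, FLAG_UP, 11), rp, password_entered=True))
    # Key without user verification and no password: one factor only.
    print(classify_login(build_auth_data(rp, FLAG_UP, 12), rp, password_entered=False))
```

The third case is the one worth watching as a defender: a key that was only touched, with no UV flag and no password, gives the relying party evidence of a single factor, so a passwordless flow that wants to count as multi-factor has to require user verification and check the UV bit rather than assume the key performed it.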

Conclusion

Factors are evidence of the user's genuineness. The combination of multiple factors (pieces of evidence) in authentication is called “multi-factor authentication”.

Steps are a user-behaviour metric: how many actions of the authentication process the user has performed in order to get logged in.

FIDO2 passwordless flow is ONE step but MULTI-FACTOR authentication.

U2F flow with passwords is TWO step, but still MULTI-FACTOR.
