Search code examples
authenticationsecuritymulti-factor-authentication

What operations are critical to protect with an OTP/MFA to ensure that an OTP/MFA itself is not pointless?

An OTP (TOTP, SMS, email whatever) provides an additional check in order to authenticate.

What MINIMUM SET of operations should be protected by the OTP check to ensure the additional authentication check is not pointless?

My starting list is:

  • Login
  • Remove or modify OTP protection
  • Modify email address
  • Change password

Is my list overboard or incomplete (as a minimum set)?

Solution

  • After implementing and experimenting with MFA in our application, this is my conclusion. The minimum set of operations that should be protected by MFA once it has been set up are:

    • Login
      • This is a big catchall to protect all account operations by having to go through at least one MFA check.
    • Removal of MFA (additional check after login)
      • Obvious. We protect removal of MFA during an unattended logged in session.
    • Changing of email address or any identifier used for logging in (Additional check after login).
      • This is critical to prevent the account effectively being moved to different ownership.

    We found that password reset/update was not actually a desirable operation to be protected with MFA. Reset required access to the account email address and update required knowledge of the existing password.