Brief
Because the many posts across this forum are fragmented, and because I mixed terms while trying to simplify the explanation for non-technical users, I’m writing this post to clear up a few things:
- What MFA/passkeys are in general
- What MFA/passkeys are in discourse (and why passkeys are not sufficient)
- What is being enforced
Here is a video that shows how to use a password manager with TOTP/Passkeys:
Unfortunately, streaming doesn’t work.
What is MFA/Passkeys (In General)
MFA
MFA (Multi-factor Authentication) is an authentication method that aims to prove you are who you claim to be. There are 3 factors:
- Something you know (PIN/password/shared secret)
- Something you have (private key/USB security key/phone/etc.)
- Something you are (biometric: fingerprint/Face ID)
The goal of MFA is a stronger proof that you are who you claim to be. Many people (including myself in the past) think that separating the factors is the main goal, but in fact the main goal is to satisfy 2 or more of the 3 factors.
This is why the factors can be combined in one step for convenience.
Passkeys
Passkeys are a protocol that wraps MFA inside its package. Passkeys also include 2 more things that make them more secure:
- FIDO2 credential (a secret asymmetric key used to sign cryptographic challenges)
- Intentionality (a requirement that you intend to authenticate, i.e. you must interact)
The FIDO2 credential works like so (I am going to simplify and gloss over some of the details):
Note: the URL (origin) shown in the browser plays a role in the signing stage of this exchange; this is what makes phishing your FIDO2 credential impossible.
- When you request to sign in, the website sends you a nonce (a non-secret, one-time string of characters)
- Your private key signs that challenge, and the signed form is sent back
- The website (which holds the public component of your key) verifies the signature, proving only you could have requested the sign-in.
Intentionality adds that you have to prove you are present and want to authenticate. This can be presenting a biometric, pressing a button, or selecting an option in a list.
So in the end, passkeys have the 3 things:
- MFA
- FIDO2 Credential
- Intentionality
This is what makes passkeys so secure and resistant to phishing.
How do passkeys/MFA differ in Discourse?
Discourse does not correctly implement MFA with passkeys.
Typically, when you configure a passkey, it becomes your MFA: you would no longer be able to sign in without the passkey.
Discourse still allows you to log in with just a username/password even when you have a passkey, completely defeating the purpose of the passkey.
This is why, when MFA is being enforced, you must at a minimum set up TOTP.
Discourse doesn’t consider passkeys a form of MFA, and doesn’t prevent you from logging in without MFA.
What is being enforced?
- TOTP is being enforced.
- Passkeys will remain optional, though I do encourage their use because they’re easier to use and much more secure.