
Comment by yardstick

2 days ago

Presumably at some point in your environment you are doing MFA? Just not at every step?

I.e. if someone broke into your office, opened the computer, inserted the hardware security key, would they get in? Or is there something else non-physical going on? Like the initial login is password + security key, and you can demonstrate the SSH keys never leave the secured PCs, etc.

It is not about MFA or not, but about demonstrating that the process is secure for the purpose.

It can be complicated, but an example: TOTP, which is very commonly used with passwords, is regarded as MFA (though most of the time it is software-based on a phone) but has many problems regardless:

- many times replayable
- can be intercepted
- implementations look different
- recovery code reuse problems, etc.

On the other hand, using only passkeys doesn't have those problems, but with passkeys you often cannot decide on which device a user has registered the passkeys in an enterprise setting. For example, they could be Apple passkeys, Chrome passkeys, Windows, hardware keys (YubiKey), etc., and all of them behave differently when it comes to how they can be copied/synced between a user's devices, and so from where they can be used.

So for any authentication flow you need to look at the full picture. What is the process when credentials are lost? How do users onboard, etc.?

It is a good entry point to say "we should use MFA or similar", but the details matter.

  • It's always interesting to hear other people's approaches. Thanks for the insights!