Rethinking factors, and (not) to store oracles (presented at Passwords 2015)

by Jeffrey Goldberg,

Summary: Multi-factor authentication is typically thought of in terms of "something you have", "something you know", and "something you are". But those distinctions are only useful insofar as they tell us which kinds of threats the factors are or aren't vulnerable to. When considering which factors to introduce, it is far more useful to think directly in terms of the threats that they do and don't defend against.
For example, different factors might better be thought of in terms of "something that can be stolen", "something that can be guessed", and "something that can be captured and replayed". At the same time, adding factors is a threat to data availability and can be thought of in terms of "something that might be lost" and "something that might be forgotten".
Whether to add factors and how it should be done should be thought of in this light. In particular, we are exploring in a work in progress how user factors can be added so that server stored data cannot be used for password cracking.
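To make the last point concrete, here is an added illustration (not code from the talk or from the author's own system) of what "server-stored data cannot be used for password cracking" means. Scheme A stores a salt and a verifier derived from the password alone, so anyone holding that record can test password guesses offline. Scheme B is a hypothetical construction for this example: the salt fed to the KDF is first bound with a high-entropy secret key that only the user's devices hold, so the same record gives an attacker nothing to test guesses against. The password, wordlist, and iteration count are constructed sample values.

```python
import hashlib
import hmac
import secrets
from typing import Iterable, Optional

ITERATIONS = 2000  # kept low so the demo runs quickly; production uses far more


def derive(password: str, salt: bytes) -> bytes:
    """Slow, salted password hash (stand-in for whatever KDF the server uses)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=32)


def enroll_password_only(password: str) -> dict:
    """Scheme A: the server record is (salt, verifier) derived from the password alone."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "verifier": derive(password, salt)}


def bind_salt(secret_key: bytes, salt: bytes) -> bytes:
    """Mix the user-held secret key into the salt; the server never sees secret_key."""
    return hmac.new(secret_key, salt, hashlib.sha256).digest()


def enroll_with_secret_key(password: str, secret_key: bytes) -> dict:
    """Scheme B (hypothetical): the verifier depends on the password AND a random
    secret held only by the user's devices. The stored record looks the same as in
    scheme A, but it is no longer an oracle for password guesses."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "verifier": derive(password, bind_salt(secret_key, salt))}


def login_with_secret_key(record: dict, password: str, secret_key: bytes) -> bool:
    """Legitimate check: the client supplies both factors; the server compares verifiers."""
    candidate = derive(password, bind_salt(secret_key, record["salt"]))
    return hmac.compare_digest(candidate, record["verifier"])


def offline_search(record: dict, candidates: Iterable[str]) -> Optional[str]:
    """What someone holding only the server record can do: run each candidate
    through the public KDF with the stored salt and compare against the verifier."""
    for cand in candidates:
        if hmac.compare_digest(derive(cand, record["salt"]), record["verifier"]):
            return cand
    return None


def demo() -> dict:
    password = "correct horse"                                       # constructed, weak on purpose
    wordlist = ["password", "letmein", "correct horse", "hunter2"]   # constructed
    secret_key = secrets.token_bytes(16)                             # 128-bit user-held secret

    record_a = enroll_password_only(password)
    record_b = enroll_with_secret_key(password, secret_key)

    return {
        # Scheme A: the stored record alone confirms the weak password.
        "password_only_recovered": offline_search(record_a, wordlist),
        # Scheme B: the same search fails; without secret_key the record is not an oracle.
        "with_secret_key_recovered": offline_search(record_b, wordlist),
        # The legitimate user, holding both factors, still logs in.
        "legit_login_ok": login_with_secret_key(record_b, password, secret_key),
        "wrong_password_rejected": not login_with_secret_key(record_b, "letmein", secret_key),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The availability cost the summary describes shows up directly in scheme B: `login_with_secret_key` cannot succeed without `secret_key`, so a secret that is lost is exactly "something that might be lost", and the design has to pair it with a recovery or backup story rather than treating the extra factor as free.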
We would like to discuss some of our work in progress in this area both explaining our thoughts and seeking insights from participants.