[Chinese-English Parallel Text] What Is Two-Factor Authentication (2FA)?

Web Application Development | William | 165 views | 0 comments

Two-factor authentication (2FA), sometimes referred to as two-step verification or dual factor authentication, is a security process in which the user provides two different authentication factors to verify themselves to better protect both the user’s credentials and the resources the user can access. Two-factor authentication provides a higher level of assurance than authentication methods that depend on single-factor authentication (SFA), in which the user provides only one factor — typically a password or passcode. Two-factor authentication methods rely on users providing a password as well as a second factor, usually either a security token or a biometric factor like a fingerprint or facial scan.

Two-factor authentication adds an additional layer of security to the authentication process by making it harder for attackers to gain access to a person’s devices or online accounts, because knowing the victim’s password alone is not enough to pass the authentication check. Two-factor authentication has long been used to control access to sensitive systems and data, and online service providers are increasingly using 2FA to protect their users’ credentials from being used by hackers who have stolen a password database or used phishing campaigns to obtain user passwords.

Two-factor authentication (2FA), sometimes called two-step verification or dual-factor authentication, is a security verification process. In this process the user must provide two different authentication factors to prove their identity, which better protects the user's credentials and the resources the user can access. Two-factor authentication provides a higher level of assurance than single-factor authentication, in which the user provides only one authentication factor, typically a password or passcode. Two-factor authentication requires the user to provide not only a password but also a second factor, usually a security token or a biometric factor such as a fingerprint or facial scan.

Because knowing the victim's password alone is not enough to pass the authentication check, two-factor authentication adds an extra layer of security to the authentication process by making it harder for attackers to access a user's devices and online accounts. Two-factor authentication has long been used to control access to sensitive systems and data, and online service providers increasingly use it to protect their users' credentials from being used by hackers who have stolen a password database or obtained user passwords through phishing campaigns.

What are authentication factors?

There are several different ways in which someone can be authenticated using more than one authentication method. Currently, most authentication methods rely on knowledge factors like a traditional password, while two-factor authentication methods add either a possession factor or an inherence factor.

Authentication factors, listed in approximate order of adoption for computing, include:

  1. A knowledge factor is something the user knows, such as a password, a PIN or some other type of shared secret.

  2. A possession factor is something the user has, such as an ID card, a security token, a smartphone or other mobile device.

  3. An inherence factor, more commonly called a biometric factor, is something inherent in the user’s physical self. These may be personal attributes mapped from physical characteristics, such as fingerprints authenticated through a fingerprint reader; other commonly-used inherence factors include facial and voice recognition. It also includes behavioral biometrics, such as keystroke dynamics, gait or speech patterns.

  4. A location factor, usually denoted by the location from which an authentication attempt is being made, can be enforced by limiting authentication attempts to specific devices in a particular location, or more commonly by tracking the geographic source of an authentication attempt based on the source IP address or some other geolocation information derived from the user’s mobile phone or other device such as GPS data.

  5. A time factor restricts user authentication to a specific time window in which logging on is permitted, blocking access to the system outside of that window.

What are authentication factors?

People can be authenticated in several different ways using more than one authentication method. Currently, most authentication methods rely on knowledge factors such as a traditional password, while two-factor authentication adds a possession factor or an inherence factor.

Authentication factors, listed in approximate order of adoption in computing, are:

  1. A knowledge factor is something the user knows, such as a password, a PIN or another type of shared secret.

  2. A possession factor is something the user has, such as an ID card, a security token, a smartphone or another mobile device.

  3. An inherence factor, more often called a biometric factor, is a characteristic inherent in the user. These may be personal attributes mapped from physical characteristics, such as a fingerprint authenticated by a fingerprint reader; other inherence factors include facial recognition and voice recognition. Behavioral biometrics are also included, such as keystroke dynamics, gait or speech patterns.

  4. A location factor usually refers to the location from which the authentication attempt is made. It can be enforced by restricting authentication to specific devices in a specific location, or, more commonly, by tracking the source IP address of the authentication attempt or geolocation information from a mobile phone or other device (such as GPS data).

  5. A time factor restricts user logins to a specific time window and blocks access to the system outside that window.

It should be noted that the vast majority of two-factor authentication methods rely on the first three authentication factors though systems requiring greater security may use them to implement multifactor authentication, which can rely on two or more independent credentials for more secure authentication.

What is two-factor authentication?

Two-factor authentication is a form of multifactor authentication. Technically, it is in use any time two authentication factors are required to gain access to a system or service. However, using two factors from the same category doesn’t constitute 2FA; for example, requiring a password and a shared secret is still considered single-factor authentication, as they both belong to the same authentication factor — knowledge.

It should be noted that the vast majority of two-factor authentication methods rely on the first three factors, although systems requiring higher security may use them to implement multifactor authentication, which can rely on two or more independent credentials for more secure authentication.

What is two-factor authentication?

Two-factor authentication is a form of multifactor authentication. Technically, it is in use whenever two authentication factors are required to access a system or service. However, using two factors from the same category does not constitute 2FA; for example, requiring a password and a shared secret is still considered single-factor authentication, because both belong to the same factor: knowledge.

As far as single factor authentication services go, user ID and password are not the most secure. One problem with password-based authentication is it requires knowledge and diligence to create and remember strong passwords. Passwords require protection from many inside threats, like carelessly stored sticky notes with login credentials, old hard drives and social-engineering exploits. Passwords are also prey to external threats, such as hackers using brute-force, dictionary or rainbow table attacks.

Given enough time and resources, an attacker can usually breach password-based security systems. Passwords have remained the most common form of single factor authentication because of their low cost, ease of implementation and familiarity. Multiple challenge-response questions can provide more security, depending on how they are implemented, and stand-alone biometric verification methods can also provide a more secure method of single-factor authentication.

As far as single-factor authentication services go, a user ID and password are not the most secure. One problem with password-based authentication is that creating and remembering strong passwords requires knowledge and effort. Passwords must be protected from many internal threats, such as carelessly kept sticky notes with login credentials, old hard drives and social-engineering exploits. Passwords are also susceptible to external threats, such as hackers using brute-force, dictionary or rainbow-table attacks.

Given enough time and resources, an attacker can usually break password-based security systems. Passwords remain the most common form of single-factor authentication because they are cheap, easy to implement and familiar to everyone. Multiple challenge-response questions can provide more security, depending on how they are implemented, and stand-alone biometric verification methods can also provide a more secure form of single-factor authentication.

Types of two-factor authentication products

There are many different devices and services for implementing 2FA, from tokens to RFID cards to smartphone apps.

Two-factor authentication products can be divided into two categories: tokens that are given to users to use when logging in, and infrastructure or software that recognizes and authenticates access for users who are using their tokens correctly.

Authentication tokens may be physical devices, such as key fobs or smart cards, or they may exist in software as mobile or desktop apps that generate PIN codes for authentication. These authentication codes, also known as one-time passwords, are usually generated by a server and can be recognized as authentic by an authentication device or app. The authentication code is a short sequence linked to a particular device, user or account and that can be used once as part of an authentication process.

Types of two-factor authentication products

There are many different devices and services for implementing 2FA, from tokens and RFID cards to smartphone apps.

Two-factor authentication products fall into two categories: tokens given to users to use when logging in, and the infrastructure or software that recognizes and authenticates access for users who use their tokens correctly.

Authentication tokens may be physical devices, such as key fobs or smart cards, or they may exist in software as mobile or desktop apps that generate PIN codes for authentication. These codes (also called one-time passwords) are usually generated by a server and can be recognized as authentic by an authentication device or app. An authentication code is a short sequence linked to a specific device, user or account that can be used once as part of the authentication process.

Organizations need to deploy a system to accept, process and allow — or deny — access to users authenticating with their tokens. This may be deployed in the form of server software, a dedicated hardware server or provided as a service by a third-party vendor.

An important aspect of 2FA is ascertaining that the authenticated user is given access to all resources the user is approved for — and only those resources. As a result, one key function of 2FA is linking the authentication system with an organization’s authentication data. Microsoft provides some of the infrastructure necessary for organizations to support 2FA in Windows 10 through Windows Hello, which can operate with Microsoft accounts, as well as authenticating users through Microsoft Active Directory (AD), Azure AD or with FIDO 2.0.

Organizations need to deploy a system that accepts, processes and allows (or denies) access for users authenticating with their tokens. This can be deployed as server software, a dedicated hardware server or a service provided by a third-party vendor.

An important part of 2FA is making sure an authenticated user gets access to all the resources they are approved for, and only those resources. A key function of 2FA is therefore linking the authentication system to the organization's authentication data. Through Windows Hello, Microsoft provides some of the infrastructure organizations need to support 2FA on Windows 10; it can work with Microsoft accounts and can also authenticate users through Microsoft Active Directory (AD), Azure AD or FIDO 2.0.

How 2FA hardware tokens work

Hardware tokens for 2FA are available supporting different approaches to authentication. One popular hardware token is the YubiKey, a small USB device that supports one-time passwords (OTP), public key encryption and authentication and the Universal 2nd Factor protocol developed by the FIDO Alliance. YubiKey tokens are sold by Yubico, Inc., based in Palo Alto, Calif.

When a user with a YubiKey logs into an online service that supports OTP, such as Gmail, GitHub or WordPress, they insert their YubiKey into the USB port of their device, enter their password, click in the YubiKey field and touch the YubiKey button. The YubiKey generates an OTP and enters it in the field.

The OTP is a 44-character, single-use password; the first 12 characters are a unique ID that identifies the security key registered with the account. The remaining 32 characters contain information that is encrypted using a key known only to the device and Yubico’s servers, established during the initial account registration.

The OTP is sent from the online service to Yubico for authentication checking. Once the OTP is validated, the Yubico authentication server sends back a message confirming this is the right token for this user. The 2FA is complete. The user has provided two factors of authentication: Their password is the knowledge factor, and their YubiKey is the possession factor.

How 2FA hardware tokens work

Hardware tokens for 2FA support different authentication methods. One popular hardware token is the YubiKey, a small USB device that supports one-time passwords (OTP), public key encryption and authentication, and the Universal 2nd Factor protocol developed by the FIDO Alliance. YubiKey tokens are sold by Yubico, Inc., based in Palo Alto, California.

When a user with a YubiKey logs into an online service that supports OTP (such as Gmail, GitHub or WordPress), they insert the YubiKey into their device's USB port, enter their password, click in the YubiKey field and touch the YubiKey button. The YubiKey generates an OTP and enters it in the field.

The OTP is a 44-character single-use password; the first 12 characters are a unique ID that identifies the security key registered with the account. The remaining 32 characters contain information encrypted with a key known only to the device and Yubico's servers, established during initial account registration.

The online service sends the OTP to Yubico for authentication checking. Once the OTP is validated, the Yubico authentication server returns a message confirming that this is the right token for this user, and the 2FA process is complete. The user has provided two authentication factors: the password is the knowledge factor and the YubiKey is the possession factor.
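The 12 + 32 character layout described above can be checked by the relying party before the OTP is forwarded to Yubico. The following is an added example, not code from the article or from Yubico; it assumes a constructed registration table and a constructed sample OTP, and it stops at the public ID because the remaining 16 bytes can only be decrypted by the server holding the AES key.

```python
"""Split a YubiKey OTP into its public ID and encrypted payload.

Added example, not code from the original article or from Yubico.
YubiKey OTPs are written in "modhex", a 16-letter alphabet chosen because
those letters sit on the same keys on most keyboard layouts. The first 12
characters are the public ID; the remaining 32 characters encode the 16-byte
AES-encrypted part that only the validation server can decrypt.
"""
from typing import Optional, Tuple

MODHEX = "cbdefghijklnrtuv"  # modhex digit i is written as MODHEX[i]
OTP_LEN, PUBLIC_ID_LEN = 44, 12


def modhex_decode(text: str) -> bytes:
    """Decode a modhex string into bytes; rejects odd length or bad letters."""
    if len(text) % 2:
        raise ValueError("modhex text must have even length")
    try:
        nibbles = [MODHEX.index(ch) for ch in text]
    except ValueError:
        raise ValueError("character outside the modhex alphabet") from None
    return bytes(hi << 4 | lo for hi, lo in zip(nibbles[::2], nibbles[1::2]))


def parse_yubikey_otp(otp: str) -> Tuple[str, bytes]:
    """Return (public_id, ciphertext) after checking the OTP's shape."""
    otp = otp.strip().lower()
    if len(otp) != OTP_LEN:
        raise ValueError(f"OTP must be {OTP_LEN} characters, got {len(otp)}")
    modhex_decode(otp[:PUBLIC_ID_LEN])  # validates the public ID alphabet
    ciphertext = modhex_decode(otp[PUBLIC_ID_LEN:])  # 32 modhex chars = 16 bytes
    return otp[:PUBLIC_ID_LEN], ciphertext


# Constructed registration table: public ID -> account it was enrolled for.
REGISTERED = {"ccccccbchvte": "alice"}


def account_for_otp(otp: str) -> Optional[str]:
    """Look up which account the OTP's public ID belongs to (None if unknown).

    A real relying party would then send the whole OTP to the validation
    server, which holds the AES key, and accept the login only if it confirms.
    """
    try:
        public_id, _ = parse_yubikey_otp(otp)
    except ValueError:
        return None
    return REGISTERED.get(public_id)
```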

Two-factor authentication for mobile device authentication

Smartphones offer a variety of possibilities for 2FA, allowing companies to use what works best for them. Some devices are capable of recognizing fingerprints; a built-in camera can be used for facial recognition or iris scanning and the microphone can be used for voice recognition. Smartphones equipped with GPS can verify location as an additional factor. Voice or Short Message Service (SMS) may also be used as a channel for out-of-band authentication.

Apple iOS, Google Android, Windows 10 and BlackBerry OS 10 all have apps that support 2FA, allowing the phone itself to serve as the physical device to satisfy the possession factor. Duo Security, based in Ann Arbor, Mich., and purchased by Cisco in 2018 for $2.35 billion, is a 2FA platform vendor whose product enables customers to use their trusted devices for 2FA. Duo’s platform first establishes that a user is trusted before verifying that their mobile device can also be trusted for authenticating the user.

Two-factor authentication for mobile device authentication

Smartphones offer many possibilities for 2FA, letting companies use whatever works best for them. Some devices can recognize fingerprints; the built-in camera can be used for facial recognition or iris scanning, and the microphone for voice recognition. Smartphones with GPS can verify location as an additional factor. Voice or Short Message Service (SMS) can also serve as a channel for out-of-band authentication.

Apple iOS, Google Android, Windows 10 and BlackBerry OS 10 all have apps that support 2FA, allowing the phone itself to serve as the physical device satisfying the possession factor. Duo Security, headquartered in Ann Arbor, Michigan, and acquired by Cisco in 2018 for $2.35 billion, is a 2FA platform vendor whose product lets customers use their trusted devices for 2FA. Duo's platform first establishes that the user is trusted, then verifies that their mobile device can also be trusted to authenticate the user.

Authenticator apps replace the need to obtain a verification code via text, voice call or email. For example, to access a website or web-based service that supports Google Authenticator, the user types in their username and password — a knowledge factor. The user is then prompted to enter a six-digit number. Instead of having to wait a few seconds to receive a text message, Authenticator generates the number for them. These numbers change every 30 seconds and are different for every login. By entering the correct number, the user completes the user-verification process and proves possession of the correct device — an ownership factor.

Is two-factor authentication secure?

While two-factor authentication does improve security — because the right to access no longer relies solely on the strength of a password — two-factor authentication schemes are only as secure as their weakest component. For example, hardware tokens depend on the security of the issuer or manufacturer. One of the most high-profile cases of a compromised two-factor system occurred in 2011, when security company RSA Security reported its SecurID authentication tokens had been hacked.

Authenticator apps remove the need to obtain a verification code by text, voice call or email. For example, to access a website or web-based service that supports Google Authenticator, the user enters their username and password (the knowledge factor). The user is then prompted to enter a six-digit number. Instead of waiting a few seconds for a text message, Authenticator generates the number for them. These numbers change every 30 seconds and differ for every login. By entering the correct number, the user completes the verification process and proves possession of the correct device (the ownership factor).

Is two-factor authentication secure?

Although two-factor authentication does improve security, because access no longer depends solely on the strength of a password, a two-factor authentication scheme is only as secure as its weakest component. For example, hardware tokens depend on the security of the issuer or manufacturer. One of the most high-profile cases of a compromised two-factor system occurred in 2011, when security company RSA Security reported that its SecurID authentication tokens had been hacked.
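The six-digit, 30-second codes described in the authenticator-app paragraph above are time-based one-time passwords. The following is an added example, not code from the article or from Google; it implements the RFC 4226 (HOTP) and RFC 6238 (TOTP) defaults that authenticator apps use (HMAC-SHA1, 30-second step, 6 digits) plus the server-side check, and the demo secret is the published RFC test-vector key, so the expected codes are known.

```python
"""Generate and verify TOTP codes like those shown by Google Authenticator.

Added example, not code from the article or from Google. Follows RFC 4226
(HOTP) and RFC 6238 (TOTP): HMAC-SHA1, 30-second step, 6 digits.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP, DIGITS = 30, 6


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226: HMAC the 8-byte counter, dynamically truncate, take 6 digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238: the counter is the number of 30-second steps since the epoch."""
    return hotp(secret, unix_time // STEP)


class TotpVerifier:
    """Server-side check: tolerate one step of clock drift either way, and
    never accept a step at or before the last one already consumed, so a code
    captured and replayed inside its 30-second window is rejected."""

    def __init__(self, secret: bytes, drift_steps: int = 1):
        self.secret, self.drift = secret, drift_steps
        self.last_step = -1

    def verify(self, code: str, unix_time: Optional[int] = None) -> bool:
        now = unix_time if unix_time is not None else int(time.time())
        now_step = now // STEP
        for step in range(now_step - self.drift, now_step + self.drift + 1):
            if step <= self.last_step:
                continue  # replay of an already-consumed step
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.last_step = step
                return True
        return False


# Demo secret: the RFC 4226 / RFC 6238 test-vector key (never reuse in production).
DEMO_SECRET = b"12345678901234567890"
```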

The account-recovery process itself can also be subverted when it is used to defeat two-factor authentication, because it often resets a user’s current password and emails a temporary password to allow the user to log in again, bypassing the 2FA process. The business Gmail accounts of the chief executive of Cloudflare were hacked in this way.

Although SMS-based 2FA is inexpensive, easy to implement and considered user-friendly, it is vulnerable to numerous attacks. NIST has deprecated use of SMS in 2FA services in its Special Publication 800-63-3: Digital Identity Guidelines. NIST concluded that one-time passwords sent via SMS are too vulnerable due to mobile phone number portability, attacks like the Signaling System 7 hack against the mobile phone network and malware like Eurograbber that can be used to intercept or redirect text messages.

The account-recovery process itself can also be subverted when it is used to defeat two-factor authentication, because it usually resets the user's current password and emails a temporary password so the user can log in again, bypassing the 2FA process. The business Gmail account of Cloudflare's CEO was hacked in this way.

Although SMS-based 2FA is inexpensive, easy to implement and user-friendly, it is vulnerable to many attacks. NIST has deprecated the use of SMS in 2FA services in its Special Publication 800-63-3: Digital Identity Guidelines. NIST concluded that one-time passwords sent by SMS are too vulnerable because of mobile number portability, attacks on the mobile network such as the Signaling System 7 hack, and malware like Eurograbber that can intercept or redirect text messages.


via:oschina
