[ibgib]

I'm looking forward to more genuine MFA. For my site, I'm experimenting with the ability to identify yourself with as many email address identities as you want (in the future the plan is to add more types including oauth, sms, etc.). If you're a regular person, you can just use one. If you're cagey, maybe two or three. Straight up paranoid, how about 10?

The point is that you are basically using an extensible claims-based approach to identity to create "aggregate identities". In the case of a beginner user, it just looks like "my account". More advanced users can add more security as necessary.

[Sargos]

So instead of hacking 1 email/account they would just hack 2 or 3? I don't think that is adding any real security as those accounts would still just be protected by regular passwords. It makes it a tad bit harder for a hacker but not prohibitively so, because if they got the credentials to your first account then the others are probably not too much harder.

The real power of 2FA is having the code generated by you, the human, via your hardware device or software physically controlled by you and not another automated machine.

[ibgib]

> So instead of hacking 1 email/account they would just hack 2 or 3? I don't think that is adding any real security as those accounts would still just be protected by regular passwords. It makes it a tad bit harder for a hacker but not prohibitively so, because if they got the credentials to your first account then the others are probably not too much harder.

That's certainly one of the thoughts that I had originally! But if you look at the details, perhaps it will become a bit clearer for you: Each of my email accounts are themselves protected by 2FA, so "those accounts" are not just "protected by regular passwords".

You can have email accounts with multiple email providers, e.g. gmail, outlook, etc. So, depending on how your email account gets compromised, this gives you additional layering of security. If mail provider X has a security breach, no big deal, because you also are using provider Y.

More generally, this can be seen with any factor in authentication, i.e. a claim. If any claim X is compromised, by any particular attack vector, then you also have Y, Z, etc. in play, depending on your security vs. convenience configuration.

And as I stated, email is only one of the avenues used to provide evidence for a claim. In the future, Oauth(2) tokens, sms, etc. The point is that it's an extensible mechanism for genuine MFA, instead of hard-coding in the "2" in 2FA. And that diversity is where the "real power" of multi-factor authentication comes into play.

[Sargos]

This really does just seem like 2FA with extra steps.

You can't add N factors to multi factor authentication by adding more accounts. That's just lightly strengthening the first factor (something you know which is a few different accounts) with a splattering of the second factor (those accounts rely on something you have such as your phone). The third factor of something you are doesn't even come into play in this solution.

Having 2FA set up for the account in question makes it reasonably secure. Relying on a second account that also has 2FA enabled does not make it twice as secure. It might make it slightly more secure but not by a lot. It's even likely that the second account is using the same device for the second factor as the first account which negates any added security.

The best you can do in a scheme like this is shift the trust based security to second entity. It's the same level of security but just handled by something you might trust more. (Google/Facebook vs some random website I had to make an account for).

[ibgib]

> Relying on a second account that also has 2FA enabled does not make it twice as secure.

This is an absurd statement that I didn't imply, but perhaps you inferred?

> The third factor of something you are doesn't even come into play in this solution.

As I've said, the point is to allow for additional claims to be given. "Something you are", i.e. biometrics, is certainly "in play" in this solution. It is yet another claim to add to establish an identity. The point is that the identification is extensible, and that it's left to the end user to make the opinions that you're depicting rather insouciantly as some kind of "absolute truth", when what we're actually talking about is trade-offs with security vs. convenience, as well as defense-in-depth.

> It's even likely that the second account is using the same device for the second factor as the first account which negates any added security.

You're assuming that the attack vector is only at the end device. Of course diversification of hardware like a keyfob or smart card is an added layer of defense. But that doesn't mean that there is no value in multiple identities from the same device. It all depends on the specifics of how your device is compromised, or even if it's your device that is compromised in the first place. As I said, what if you have a single email address hacked or a single email (or oauth, or sms, or whoever) has a data breach?

> The best you can do in a scheme like this is shift the trust based security to second entity.

Creating your own user/pass scheme, or your own oauth server is certainly one of the options we have, so again this is not "shifting to a second entity".

I'm wondering if this is just trolling at this point? You're making simply outlandish remarks with numerous assumptions and with little regard to what I'm actually saying.