Ask HN: Are SSH keys with passphrases considered 2FA?

Y	Hacker News new \| ask \| show \| jobs

3 points by h43z 299 days ago

It could be argued that from the servers perspective only one thing was provided, so it's not 2FA.

Then what about ssh keys AND user/password authentication?

Like this sshd_config

  PasswordAuthentication yes
  PubkeyAuthentication yes
  AuthenticationMethods publickey,password

I guess it boils down to if one thinks ssh keys are something you know or something you have? The passphrase and password is very clearly something I know.

I'd like to hear your thoughts.

1 comments

theandrewbailey 299 days ago

If the server login needs a key and password (separate from the password to encrypt your private key), yes that's two factor: the server sees something you know and something you have. I worked on a platform (Salesforce B2C Commerce Cloud) that sometimes used WebDAV with HTTP basic auth and HTTPS client certificates (combined), and that was considered two factor authentication. I don't see how that's totally different from this SSH setup.

link