Paper 2024/935

MFKDF: Multiple Factors Knocked Down Flat

Matteo Scarlata, ETH Zurich
Matilda Backendal, ETH Zurich
Miro Haller, University of California, San Diego
Abstract

Nair and Song (USENIX 2023) introduce the concept of a Multi-Factor Key Derivation Function (MFKDF), along with constructions and a security analysis. MFKDF integrates dynamic authentication factors, such as HOTP and hardware tokens, into password-based key derivation. The aim is to improve the security of password-derived keys, which can then be used for encryption or as an alternative to multi-factor authentication. The authors claim an exponential security improvement compared to traditional password-based key derivation functions (PBKDF). We show that the MFKDF constructions proposed by Nair and Song fall short of the stated security goals. Underspecified cryptographic primitives and the lack of integrity of the MFKDF state lead to several attacks, ranging from full key recovery when an HOTP factor is compromised, to bypassing factors entirely or severely reducing their entropy. We reflect on the different threat models of key-derivation and authentication, and conclude that MFKDF is always weaker than plain PBKDF and multi-factor authentication in each setting.

Metadata
Available format(s)
PDF
Category
Attacks and cryptanalysis
Publication info
Published elsewhere. Minor revision. USENIX SECURITY 2024
Keywords
cryptanalysiskey derivationmulti-factor authenticationPBKDF
Contact author(s)
matteo scarlata @ inf ethz ch
mbackendal @ inf ethz ch
mhaller @ ucsd edu
History
2024-07-26: revised
2024-06-11: received
See all versions
Short URL
https://ia.cr/2024/935
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2024/935,
      author = {Matteo Scarlata and Matilda Backendal and Miro Haller},
      title = {{MFKDF}: Multiple Factors Knocked Down Flat},
      howpublished = {Cryptology {ePrint} Archive, Paper 2024/935},
      year = {2024},
      url = {https://eprint.iacr.org/2024/935}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.