Most MFA Providers are no longer PCI compliant

28 Feb 2017 · PCI Compliance

In order to accept credit cards, many* merchants need to meet PCI (Payment Card Industry) requirement 8.3, which mandates the use of MFA (Multi-Factor Authentication).  MFA typically uses an app, fingerprint, or SMS message in addition to a password for authentication. Most products that advertise MFA for PCI compliance actually provide 2-step authentication (2SA), which doesn't meet the PCI requirements -- and most of the 24 companies surveyed for this article didn't know this.  

A list of compliant and non-compliant products are listed at the bottom of this page.

Full disclosure: ThreeShield Information Security Corporation employs PCI-certified consultants, but does not have any resale, referral, advertising, or other endorsement relationships with any of the listed MFA or 2SA providers. 

*The requirement for MFA does not apply to merchants that use an iframe or redirect to a third-party for all credit-card transactions.


Background

Most systems still use passwords to authenticate the user logging in.  Unfortunately, passwords are often compromised through viruses, security breaches, and email scams.  You can see how many of your accounts have been compromised through tools like haveibeenpwned.com. Since those without password managers like LastPass often reuse their passwords, one compromised account can lead to many others.  For these reasons, security experts encourage people to authenticate with more than just a password* and to use two or more categories of authentication: something you know (like a password), something you have (like a security token or a phone), and something you are (like fingerprint readers).  This is called Multi-Factor Authentication or MFA.

*Ideally, we would replace passwords altogether, but that's a topic for another article.


Two-Factor Authentication or One?

One of the benefits of MFA is that someone trying to break into your account needs to use two different methods to log in.  If you have two items in one category (or factor), such as something you know, then they can likely be stolen the same way.  As such, two passwords are still considered one factor.  

Similarly, if you use a password and an SMS text message to log in to a website, but you get your SMS messages get sent to your email and you only use a password to get to your email, an attacker could log in with just two passwords (assuming that your website password and email password are different).  In that case, you really only have one factor.


Multi-Factor Authentication vs. Two-Step Authentication
(MFA vs 2SA)

Splitting multiple authentications into two steps makes it a lot easier to break.  If an attacker is told which factor was wrong, they can work on one factor (such as a password) until they get it and then work on defeating the second factor like a series of numbers generated by a tool like Google Authenticator or sent by text message.  In some cases, these numbers can be guessed before they expire or change.

When an attacker needs to guess a password and an ever-changing generated number at the same time, the attack gets a lot more difficult and less likely to succeed.   For this reason, the Payment Card Industry (PCI) reinforced the distinction between these two concepts in their February 2017 guidance and an email sent to certified PCI professionals in July 2016.  Two-step authentication (where the second factor is only requested if the first factor is correct) does not meet PCI's definition of MFA.  


Most MFA companies don't provide MFA

After the PCI guidance was publicly issued, I asked all of the "Multi-Factor Authentication" vendors at the February 2017 RSA security conference. Not a single salesperson understood the difference between Multi-Factor Authentication and Multi-Step Authentication. Most were actually proud that they didn't bother users with a second factor if they got their passwords wrong! Given the possibility that representatives at the conference might have been salespeople with limited knowledge, we followed up with 24 different vendors that purported to be PCI-compliant MFA providers.
 

MFA Vendor Summary


Here are the results:
(accurate as of February 28,2017; we are still waiting for responses from 7)

Companies that provide true MFA

Auth0

NetIQ

Okta - The default configuration does not provide true MFA. However, a custom portal can be made with the tool to provide true MFA.

Optimal IDM

RSA SecureID - The most well-known (and expensive) offering. They've done it right from the beginning when their only offering was a hardware token that generated a code that could be appended to a password.

SecureAuth

TeleSign - provides an authentication service that can be customized by the developer. So 2FA vs MFA depends on implementation.


Companies that are changing their offering to provide true MFA (and know the difference)

We admire these companies and their initiative to do the right thing:

ClearLogin - A small and agile company that should have true MFA by March 2017


Companies that claim to provide MFA, but actually only provide 2-Step Authentication

AuthAnvil

Authy

Bomgar

CrossMatch - True MFA may be possible with a custom integration. In my conversation with this company, the rep said that they researched the topic and found that PCI DSS didn't require true MFA. (We provided them with the appropriate PCI documentation)

Duo - This company is a big name in the space. They talk about new PCI changes, but missed this one. Every person I talked to at Duo was very proud not to bother users with a second factor if it wasn't needed.

Microsoft Azure - This approach is consistent with Microsoft's key competitor, Google. However, Microsoft should follow Google's lead and be honest about it.

Ping

StormPath

UNLOQ - UNILOQ works with WordPress, which is clear able using 2-step instead of 2-factor.   UNLOQ actually contacted us to be added to this list.  Initially, they were in the "inconsistent" group because their website uses 2-step and 2-factor interchangeably.  However, after a few follow-ups, we confirmed that they are only 2-step.


Companies that were inconsistent on the topic

Please contact us if you find out the truth about the following companies.  Their sales people claimed to that they provide true MFA.  However, the supporting documentation they provided indicated that they only provide 2-step authentication.  Follow-up calls provided inconsistent results.

Centrify


Companies that are upfront with their 2-step authentication

Google They were one of the first to use the term, "2-step authentication." It's still better than nothing, but not adequate for PCI.


Please contact us with suggestions for the above lists

Hopefully, this list will change over time.  If you have any corrections or suggestions, please contact us.