Multiple Authority Authentication
Multi-factor authentication has been pretty effective to date for protecting accounts. Probably the most recognizable second factor (to the general population) has been one-time passwords (OTPs), the short-term PINs found in RSA tokens. Various groups such as E-Trade and even Blizzard have deployed a form of these tokens, where authentication relies on your actual username/password combined with the current code on the token's display. Other organizations such as Google have come up with their own second-factor OTP solution based on SMS.
With multiple authentication factors, if an attacker should defeat one scheme, then the other scheme(s) would still be able to protect the user. For example, when hackers stole RSA's master secrets back in 2011, they didn't automatically gain access to the accounts of every RSA token user. Security may have weakened, but access still depended on other factors (typically the original passwords of individual users).
The RSA breach also demonstrates that compromising an authority is basically equivalent to compromising the authentication factors that it represents. The factors in use wouldn't matter, since hackers could theoretically have the power to steal passwords, generate new tokens, or reassign biometric signatures, among other mischief.
Sadly, no authority is invincible, and anyone who says otherwise is just trying to sell you something. Authentication services are obviously juicy targets because of the potential scale of the payoff (for the hacker). They are also arguably easier to break than any well-studied authentication scheme. A typical authentication service presents a larger "attack surface" because it involves more people and complicated internal machinery. Therefore, every authority must have a procedure to respond to its own worst-case scenario. (If it doesn't, then you should be wary, if not alarmed!)
Multiple authorities can save the day when credentials become unsafe, whether due to a compromised authority or due to direct theft from a user. Instead of one organization taking on the awesome responsibility of securing every user's identity, multiple strong identity authorities would share the burden. That way, hackers would need to attack on multiple simultaneous fronts, and authorities would be able to catch each other when one should stumble. In a true multi-authority scenario, nobody is the weakest link, because we are all in this together, as part of one powerful, proactive, self-repairing link.
Independent sites/services are better off sharing the authentication burden for more practical reasons as well. An end-user service shouldn't need to invest the engineering and support to manage their own authentication schemes. They may depend on secure identification, but unless they specialize in security, they have their own products/services to deal with! Furthermore, if each organization had its own token, your pockets would eventually be overflowing with blinking, battery-powered dongles next to a fistful of traditional keys.
We're not just talking about giving users a choice of authorities. We're talking about requiring verification from multiple sources to log in (at the very least, one other source). Obviously, passwords will be a nuisance for multiple-authority verification. Fortunately, the current generation of authentication schemes (like LastPass, YubiKey, Persona, OneID, and CryoKey) makes authentication so simple that checking against multiple authorities should have minimal impact on the user authentication experience.
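The quorum rule described above, sketched as an added example (not code from this post or from any of the products it names): a site accepts a login only when at least two distinct authorities vouch for the same user and login nonce. The authority names, demo keys, and the HMAC-based assertion format are assumptions made for illustration; HMAC stands in for whatever signature each real authority would use.

```python
import hashlib
import hmac
import json
import time

# Constructed demo secrets, one per independent authority (names are hypothetical).
# HMAC stands in for each authority's signature to stay within the standard library.
AUTHORITY_KEYS = {"authority-a": b"demo-key-a", "authority-b": b"demo-key-b",
                  "authority-c": b"demo-key-c"}

def _tag(key, authority, user, nonce, expires):
    # JSON list encoding keeps field boundaries unambiguous.
    msg = json.dumps([authority, user, nonce, expires]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def issue_assertion(authority, key, user, nonce, expires):
    """What an authority returns once it has authenticated the user its own way."""
    return {"authority": authority, "user": user, "nonce": nonce,
            "expires": expires, "tag": _tag(key, authority, user, nonce, expires)}

def verify_login(assertions, user, nonce, trusted_keys, quorum=2, now=None):
    """Accept only if `quorum` distinct trusted authorities vouch for this login."""
    now = time.time() if now is None else now
    vouching = set()
    for a in assertions:
        key = trusted_keys.get(a.get("authority"))
        if key is None:
            continue  # unknown or suspended authority
        if a.get("user") != user or a.get("nonce") != nonce:
            continue  # issued for another user or another login attempt
        if not isinstance(a.get("expires"), (int, float)) or a["expires"] < now:
            continue  # missing or expired
        expected = _tag(key, a["authority"], user, nonce, a["expires"])
        if hmac.compare_digest(expected.encode(), str(a.get("tag")).encode()):
            vouching.add(a["authority"])  # set: repeats from one authority count once
    return len(vouching) >= quorum

def demo(now=1_700_000_000, nonce="login-nonce-1"):  # constructed values
    def mk(name):
        return issue_assertion(name, AUTHORITY_KEYS[name], "alice", nonce, now + 60)
    ok = verify_login([mk("authority-a"), mk("authority-b")], "alice", nonce,
                      AUTHORITY_KEYS, now=now)
    # Whoever holds only authority-a's key can mint a's assertions, nothing more.
    breached = verify_login([mk("authority-a")] * 2, "alice", nonce, AUTHORITY_KEYS, now=now)
    # Breach response: drop authority-a from the trust set; b and c still reach quorum.
    rest = {k: v for k, v in AUTHORITY_KEYS.items() if k != "authority-a"}
    recovered = verify_login([mk("authority-b"), mk("authority-c")], "alice", nonce,
                             rest, now=now)
    return ok, breached, recovered
```

`demo()` returns `(True, False, True)`: two authorities suffice, one breached authority alone does not, and logins keep working after that authority is removed from the trust set.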
In short, multi-factor authentication by itself isn't a magic bullet. Truly strong identification will make use of multi-authority authentication. Metaphorically speaking, each factor may represent a strong weapon, and an authority may represent a warrior. But if your village needs protection, one samurai may not be enough, no matter how many weapons he possesses; however, seven might make all the difference.
How many hurdles are users willing to go through to access their sites? What could a single site do to improve its own security if it is unable to incorporate multiple-authority authentication?















