September 18-20, 2024 | DoubleTree by Hilton, San Jose, California

FIPS140-3 L4 Multi-Factor Authentication (U23b)

02 Sep 2021
16:00-16:30

The multi-factor authentication (MFA) requirement for operator authentication is introduced at FIPS 140-3 Level 4. This presentation is intended to show that the restrictive specification of this Level 4 MFA does not permit realistic HSM operation and that the desired increase in security does not materialize. For instance, one solution under consideration is to extend the HSM with a port for an additional physical crypto-token to prove possession. This, however, is an unserviceable setup for HSM administrators of large data centers such as the IBM Cloud for Financial Services. HSMs in such an environment cannot be operated in a mode where physical access needs to be provided. Even for smaller local infrastructures this requirement cannot always be met all the time; for example, in the current situation of the pandemic many companies obligate administrators to work remotely. Upon closer inspection of the sketched MFA example configuration, the physical token offers no proof of possession from the point of view of the HSM: since the token cannot penetrate the security perimeter of the HSM without tampering with it, the HSM cannot prove the actual possession of the token. The Ontology for Authentication by Kim Schaffer implies that PIN-protected smart cards are in fact a form of MFA. Therefore IBM proposes that using a smart card (as a hardware device) that requires a PIN to unlock the keys within the smart card constitutes MFA, where the smart card is something you have and the keys are something you know. This proposal is an elegant solution that meets both the MFA requirements and the necessity for remote administration.
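As an added illustration (not part of the presentation or of any IBM product) of the proposed scheme, the model below shows how an HSM can verify possession of a PIN-unlocked smart card over a remote challenge-response exchange without any physical access: the HSM only ever sees a response to a fresh nonce, and the card only produces that response once the operator has supplied the correct PIN. For simplicity the card-resident key is modelled as an HMAC secret shared with the HSM rather than an asymmetric signing key; the class names, PIN, key material and retry limit are constructed assumptions.

```python
import hashlib
import hmac
import secrets


class SmartCard:
    """Constructed model of a PIN-protected card: the key never leaves it."""
    MAX_PIN_TRIES = 3  # assumed retry limit before the card blocks itself

    def __init__(self, pin: str, key: bytes):
        self._pin_hash = hashlib.sha256(pin.encode()).digest()
        self._key = key
        self._tries_left = self.MAX_PIN_TRIES
        self._blocked = False

    def verify_pin(self, pin: str) -> bool:
        """Something you know: unlocks the key, with lockout after repeated failures."""
        if self._blocked:
            return False
        if hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), self._pin_hash):
            self._tries_left = self.MAX_PIN_TRIES
            return True
        self._tries_left -= 1
        self._blocked = self._tries_left == 0
        return False

    def respond(self, pin: str, challenge: bytes):
        """Something you have: only an unlocked card can answer the HSM's nonce."""
        if not self.verify_pin(pin):
            return None
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class HSM:
    """Verifier side: never touches the card, only checks the nonce response."""

    def __init__(self, operator_keys: dict):
        self._keys = operator_keys          # operator name -> enrolled card key
        self._pending = {}                  # one outstanding nonce per operator

    def issue_challenge(self, operator: str) -> bytes:
        nonce = secrets.token_bytes(32)     # fresh per login, defeats replay
        self._pending[operator] = nonce
        return nonce

    def verify_response(self, operator: str, response) -> bool:
        nonce = self._pending.pop(operator, None)   # single use
        if nonce is None or response is None or operator not in self._keys:
            return False
        expected = hmac.new(self._keys[operator], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def remote_login(hsm: HSM, card: SmartCard, operator: str, pin: str) -> bool:
    """Full exchange as it would run over the network between admin and HSM."""
    challenge = hsm.issue_challenge(operator)
    return hsm.verify_response(operator, card.respond(pin, challenge))
```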