Abstract:Since the introduction of bcrypt in 1999, adaptive password hashing functions, whereby brute-force resistance increases symmetrically with computational difficulty for legitimate users, have been our most powerful post-breach countermeasure against credential disclosure. Unfortunately, the relatively low tolerance of users to added latency places an upper bound on the deployment of this technique in most applications. In this paper, we present a multi-factor credential hashing function (MFCHF) that incorporates the additional entropy of multi-factor authentication into password hashes to provide asymmetric resistance to brute-force attacks. MFCHF provides full backward compatibility with existing authentication software (e.g., Google Authenticator) and hardware (e.g., YubiKeys), with support for common usability features like factor recovery. The result is a 10^6 to 10^48 times increase in the difficulty of cracking hashed credentials, with little added latency or usability impact.
What problem does this paper attempt to address?
### What problems does this paper attempt to solve?
This paper aims to solve two major problems that existing password hashing mechanisms face when resisting brute - force attacks:
1. **Limitations of Symmetric Brute - Force Resistance**:
- Since the introduction of adaptive hash functions such as bcrypt, although they increase the difficulty of brute - force attacks by increasing computational complexity, this increase is **symmetric**, that is, the time for users to perform legitimate verification will also increase accordingly. Due to the low tolerance of users for latency, this limits the scope of use of these techniques in practical applications.
- Specifically, although adaptive hash functions (such as bcrypt, Argon2) can significantly increase the difficulty of brute - force attacks, because users are unwilling to wait a long time for login verification, the computational complexity cannot be increased without limit.
2. **Under - utilization of Multi - Factor Authentication (MFA)**:
- Multi - factor authentication (such as HOTP, TOTP, OOBA, etc.) increases the entropy of authentication, but currently this additional entropy has not been integrated into the password hash, thus failing to further increase the difficulty of brute - force attacks.
- The existing multi - factor authentication mechanisms are independent of password hashing and do not fully utilize the additional security provided by MFA.
### The method proposed in the paper
To solve the above problems, the paper proposes the **Multi - Factor Credential Hash Function (MFCHF)**, which has the following main features:
- **Asymmetric Brute - Force Resistance**: By integrating the entropy of multi - factor authentication into the password hash, MFCHF can significantly increase the difficulty of brute - force attacks without increasing the user verification time. Experimental results show that hashing based on MFCHF is 10^6 to 10^48 times more difficult to crack than hashing using Argon2 alone.
- **Backward Compatibility**: MFCHF is fully compatible with existing authentication software (such as Google Authenticator) and hardware (such as YubiKeys), and supports common usability features such as factor recovery.
- **Static Processing of Dynamic Factors**: The paper solves the problem of how to convert dynamic one - time passwords (such as HOTP, TOTP) into static inputs, so that these dynamic factors can be utilized in the hashing process without affecting the normal login experience of users.
### Summary
The main goal of the paper is to enhance the security of password hashing by integrating the entropy of multi - factor authentication, providing asymmetric brute - force resistance, while keeping the user experience unaffected. This not only improves the security of the system but also provides a new direction for future security research.