The Multi-Factor Key Derivation Function (MFKDF) is a function that takes multiple inputs and outputs a string of bytes that can be used as a cryptographic key. It serves the same purpose as a password-based key derivation function (PBKDF), but is stronger than password-based key derivation due to its support for multiple authentication factors, including HOTP, TOTP, and hardware tokens like YubiKey. MFKDF also enables self-service account recovery via K-of-N (secret-sharing style) key derivation, eliminating the need for central recovery keys, and supports arbitrarily complex key derivation policies.
23
+
The Next-Generation Multi-Factor Key Derivation Function (MFKDF2) is a function that takes multiple inputs and outputs a string of bytes that can be used as a cryptographic key. It serves the same purpose as a password-based key derivation function (PBKDF), but is stronger than password-based key derivation due to its support for multiple authentication factors, including HOTP, TOTP, and hardware tokens like YubiKey. MFKDF2 also enables self-service account recovery via K-of-N (secret-sharing style) key derivation, eliminating the need for central recovery keys, and supports arbitrarily complex key derivation policies. It builds on the now-deprecated original MFKDF.
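Review bot: The new closing sentence on line 23, "It builds on the now-deprecated original MFKDF.", announces the deprecation but gives users of the original library no pointer to what changes for them. Consider referring to the breaking-changes list added further down in this change, so a reader landing on the introduction can find the migration-relevant differences.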
MFKDF2 retains as much backwards-compatibility as possible with the original MFKDF API, but makes the following breaking changes compared to the original MFKDF:
82
+
83
+
- Removed ISO key-based authentication, we recommend use of MFCHF2 instead
84
+
- Removed support for enveloped secrets and keys, we recommend deriving sub-keys or using external secret storage
85
+
- Removed support for KDFs other than argon2id; any argon2 params higher than (but not lower than) OWASP defaults are supported
86
+
- Removed support for custom key sizes; derived keys are always 256 bits, and can be stretched or truncated from there
87
+
88
+
Additionally, we've made a number of major security and feature improvements, including:
89
+
90
+
- A number of security improvements, including share encryption, policy integrity, and per-factor salting
91
+
- Key derivation parameters can be hardened over time without changing the key
92
+
- Support for Passkeys as a factor via the WebAuthn PRF extension
93
+
- Support for deriving passwords from an MFKDF2-derived key (via MFDPG2)
94
+
- Optional support for timing oracles to harden TOTP factor construction
95
+
96
+
In general, MFKDF2 is more **opinionated** than the original MFKDF, with the goal of being more secure by default and making insecure design decisions harder, at the cost of some flexibility. It also focuses on key derivation has less anscillary features, offloading cryptographic use of derived keys to external libraries in order to improve this library's auditability and reduce its attack surface. As a result, it also removes many problematic dependencies from the original MFKDF library.
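Review bot: Line 96 has a grammar slip and a typo: "It also focuses on key derivation has less anscillary features" should read along the lines of "It also focuses on key derivation and has fewer ancillary features". On line 85, "any argon2 params higher than (but not lower than) OWASP defaults" leaves the enforced floor undefined for the reader; state the minimum values or link the OWASP reference being used. Lines 83 and 84 join two clauses with a comma where lines 85 and 86 use a semicolon, so a semicolon there would be consistent. MFCHF2 (line 83) and MFDPG2 (line 93) are named without a link or a one-line description.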
MFKDF2 retains as much backwards-compatibility as possible with the original MFKDF API, but makes the following breaking changes compared to the original MFKDF:
4
+
5
+
- Removed ISO key-based authentication, we recommend use of MFCHF2 instead
6
+
- Removed support for enveloped secrets and keys, we recommend deriving sub-keys or using external secret storage
7
+
- Removed support for KDFs other than argon2id; any argon2 params higher than (but not lower than) OWASP defaults are supported
8
+
- Removed support for custom key sizes; derived keys are always 256 bits, and can be stretched or truncated from there
9
+
10
+
Additionally, we've made a number of major security and feature improvements, including:
11
+
12
+
- A number of security improvements, including share encryption, policy integrity, and per-factor salting
13
+
- Key derivation parameters can be hardened over time without changing the key
14
+
- Support for Passkeys as a factor via the WebAuthn PRF extension
15
+
- Support for deriving passwords from an MFKDF2-derived key (via MFDPG2)
16
+
- Optional support for timing oracles to harden TOTP factor construction
17
+
18
+
In general, MFKDF2 is more **opinionated** than the original MFKDF, with the goal of being more secure by default and making insecure design decisions harder, at the cost of some flexibility. It also focuses on key derivation has less anscillary features, offloading cryptographic use of derived keys to external libraries in order to improve this library's auditability and reduce its attack surface. As a result, it also removes many problematic dependencies from the original MFKDF library.
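Review bot: Lines 4 to 18 repeat word for word the text added at lines 82 to 96, including the "has less anscillary features" slip, here on line 18. If this is a second copy of the same section, consider keeping the breaking-changes and improvements lists in one place and linking to them from the other, so the two copies cannot drift apart. Otherwise apply the same wording fixes here.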