21 Test: Can You Spot the Vulnerabilities?

This chapter is broken down into two main sections. It starts by showing how to quickly threat model any MFA solution and then walks through an example of threat modeling a very solid, secure, real-world MFA solution. It is intended for use by MFA developers or by buyers considering an MFA solution.

Threat Modeling MFA Solutions

Every MFA solution can be hacked. But how? Although you can take a haphazard approach to figuring out the potential vulnerabilities and weaknesses of a particular MFA solution, going in with a proven plan and process usually ends up being more efficient and inclusive.

Here are my basic threat-modeling summary stages:

  1. Document and diagram the components.
  2. Brainstorm potential attacks.
  3. Estimate risk and potential losses.
  4. Create and test mitigations.
  5. Do security reviews.

Each threat-modeling stage has many steps, processes, and tools associated with it. I'll cover some of them in more detail in this chapter—although, to be clear, I'm going to do it very fast. Really, it would take a multiday class or a book devoted to the topic to best understand how to perform a thorough threat-modeling risk management analysis.

Document and Diagram the Components

You can't threat-model ...
