Multi-Factor Key Derivation Function (MFKDF) for Fast, Flexible, Secure, & Practical Key Management
Vivek Nair, Dawn Song

TL;DR
This paper introduces a novel Multi-Factor Key Derivation Function (MFKDF) that enhances security by integrating multiple authentication factors into key derivation, enabling secure, flexible, and practical key management with minimal performance impact.
Contribution
It presents the first general construction of MFKDF supporting various authentication factors, threshold-based key recovery, and policy enforcement through key stacking, advancing secure user data protection.
Findings
Exponential security improvement over traditional PBKDFs.
Supports multiple authentication factors like TOTP, HOTP, and hardware tokens.
Enables new applications with enhanced security and usability.
Abstract
We present the first general construction of a Multi-Factor Key Derivation Function (MFKDF). Our function expands upon password-based key derivation functions (PBKDFs) with support for using other popular authentication factors like TOTP, HOTP, and hardware tokens in the key derivation process. In doing so, it provides an exponential security improvement over PBKDFs with less than 12 ms of additional computational overhead in a typical web browser. We further present a threshold MFKDF construction, allowing for client-side key recovery and reconstitution if a factor is lost. Finally, by "stacking" derived keys, we provide a means of cryptographically enforcing arbitrarily specific key derivation policies. The result is a paradigm shift toward direct cryptographic protection of user data using all available authentication factors, with no noticeable change to the user experience. We…
Taxonomy
Topics: User Authentication and Security Systems · Advanced Authentication Protocols Security · Cryptographic Implementations and Security
