Exploring Full Disk Encryption and Multi-Factor Authentication

The problem is that most multi-factor authentication methods are just that: authentication. They often require some code to verify the validity of the token or information you present.

However, with disk encryption your password is the actual encryption key. There is no gatekeeper involved; either your key decrypts the data or it doesn’t.

I have used the Yubikey’s static password feature, which lets you create a 32-character password. That is nice, but like you said there really is not a true “what you have” going on there; it is still just a static password that could be intercepted and entered without the physical token present.

You could probably find a way to do true two-factor authentication using an HSM that does actual authentication (such as requiring you to enter a PIN) or you could store a keyfile on a device that provides two-factor authentication. But ultimately all you are doing is providing a longer password or static keyfile.
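To make the point concrete, here is an added example (not code from the original post or from any disk-encryption product) of what the comment describes: the decryptor has no gatekeeper, it only derives a key from whatever bytes are presented and checks whether that key verifies. The passphrase, salt, "token" string and sector contents are constructed sample values; the cipher is a deliberately simple stdlib-only construction (PBKDF2 key derivation, HMAC-SHA256 in counter mode plus an HMAC tag) chosen so the example runs offline, not the construction a real FDE system uses.

```python
import hashlib
import hmac
import os

# Illustrative stdlib-only construction, not production crypto:
#   key derivation : PBKDF2-HMAC-SHA256 over passphrase || 0x00 || keyfile
#   confidentiality: HMAC-SHA256(enc_key, nonce || counter) used as a keystream
#   integrity      : HMAC-SHA256(mac_key, nonce || ciphertext)
PBKDF2_ITERATIONS = 100_000


def derive_keys(passphrase, keyfile=b"", salt=b""):
    """Turn whatever the user presents (passphrase plus an optional keyfile,
    e.g. a token's static string) into one 64-byte secret, split into an
    encryption key and a MAC key.  The output is a pure function of the input
    bytes: no challenge, no counter, nothing that proves a device was present."""
    material = passphrase.encode("utf-8") + b"\x00" + keyfile
    out = hashlib.pbkdf2_hmac("sha256", material, salt, PBKDF2_ITERATIONS, dklen=64)
    return out[:32], out[32:]


def _keystream(enc_key, nonce, length):
    """Counter-mode keystream built from HMAC-SHA256 blocks."""
    stream = b""
    counter = 0
    while len(stream) < length:
        block_input = nonce + counter.to_bytes(8, "big")
        stream += hmac.new(enc_key, block_input, hashlib.sha256).digest()
        counter += 1
    return stream[:length]


def encrypt_volume(plaintext, passphrase, keyfile=b""):
    """Return salt || nonce || ciphertext || tag for one 'sector' of data."""
    salt = os.urandom(16)
    nonce = os.urandom(16)
    enc_key, mac_key = derive_keys(passphrase, keyfile, salt)
    ks = _keystream(enc_key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag


def decrypt_volume(blob, passphrase, keyfile=b""):
    """Return the plaintext, or None if the derived key does not verify.
    There is no policy decision here: the key either checks out or it does not."""
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = derive_keys(passphrase, keyfile, salt)
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    ks = _keystream(enc_key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def scenario():
    """Constructed walk-through: a passphrase plus a token's static 32-char
    string, and what happens in each case when the volume is unlocked."""
    passphrase = "correct horse battery staple"          # constructed sample
    token_static = b"Kq7rT2xWpLd9sVbN4hJmZ8cFyG3uEaXt"    # constructed, stands in for a static-password token
    sector = b"header:ext4 root volume (constructed)"    # constructed sample data

    blob = encrypt_volume(sector, passphrase, token_static)

    # A copy of the static string, as an attacker who intercepted it would hold it.
    # It is byte-identical, so the decryptor cannot tell it from the real token.
    captured_copy = bytes(token_static)

    return {
        "correct": decrypt_volume(blob, passphrase, token_static),
        "wrong_passphrase": decrypt_volume(blob, "wrong passphrase", token_static),
        "token_missing": decrypt_volume(blob, passphrase, b""),
        "captured_static_string": decrypt_volume(blob, passphrase, captured_copy),
        "expected_sector": sector,
    }


if __name__ == "__main__":
    for name, result in scenario().items():
        print(f"{name:24s} -> {result!r}")
```

The last two entries are the crux of the comment: omitting the token's string fails exactly like a wrong passphrase, but a copy of that string succeeds without the device, because the key is derived from bytes rather than from an interactive proof of possession. Combining a passphrase with a keyfile simply lengthens the static secret.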
