63 lines
2.1 KiB
Markdown
63 lines
2.1 KiB
Markdown
---
|
||
title: "Multi-factor Authentication (MFA)"
|
||
type: concept
|
||
tags: [cloud-computing, security, identity]
|
||
date: 2025-03-02
|
||
---
|
||
|
||
# Multi-factor Authentication (MFA)
|
||
|
||
**MFA**(多因素认证)是云安全的基础机制,通过验证两个或多个独立身份凭证来确认用户身份,防止未经授权的访问。
|
||
|
||
## Definition
|
||
|
||
多因素认证要求用户提供两种或以上的身份验证因素:
|
||
1. **知识因素**(Something you know):密码、PIN
|
||
2. **持有因素**(Something you have):手机、硬件令牌
|
||
3. **固有因素**(Something you are):指纹、面部识别
|
||
|
||
## MFA Methods
|
||
|
||
| Method | Type | Security Level |
|
||
|--------|------|---------------|
|
||
| **SMS OTP** | 持有因素 | 中 |
|
||
| **TOTP** (Google Authenticator, Authy) | 持有因素 | 高 |
|
||
| **Hardware Token** (YubiKey) | 持有因素 | 极高 |
|
||
| **Biometrics** | 固有因素 | 高 |
|
||
| **Push Notification** | 持有因素 | 高 |
|
||
| **Adaptive/ Risk-based MFA** | 组合 | 极高 |
|
||
|
||
## Cloud Provider Support
|
||
|
||
| Provider | MFA Support |
|
||
|----------|------------|
|
||
| **AWS** | MFA via IAM, supports hardware tokens, virtual MFA, SMS |
|
||
| **Azure** | Azure AD MFA, Conditional Access, passwordless (FIDO2) |
|
||
| **Google Cloud** | 2FA, Security Keys, Google Prompt |
|
||
|
||
## Cloud Myths Context
|
||
|
||
MFA 是反驳"云不安全"误解的核心机制之一:
|
||
- 云平台强制或推荐 MFA,显著降低账户被盗风险
|
||
- 云 MFA 实现比大多数本地系统更先进(自适应、条件访问)
|
||
- 云服务商的 MFA 通常免费或低成本提供
|
||
|
||
## Best Practices
|
||
|
||
- **强制 MFA**:对所有用户强制启用 MFA
|
||
- **优先无密码**:FIDO2/WebAuthn 优于传统 OTP
|
||
- **条件访问**:高风险操作触发额外验证
|
||
- **保护特权账户**:Admin 账户必须使用硬件令牌
|
||
- **账户恢复**:安全的 MFA 恢复机制
|
||
|
||
## Related Concepts
|
||
|
||
- [[cloud-security]] — 云安全
|
||
- [[Identity-and-Access-Management]] — 身份与访问管理
|
||
- [[Zero-Trust]] — 零信任
|
||
- [[cloud-computing]] — 云计算
|
||
|
||
## Sources
|
||
|
||
- [[The Myths and Misconceptions About Cloud Computing (LinkedIn)|sources/the-myths-and-misconceptions-about-cloud-computing-linkedin]]
|