multi-factor sftp: Updated Thu, 29 Sep 2022 11:36:58 GMT

Can static IP address be used as a component of MFA?

Can I use static IP address as a component of 2 factor authentication for SFTP login?

Solution

The traditional factors used for MFA are:

Something you know.
Something you have.
Something you are.

But location ("somewhere you are") is also sometimes considered as a fourth factor - which could include a static IP address.

But your question shouldn't really be "can it be used as a component of MFA?", it should be "does it provide the security I need?". And that will depend on both the context of your application, and on exactly how trusted the IP address is.

The main problem with using an IP address is that it doesn't represent a person, it represents a network. And if that's a corporate network, it could have hundreds of people on, who all come from the same public IP address using NAT. It could also include an open guest wireless network that anyone near the building can use.

Is that acceptable for your security requirements?

Comments (1)

+0 – There are several problems with this answer. There are 5 MFA factors. Factors do not provide security; they provide factors of trust. The IP doesn't need to represent a person but a factor of trust, which can legitimately be a network. I think what you wanted to say is that it is a question of whether the factor is refined enough in this use case and the nature of the IP is sufficiently understood to function as an acceptable trust factor. — Aug 04, 2022 at 08:08

References

https://security.stackexchange.com/questions/263865