MFKDF2, MFCHF2, & MFDPG2: Next-Generation Multifactor Entropy Stack

2025-06-06

The landscape of digital security is constantly evolving. We are pleased to introduce MFKDF2, MFCHF2, and MFDPG2: novel, user-centric cryptographic primitives developed to address persistent challenges in authentication and account security. This post will detail our vision for this technology, explain the problems these new technologies aim to solve, describe the innovative components of the stack, and outline our development roadmap. Our goal is to define what users can expect as we endeavor to build a more secure future for digital identity.

Why Multifactor?

Contemporary account security for web and on-device applications often relies on outdated methodologies. Accounts are largely secured by passwords, which can be inherently weak and are frequently reused. These passwords are often supplemented with two-factor authentication (2FA) methods, such as SMS, email, time-based signals, or hardware tokens. While beneficial, these 2FA approaches do not always address fundamental system vulnerabilities. Even with the increasing adoption of password managers and the emergence of passkeys, several critical issues persist.

  • Password Vulnerabilities: Weak or compromised passwords represent a significant attack vector. Password managers can facilitate the use of stronger passwords, but their own security is a critical dependency.
  • Limitations of 2FA: Certain 2FA methods can be susceptible to phishing or social engineering attacks. Furthermore, user adoption of 2FA is not always consistent. Likewise, 2FA credentials are often stored on the server, which introduces a single point of failure and a potential security risk.
  • Master Key Risks: The storage of a master key on a server for account recovery or updates can introduce a single point of failure. This presents a considerable security risk.
  • Password Hash Leakage: The leakage of password hashes, even in salted and hashed form, can enable password reuse and other sophisticated attacks.
  • Passkey Adoption Challenges: Passkeys, while a promising technology, are not yet universally adopted. Their reliance on user-managed cryptographic keys also introduces distinct usability and security considerations, a challenge also present in cryptocurrency wallet management. We nevertheless see passkeys as a promising technology and want to support them as well.

Modern users require seamless and secure access to their accounts across a multitude of devices and platforms. There is also a growing need for users to securely share account access with trusted individuals, such as family, friends, or colleagues, and to be able to revoke that access later on. This is essential for collaboration or for emergency account recovery, without necessitating the surrender of full account control. Existing systems often render these legitimate requirements cumbersome or insecure.

The Multifactor Entropy Stack, consisting of MFKDF2, MFCHF2, and MFDPG2, is engineered to be a comprehensive solution to these challenges. It is not merely an incremental improvement but represents a foundational shift in approaching digital trust. This system intelligently combines multiple authentication factors. It delivers robust security that is both highly effective and designed for ease of use. For the end-user, the experience is intended to be familiar and intuitive; one should not even notice the difference. Underlying this user experience, their accounts will benefit from a significant enhancement in security.

If your organization is contending with these security issues, or if you are seeking a modern authentication framework, we encourage you to contact us at [email protected].

What is the Multifactor Entropy Stack?

The Multifactor Entropy Stack comprises a suite of synergistic, open-source components. These components are engineered to provide advanced security and operational flexibility. The core elements of this stack are as follows:

  • MFKDF2 (Multi-Factor Key Derivation Function, Version 2.0): This is the primary engine for deriving cryptographic keys. It utilizes multiple sources of entropy, governed by a flexible, user-defined policy.
  • MFCHF2 (Multi-Factor Credential Hashing Function, Version 2.0): This component introduces an innovative method for hashing entire authentication policies. This contrasts with traditional approaches that hash only individual credentials.
  • MFDPG2 (Multi-Factor Deterministic Password Generator, Version 2.0): This function enables the integration of modern multifactor security principles with legacy systems. It is particularly useful for applications that still necessitate password-based authentication.

Currently, we're pursuing development of the Multifactor Entropy Stack in Rust. This new version incorporates the latest security enhancements and performance optimizations.

Core Philosophy: The Power of Policy

Central to the Multifactor Entropy Stack is a unique multi-factor key derivation algorithm. This unified framework underpins the functionality of MFKDF2, MFCHF2, and MFDPG2. Instead of relying on a fixed, predetermined set of authentication factors, Multifactor empowers users to define a policy. A policy is a completely customizable set of rules that dictates the derivation of an underlying seed value. This seed value is subsequently used to generate cryptographic keys, hashes, or passwords. This policy-driven approach offers unprecedented flexibility in several key areas:

  • Factor Granularity: Users can define any number of required factors (e.g., one, two, three). Alternatively, they can implement sophisticated threshold schemes (e.g., requiring two out of three available factors, or three out of five, etc.).
  • Diverse Factor Types: The system supports a wide array of authentication methods. These include passwords, passkeys, SMS/email One-Time Passwords (OTPs), time-based signals (TOTP), hardware tokens, Near Field Communication (NFC), Quick Response (QR) codes, Radio-Frequency Identification (RFID), geolocation data, and more.
  • Sophisticated Logic: Factors can be combined using various logical operators, such as AND and OR. This allows for the creation of highly tailored and context-aware authentication flows.
  • Secure Factor Sharing: Policies can be designed to facilitate the secure sharing of authentication factors. This can be with other users, devices, or accounts, enabling robust mechanisms for account recovery and delegated access.

We are committed to providing both client-side and cloud-based implementations of these components. Organizations will be able to leverage the Multifactor Entropy Stack in a completely self-hosted environment if they wish, but the cloud service is designed to provide additional benefits. These benefits include:

  • Enhanced Timing Oracle Protection: This feature will further fortify systems against sophisticated side-channel attacks.
  • Reliable and Resilient Policy Storage: This will ensure that authentication policies are consistently available and securely managed.
  • Simplified Integration and Management: The cloud service will aim to streamline the deployment and ongoing operational management of the Multifactor Entropy Stack. (We are actively exploring further unique advantages for the cloud offering.)

As a public benefit company, our dedication to security and accessibility dictates that all core components of the Multifactor Entropy Stack will be open source. They will be available in a variety of programming languages, including Rust, JavaScript/TypeScript, Python, C, C++, and Go. We believe that this open and collaborative approach is fundamental to building a more secure digital future.

The Components

Our stack is composed of several key technologies, each addressing a critical aspect of modern authentication and security.

MFKDF & MFKDF2: Next-Generation Key Derivation

MFKDF (Multifactor Key Derivation Function) represents the original version of our key derivation scheme. It was the foundational element upon which the Multifactor concept was first implemented. During 2024, a thorough review process identified a number of minor security considerations pertaining to this initial MFKDF specification. It is important to note that this original version was intentionally never deployed in production environments. We have comprehensively addressed each of these identified issues. The result of these enhancements is MFKDF2, the current-generation, production-ready iteration of our key derivation function. The stack, with MFKDF2 at its core, is now robust and prepared for widespread production usage.

Cryptographic keys derived by MFKDF2 are of fundamental importance across numerous security-sensitive domains. The robust and flexible nature of MFKDF2 allows for its application in diverse scenarios:

  • Authentication: Generating keys for verifying user identities in online accounts, corporate systems, and other access-controlled environments (e.g., building access, Wi-Fi access, etc.).
  • Encryption: Deriving keys for data-at-rest encryption, such as securing files, documents, and database entries.
  • Digital Signing: Creating keys for ensuring data integrity and authenticity through digital signatures for documents, code, and communications.
  • Cryptocurrency Wallets: Generating and protecting private keys for cryptocurrency wallets, enhancing their security against theft and loss through social recovery and multi-signature-like mechanisms.
  • Password Management: Enabling the secure storage of encrypted passwords and passkeys within password management systems.

Let us explore several pertinent applications, including a commercial scenario that illustrates the tiered access capabilities of MFKDF2.

Secure Digital Signatures

For digital signatures used for documents, code, or communications, MFKDF2 provides enhanced private key generation and protection mechanisms. Policies can be designed to require multiple factors before a signature can be derived or used, significantly mitigating risks of theft or unauthorized access. This applies not only to the above use cases, but also to cryptocurrency wallets and other systems managing high-value digital assets.

Tiered Access Control

Consider a corporation requiring differentiated access levels to sensitive documents, communication channels, or physical resources, including building entry. MFKDF2 can be employed to derive distinct cryptographic keys based on the specific combination of authentication factors presented by an individual. This policy-driven approach means that access privileges can be dynamically and granularly controlled. Furthermore, due to the updatable nature of these policies, an organization can reassign team members between access groups with immediate effect. This significantly streamlines the administration of user permissions and access rights.

MFKDF2 can also apply at the physical level. For example, a company could use MFKDF2 to derive the key for a building access system, so that unlocking a door or other physical access point requires a combination of factors such as a keycard, a fingerprint, and a PIN rather than a keycard alone. For Wi-Fi access, employees' phones could hold factor shares bound purely to the phone's hardware and location.

End-to-End Encrypted Communication

A related application involves the development of tiered end-to-end encrypted (E2EE) communication platforms. For instance, a system analogous to Discord could use MFKDF2-derived keys to enforce role-based access to specific encrypted channels. Only users possessing the correct set of factors, as defined by the policy for a given channel, would be able to derive the necessary decryption key.

Creative Use Cases

While MFKDF2 excels in these robust cryptographic applications, its flexibility also lends itself to more creative use cases. One might envision a scenario where a unique key, granting access to exclusive digital content, is derivable only when a group of individuals convenes at a specific time and location. This effectively creates a "digital secret handshake," performable only by the designated group under the prescribed conditions. This demonstrates the capacity of MFKDF2 to support novel interaction models based on conditional key derivation.

MFCHF: Holistic Credential Hashing

MFCHF (MultiFactor Credential Hashing Function) addresses a critical vulnerability in traditional server-side credential storage. Currently, servers often store a credential hash (e.g., generated by bcrypt, scrypt, or Argon2) alongside separate data for other authentication factors, such as a Time-based One-Time Password (TOTP) secret key. This separation creates a significant risk. If a server is compromised and its database is leaked, an attacker may gain access to this auxiliary credential data. Such a breach can render secondary authentication factors ineffective, undermining the entire multifactor authentication strategy.

MFCHF provides a robust solution to this problem. It enables the server to store a single cryptographic hash that represents the entire authentication policy, including all its constituent factors. Instead of disparate hashes or secrets for different factors, the server maintains one holistic hash encompassing the user's complete authentication setup. Consequently, if this MFCHF-generated credential hash is leaked, an attacker is faced with a much more formidable challenge. They must discover a valid combination of credentials satisfying the complete authentication policy, rather than merely exploiting a leaked TOTP key or similar individual factor. This approach significantly enhances security posture, ensuring that a database breach alone does not defeat the user's secondary factors. MFCHF effectively ties all authentication factors to a single, resilient cryptographic proof. Because it is built on the Multifactor scheme, it can be updated without a master key or any other single point of failure. This is a significant improvement over the current state of the art.
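To make the policy-driven derivation of the "Power of Policy" section and the holistic hashing described above concrete, here is an added toy implementation (not the MFKDF2 or MFCHF2 code, and not the project's actual construction) of a 2-of-3 threshold policy: each factor is stretched with PBKDF2 into a pad that hides one Shamir share of a random seed, any two correct factors recover the seed and therefore the key, and the server keeps only the public policy plus one hash of that key, so a leaked record yields no usable per-factor secret on its own. The factor names, the field prime, the iteration count and the sample credentials are constructed for this illustration; rolling OTP codes would need per-window handling that this toy omits.

```python
import hashlib
import secrets

P = 2**127 - 1    # prime field for the toy secret-sharing step; every share fits in 16 bytes
SHARE_BYTES = 16

def factor_material(name: str, value: str, salt: bytes) -> bytes:
    """Stretch one factor into a 16-byte pad; every factor gets its own salt."""
    return hashlib.pbkdf2_hmac("sha256", f"{name}:{value}".encode(), salt, 20_000, SHARE_BYTES)

def split_secret(secret: int, threshold: int, count: int) -> list[tuple[int, int]]:
    """Shamir split: a random degree-(threshold-1) polynomial evaluated at x = 1..count."""
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    return [(x, sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P)
            for x in range(1, count + 1)]

def combine_shares(shares: list[tuple[int, int]]) -> int:
    """Lagrange interpolation at x = 0 rebuilds the secret from `threshold` shares."""
    total = 0
    for xj, yj in shares:
        num = den = 1
        for xm, _ in shares:
            if xm != xj:
                num, den = num * (-xm) % P, den * (xj - xm) % P
        total = (total + yj * num * pow(den, -1, P)) % P
    return total

def key_from_seed(seed: int) -> bytes:
    return hashlib.sha256(seed.to_bytes(SHARE_BYTES, "big")).digest()

def setup_policy(factors: dict[str, str], threshold: int) -> tuple[dict, bytes]:
    """Per factor the policy keeps its x coordinate, a salt and the share XOR-padded with the
    factor's material; the factor values themselves (password, token, ...) are never stored."""
    seed = secrets.randbelow(P)
    policy = {"threshold": threshold, "factors": {}}
    for (name, value), (x, y) in zip(factors.items(), split_secret(seed, threshold, len(factors))):
        salt = secrets.token_bytes(16)
        pad = int.from_bytes(factor_material(name, value, salt), "big")
        policy["factors"][name] = {"x": x, "salt": salt.hex(),
                                   "padded": (y ^ pad).to_bytes(SHARE_BYTES, "big").hex()}
    return policy, key_from_seed(seed)

def derive_key(policy: dict, presented: dict[str, str]) -> bytes:
    """Any `threshold` correct factors rebuild the seed; a wrong value gives a wrong key, not an error."""
    if len(presented) < policy["threshold"]:
        raise ValueError("not enough factors for this policy")
    shares = []
    for name, value in list(presented.items())[: policy["threshold"]]:
        entry = policy["factors"][name]
        pad = int.from_bytes(factor_material(name, value, bytes.fromhex(entry["salt"])), "big")
        shares.append((entry["x"], int.from_bytes(bytes.fromhex(entry["padded"]), "big") ^ pad))
    return key_from_seed(combine_shares(shares))

def mfchf_record(policy: dict, key: bytes) -> dict:
    """Server record: the public policy plus ONE hash of the derived key (no stored TOTP seed etc.)."""
    return {"policy": policy, "hash": hashlib.sha256(b"mfchf-toy|" + key).hexdigest()}

def mfchf_verify(record: dict, presented: dict[str, str]) -> bool:
    """Login check: the single hash matches only if the presented factors satisfy the whole policy."""
    try:
        key = derive_key(record["policy"], presented)
    except ValueError:
        return False
    return secrets.compare_digest(record["hash"], hashlib.sha256(b"mfchf-toy|" + key).hexdigest())
```

With three constructed factors (password, token, recovery code) and a threshold of two, any pair derives the same key, while a record leaked from the server contains neither the factor values nor anything that validates one factor by itself.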

MFDPG: Bridging to Legacy Systems

MFDPG (MultiFactor Deterministic Password Generator) offers a practical solution for integrating the Multifactor security model with existing applications that still rely on traditional password-based authentication. This component functions as a deterministic password generator. It can generate complex passwords that adhere to a predefined set of requirements (e.g., length, character sets) based on the Multifactor policy. This capability is particularly valuable for enabling password managers or other client applications to interface with legacy systems. It allows them to supply a password that is derived from a strong Multifactor policy, rather than a conventionally stored or user-generated password. This means existing applications can benefit from the enhanced security of the Multifactor approach without requiring modifications to their underlying authentication code.

Advanced Password Management

When MFDPG is used in conjunction with MFKDF2, it enables a highly secure and flexible password management paradigm. Users can interact with their password manager in a familiar way. However, when a password is required for a service, it is generated on-demand by MFDPG based on the user's Multifactor policy. Crucially, the passwords themselves are never stored locally on the user's device or in the password manager's vault. Only the policy for deriving these passwords is stored. This significantly reduces the attack surface, as there are no password databases to steal or individual passwords to be compromised from local storage.
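As an added illustration of the MFDPG role described in the two paragraphs above (not the project's own algorithm), the following code derives a site-specific password on demand from a policy-derived key, meeting a constructed requirement set (length and character classes) without modulo bias, so only the policy, never the password, has to be stored. The key bytes, the site label and the character-class requirements are constructed for this example.

```python
import hashlib
import hmac
import string

# Constructed requirement set standing in for a legacy site's password rules.
CLASSES = {"lower": string.ascii_lowercase, "upper": string.ascii_uppercase,
           "digit": string.digits, "symbol": "!@#$%^&*-_=+"}

def byte_stream(key: bytes, label: bytes):
    """Deterministic HMAC counter-mode stream keyed by the policy-derived key and a site label."""
    counter = 0
    while True:
        yield from hmac.new(key, label + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1

def uniform_below(stream, n: int) -> int:
    """Rejection sampling on single bytes: uniform in [0, n) with no modulo bias (n <= 256)."""
    limit = 256 - (256 % n)
    while True:
        b = next(stream)
        if b < limit:
            return b % n

def generate_password(key: bytes, site: str, length: int = 16, classes: dict = CLASSES) -> str:
    """Same key and site always give the same password; a different site gives an unrelated one.
    One character from each required class is drawn first, the rest from the union of all classes,
    then positions are shuffled (Fisher-Yates) from the same stream so mandatory characters land anywhere."""
    if not 0 < len(classes) <= length <= 256:
        raise ValueError("length incompatible with the required character classes")
    stream = byte_stream(key, b"mfdpg-toy|" + site.encode())
    chars = [alphabet[uniform_below(stream, len(alphabet))] for alphabet in classes.values()]
    union = "".join(classes.values())
    chars += [union[uniform_below(stream, len(union))] for _ in range(length - len(chars))]
    for i in range(len(chars) - 1, 0, -1):
        j = uniform_below(stream, i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)

def meets_requirements(password: str, length: int = 16, classes: dict = CLASSES) -> bool:
    """The check a legacy site might apply: exact length and at least one character of every class."""
    return len(password) == length and all(any(c in alphabet for c in password)
                                           for alphabet in classes.values())
```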

Client & Cloud Architecture

We are committed to providing both client-side and cloud-based implementations of the Multifactor Entropy Stack's components. Organizations will have the autonomy to leverage the Multifactor Entropy Stack in a completely self-hosted environment, maintaining full control over their infrastructure. Alternatively, we will offer an optional cloud service designed to provide distinct advantages. These benefits are anticipated to include:

  • Enhanced Timing Oracle Protection: Further fortifying systems against sophisticated side-channel attacks by leveraging cloud-based mitigations.
  • Reliable and Resilient Policy Storage: Ensuring that authentication policies are consistently available, backed-up, and securely managed with high uptime.
  • Simplified Integration and Management: Streamlining the deployment, configuration, and ongoing operational management of the Multifactor Entropy Stack through a managed service. (We are actively exploring further unique advantages for the cloud offering, such as advanced analytics and reporting capabilities.)

Roadmap

Our development roadmap for the Multifactor Entropy Stack is focused on several key initiatives to bring this technology to a wide audience and ensure its robustness. We are committed to a phased approach that prioritizes security, stability, and broad applicability. The immediate and near-term priorities include:

  • Complete Rust Implementation: The development of our high-performance, secure Rust implementation of the Multifactor Entropy Stack (Version 2) is a primary focus. We aim to complete this core library to serve as the bedrock for future developments.
  • Develop Bindings for Additional Languages: To foster widespread adoption, we will create bindings for other popular programming languages. This will include, but is not limited to, Python, C, C++, and Go, enabling integration into a diverse set of existing and new projects.
  • Build Client and Server Applications: Leveraging the core libraries, we will develop reference client and server applications. These will showcase the capabilities of the Multifactor Entropy Stack and provide practical examples for developers. This includes user-facing tools and server-side components for policy management and authentication.

We are excited about the future of the Multifactor Entropy Stack and will provide regular updates on our progress.

Conclusion and Invitation to Collaborate

The Multifactor Entropy Stack represents a significant step forward in the evolution of digital security. We have outlined the persistent challenges with current authentication paradigms and presented our comprehensive, policy-driven solution. From next-generation key derivation with MFKDF2, to holistic credential hashing with MFCHF, and seamless legacy integration with MFDPG, our approach offers enhanced security without compromising user experience. The flexible architecture, supporting diverse factors, sophisticated logic, and secure sharing, opens up a wealth of possibilities across numerous applications.

We are actively building this future and believe in a collaborative approach.

For Organizations and Developers: If you are interested in leveraging the Multifactor Entropy Stack to enhance the security of your applications or systems, we encourage you to reach out. We are keen to discuss your use cases and explore how our technology can meet your specific needs. Early adopters and pilot programs are an area of particular interest as we refine our implementations.

For Funding and Partnerships: Bringing a project of this scope and ambition to full fruition requires resources and strategic alliances. We are actively seeking funding opportunities, including grants, venture capital, and strategic partnerships. If our vision resonates with your investment thesis or organizational goals, we would be delighted to discuss how we can work together to accelerate the development and deployment of the Multifactor Entropy Stack.

For Open Source Contributions: We welcome contributions from the community. If you are interested in contributing to the Multifactor Entropy Stack, we encourage you to reach out so that we can discuss your ideas and how they can accelerate the development and deployment of the stack.

Your engagement, whether as a user, developer, or partner, is crucial to realizing the full potential of this next generation of authentication and security. Let us build a more secure digital world, together. Contact us to learn more or to begin a conversation.
