How to Choose Parameters for KDFs like Argon2, Bcrypt, Scrypt, PBKDF2, Balloon Hashing, & More (Part 2 of 2)
2025-08-01
This post concludes our two-part series on how to select optimal parameters for cryptographic KDFs. If you haven't read the first part of the series, you should probably do so before continuing.
In our last post, we provided you with a UI that walked you through finding optimal parameters that find that balance between robust security and a frictionless user experience. Behind the scenes, we benchmarked on a modern, high-performance device to understand the upper bounds of performance to determine a heuristic for choosing parameters today. However, many consumers are less powerful devices but still crave that instant login. What is a safe, performant baseline for the vast ecosystem of less powerful hardware? Now we have answers to this and are sharing three updates with you:
- We have now added Balloon Hashing, a novel KDF with provable security properties, into our recommendations.
- We are releasing our benchmark results from a Raspberry Pi 4B, establishing a baseline for low-end devices.
- We have made our benchmark data available to you and your servers with our free API endpoint that provides up-to-date parameter guidance on demand.
You can also find a video demo of the tool and API endpoint below.
Video: Colin Roberts demonstrates both the KDF benchmarking frontend and usage of the KDF API endpoint.
Integrating Balloon Hashing
Argon2id is the current gold standard for password hashing, but Balloon Hashing is an up-and-coming contender with unique strengths. Due to its elegant design and desirable security properties, Balloon Hashing has been acknowledged by NIST in SP 800-63B and is gaining traction in the security community. You can now find parameter sets for this KDF as well in our frontend tool and API. We grabbed the Balloon Hash from the RustCrypto libraries and compiled it to WASM and provided two underlying hashes (SHA2-256 and SHA2-512) to be used with it.
As a reminder, Balloon Hashing's primary advantage is its provable memory-hardness. Its security properties are backed by a formal mathematical proof, giving implementers a high degree of confidence in its resilience against brute-force attacks, though there are still potential vulnerabilities. Furthermore, its memory access patterns are provably independent of the password itself, which provides strong resistance against side-channel attacks that analyze memory access to leak information. While its design is sound, Balloon Hashing is still relatively new and has not yet achieved the same level of widespread, "battle-tested" adoption as Argon2. Consequently, audited implementations may be less common across all platforms. However, its inclusion in our tool reflects its growing importance and our commitment to providing access to state-of-the-art cryptographic options, especially those that come with the mathematical guarantees.
The “95% are better” Raspberry Pi
While benchmarking on a high-end Apple M3 processor is useful for understanding the upper limits of performance, it doesn’t reflect the reality for a huge portion of users. Most applications must serve a diverse landscape of devices, and a secure login that feels instant on the latest flagship phone can become a frustrating, multi-second bottleneck on an older budget device. So, we wanted to pick something that gave us confidence that 95% of devices would be faster than. For this purpose, we selected the Raspberry Pi 4B. It is a fantastic proxy for lower-power consumer hardware since it's a low-power, cheap, and over six year old device. Comparing this to a higher end mobile chip from the same era (Qualcomm Snapdragon 865) we see the Raspberry Pi 4B CPU is 4x slower. A clear standard to beat, for sure!
The Results
We ran our interactive benchmark suite on a Raspberry Pi 4B using a headless Chrome browser. Our goal was to find a "sweet spot" for each of the KDFs in our list over a range of different latencies. You’ll see all the available settings by visiting kdf.multifactor.com/api/v1/.
{
"status": "success",
"version": "v1",
"data": {
"endpoints": "/api/v1/{kdf}/{percentile}/{latency}",
"kdf_options": [
"argon2d",
"argon2i",
"argon2id",
"balloon-sha2-256",
"balloon-sha2-512",
"bcrypt",
"pbkdf2-sha1",
"pbkdf2-sha2-256",
"pbkdf2-sha2-512",
"pbkdf2-sha3-256",
"scrypt"
],
"percentile_options": ["95"],
"latency_options": ["50", "100", "200", "500", "1000"],
"total_configurations": 55
},
"metadata": {
"generated_at": "2025-07-04T01:44:13.159Z",
"description": "KDF Parameter Selection API - Static JSON endpoints"
}
}
An API for Up-to-Date Parameters
While these blogs are a starting point, we want to provide continued guidance on KDF selection since hardware gets faster, research changes, and vulnerabilities are found. Our free-to-use v1 API is a living resource that developers can rely on down the road.
How It Works
We designed the API to be extremely simple. You can simply visit the web pages themselves, or just use curl to get the value returned to you in a terminal or CI job. The data is returned as a clean and simple JSON blob.
| Parameter | Type | Required | Description | Example |
|---|---|---|---|---|
| kdf | string | Yes | The KDF you are using. Currently supports argon2d, argon2i, argon2id, balloon-sha2-256, balloon-sha2-512, bcrypt, scrypt, pbkdf2-sha1, pbkdf2-sha2-256, pbkdf2-sha2-512, pbkdf2-sha3-256 | argon2id |
| percentile | string | No | The performance target. Default is 95 representing a device slower than 95% of others. | 95 |
| latency | integer | Yes | Your maximum acceptable latency in milliseconds. Currently supports 50, 100, 200, 500, 1000 (note, some hashes cannot meet the 50ms requirement on the 95 percentile device) | 500 |
For the target parameter, we are launching with a single baseline: 95, which represents a device such that 95% of devices are faster than it and currently uses our Raspberry Pi 4B data. In the future, you will be able to specify other targets like 50% (median device) or specific models as we expand our benchmark library. These devices also change over time! In 5 years, we don’t expect a Raspberry Pi 4B to be the 95% device.
Example Request
Here is how you would request parameters for Argon2id with a maximum latency of 500ms, targeting a 5th percentile device:
curl https://kdf.multifactor.com/api/v1/balloon-sha2-256/95/500/
Example Response
The API will respond with a JSON object containing the recommended parameters, formatted to be easily consumable by your applications. The response below corresponds to the RPi 4B data for the request above.
{
"status": "success",
"version": "v1",
"data": {
"kdf": "balloon-sha2-256",
"percentile": "95%",
"latency": "500ms",
"configuration": {
"algorithm": "balloon",
"hash_function": "sha2-256",
"space_cost": 16,
"time_cost": 1000,
"parallelism": 1,
"output_length": 32,
"estimated_time_ms": 492
}
},
"metadata": {
"generated_at": "2025-07-04T01:44:13.157Z",
"algorithm": "balloon",
"hash_function": "sha2-256"
}
}
After reading the response, we see that the optimal parameters to use in this case are:
- Space cost: 16
- Time cost: 1000
- parallelism: 1
Pairing with MFKDF2
While these tools are a valuable resource for anyone using KDFs, this is where the updatable nature of the Multi-Factor Key Derivation Function 2 (MFKDF2) becomes more notable. When using MFKDF2, you can continually query this API using a cronjob to have update suggestions. As your users authenticate, simply increase the difficulty level of the underlying KDF being used in the MFKDF2 implementation. The user won’t know the difference, but the attackers will.
Moving Forward
Our mission is to improve the security of the web along the three pillars of authentication, authorization, and auditing. MFKDF2 allows for a step function increase to authentication security, and tools such as this KDF API allow for continued increase over time. Every day, it should be easier for developers to build safer systems. This work is foundational for the continued development of MFKDF2, and we’re just getting started. We encourage you to try out the updated Interactive KDF Benchmark tool and our new API endpoint. Let us know what you think and what hardware you believe is most important to test as we continue on this journey to build a more secure future.
We're redefining zero-trust — so you can protect your application with confidence.
Identity is your first and last line of defense, and the root cause of most application security breaches. Multifactor's provably secure zero-trust solutions cryptographically guarantee that only authorized users can access sensitive data, turning identity into your greatest asset in the fight against cyber threats. Learn more about our research, or reach out to explore working together.
Related Posts
How to Choose Parameters for KDFs like Argon2, Bcrypt, Scrypt, PBKDF2, Balloon Hashing, & More (Part 1 of 2)
2025-06-25
A comprehensive guide and interactive tool for the delicate security decision of selecting the best parameters for hard KDFs like Argon2, Bcrypt, Scrypt, PBKDF2, and Balloon Hashing.
MFKDF2, MFCHF2, & MFDPG2: Next-Generation Multifactor Entropy Stack
2025-06-06
MFKDF2, MFCHF2, and MFDPG2 are new user-friendly cryptographic primitives that aim to trustlessly solve the problems of the current authentication and account security.
Colin Roberts: Why I’m Excited About the Future of Multifactor
2025-07-03
Colin Roberts, Co-Founder and CTO, shares his journey from pure mathematics to crypto-focused startups and now Multifactor, explaining why he's excited about the future of the company.