mfa and webauthn

2023-10-07 10:28:58 -06:00
parent 871202b185
commit 596dc91bf4


@ -40,10 +40,11 @@
### How are you authenticating
* Something you know
* Something you have
* Something you are
*
* Something you know - password, security question, pin number
* Something you have - an email address, phone number, or security key
* Something you are - biometrics
* Somewhere you are - location
* Something you do - behavior
### Layers of security
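Review bot: the bare `*` line at the top of the added block renders as an empty bullet, and the three short items kept above it ("Something you know", "Something you have", "Something you are") are now fully duplicated by the expanded list that follows, so drop the empty bullet and the three original lines. Two wording points in the new items: "pin number" is redundant (PIN already expands to personal identification number), and listing "an email address, phone number" beside "security key" under "Something you have" blurs a distinction the rest of this section relies on; an address or number is only a delivery channel for a one-time code, whereas a security key is a possession factor that proves itself cryptographically, which is exactly the argument the WebAuthn section below makes.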
@ -92,4 +93,7 @@ The following list was derived from https://identitymanagementinstitute.org/laye
* Limited accountability - sharing of passwords
* Less convenience compared to biometrics or other technology
* The case for WebAuthn and other asymmetric cryptographic authentication
*
* It is almost accidentally multifactor, you have something, but in order to use it you need to unlock it with something you know or something you are. e.g. Your smartphone keeps the key in a special module that needs to be unlocked with the phone's security features (pin, password, FaceID or TouchID). Then that module can prove you 'have' the key using cryptography.
* Unlocking the key using a password is great because the password verification is local only, a password hash doesn't ever have to leave your phone or be stored in some database you don't control.
* Asymmetric cryptography allows for the private key to stay on the device while still being usable to prove you have the key. Using the private key you can sign messages. The recipient of the message can use your public key to verify the signature.
* The authentication system doesn't need to store any secrets or sensitive information in order to authenticate a user. This makes the authentication system a much less interesting target for attackers.
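Review bot: "The case for WebAuthn and other asymmetric cryptographic authentication" is added as a bullet at the same level as the password drawbacks above it, followed by another bare `*` that renders as an empty bullet; since this starts a new topic, make it a `###` heading like "How are you authenticating" and "Layers of security" and remove the empty bullet. The last item, "doesn't need to store any secrets", is slightly stronger than the preceding bullet supports: the server still stores the user's public key, so say "stores only public keys, which are not secret and are useless to an attacker who steals them", which makes the "less interesting target" conclusion follow directly. The local-verification point in the second bullet is the strongest claim here and is worth one more clause: because the PIN or password only unlocks the key on the device, it is never transmitted, so a breached or spoofed server never sees it.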