Ask HN: Are SSH keys with passphrases considered 2FA?

3 points by h43z ↗ HN
It could be argued that from the servers perspective only one thing was provided, so it's not 2FA.

Then what about ssh keys AND user/password authentication?

Like this sshd_config

  PasswordAuthentication yes
  PubkeyAuthentication yes
  AuthenticationMethods publickey,password
I guess it boils down to if one thinks ssh keys are something you know or something you have? The passphrase and password is very clearly something I know.

I'd like to hear your thoughts.

1 comment

[ 5.4 ms ] story [ 10.0 ms ] thread
If the server login needs a key and password (separate from the password to encrypt your private key), yes that's two factor: the server sees something you know and something you have. I worked on a platform (Salesforce B2C Commerce Cloud) that sometimes used WebDAV with HTTP basic auth and HTTPS client certificates (combined), and that was considered two factor authentication. I don't see how that's totally different from this SSH setup.