Benefits and Barriers to Multi-Factor Authentication
Multi-factor authentication, while it has long been a tool of security technicians, has been gaining mainstream traction and deployment throughout a variety of everyday services. Most people likely interact with MFA, whether they know it or not, in the form of a six-digit code sent to their mobile phone via SMS. MFA can vastly improve account security and has been shown to stop almost all attacks against accounts that have it enabled (more on that later). The problem, as things stand, is that MFA can still be seen as an unnecessary security step by the average user, and it can also cause huge problems if the MFA generators or recovery keys are somehow lost.
What is multi-factor authentication?
Sometimes called 2FA or two-factor authentication, MFA is an additional authentication step that verifies the user’s identity, in addition to the normal username and password combination. The National Institute of Standards & Technology (NIST) defines MFA in its Special Publication 800-53 as:
- Something You Know (such as a password or PIN)
- Something You Have (such as a smartcard or cryptographic key)
- Something You Are (biometric identifiers)
In addition to what the NIST 800-53 defines, MFA can also include:
- Somewhere You Are (through device geolocation)
- Something You Do (such as keystroke analysis or voice recognition)
MFA uses at least two different factors from those listed above to fully authenticate users. I find calling MFA two-factor authentication a bit misleading, since this could be interpreted to imply that MFA can only use two factors. This is not the case, as you can use as many factors as you choose.
Take this scenario for example: when you attempt to log in to your work computer, the computer first asks for your fingerprint via the built-in scanner, then you generate a PIN via an authenticator app on your phone, but the app only generates the code after it verifies that its geolocation matches the work computer’s. This example uses something you know (your password), something you have (the PIN, which only the phone enrolled in the authenticator app can produce), something you are (your fingerprint), and somewhere you are (your phone and computer are both in the same place). While this may be an extreme example and unnecessary in most cases, it demonstrates that MFA is not limited to only two factors.
Why should I care about MFA?
One of the services I use on a near-daily basis recently began enforcing MFA on all user accounts. This required that I download a specific app from the Apple App Store, and as I was doing so, I quickly looked through the comments, most of which were negative. The general sentiment about the app brings up two important points to consider.
- MFA users must set up an alternate means of account recovery
Most MFA services give the user a set of account recovery codes, but where do you store the codes? You can’t write them down, because if they are found, your MFA is essentially useless. Do you store them in an online vault? If that vault is MFA protected, which it should be, what happens when you lose your primary method of generating MFA codes? There is an amusing, yet terrifying, story about a man whose house burned down and who was locked out of all of his accounts. Whether true or not, the story highlights some valid points about how you recover your account if you lose your MFA factors. Probably the easiest method of account recovery is via SMS to a mobile phone, yet this method has its vulnerabilities.
- MFA is not just a feature for power users or security gurus
The second sentiment I gathered from reading the reviews was that many users didn’t feel that MFA was necessary for them. One user even wrote, “I’m not important enough to hack.” There’s a lot to unpack here, but consider that weak passwords and password reuse are very common across user accounts. Security Magazine estimates there are 24 billion usernames and passwords on the dark web, and that 1 out of every 200 passwords is 123456. Password reuse between personal and work accounts can easily cause a breach at work. The user may not be important enough to hack, although I would argue that s/he is, but his/her workplace definitely is important enough to hack.
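The recovery-code problem raised above has a service side as well as a user side: a well-run service never keeps the codes themselves, only a digest of each, and retires a code the moment it is used. The block below is an added example, not the post's own or any particular vendor's code; it shows how such codes are generated from a CSPRNG with a confusion-free alphabet, stored only as SHA-256 digests (sufficient because the codes carry roughly 49 bits of entropy and cannot be guessed through a rate-limited form), and redeemed once with a constant-time comparison. The class and function names are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Constructed alphabet: lowercase letters and digits minus 0/o/1/l/i, which are
# easy to confuse when a code is typed back in from a printed sheet.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"


def generate_recovery_codes(count: int = 10, length: int = 10) -> list:
    """Return `count` single-use codes drawn from the OS CSPRNG.
    31**10 possibilities is about 49 bits of entropy per code."""
    codes = []
    for _ in range(count):
        raw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        codes.append(f"{raw[:5]}-{raw[5:]}")  # hyphen is for readability only
    return codes


def normalize(code: str) -> str:
    """Ignore case, spaces and hyphens so a hand-copied code still matches."""
    return code.strip().replace("-", "").replace(" ", "").lower()


def code_digest(code: str) -> str:
    """Digest stored at rest; a stolen copy of the table yields no usable codes."""
    return hashlib.sha256(normalize(code).encode()).hexdigest()


class RecoveryCodeStore:
    """What the service keeps for one account: digests only, each removed on first use."""

    def __init__(self, codes):
        self._unused = [code_digest(c) for c in codes]

    def redeem(self, code: str) -> bool:
        """Accept a code exactly once. The loop always compares in constant time
        and never returns early on a partial match."""
        presented = code_digest(code)
        for i, stored in enumerate(self._unused):
            if hmac.compare_digest(stored, presented):
                del self._unused[i]
                return True
        return False

    def remaining(self) -> int:
        return len(self._unused)


if __name__ == "__main__":
    # Constructed walk-through: issue codes, show them once, then redeem one.
    issued = generate_recovery_codes()
    print("show these to the user exactly once:", issued)
    store = RecoveryCodeStore(issued)
    print("first use accepted:", store.redeem(issued[0]))
    print("second use accepted:", store.redeem(issued[0]))
    print("codes left:", store.remaining())
```

A practical consequence for the user-side question in the text: because the service holds only digests, the printed or vaulted list is the sole copy, which is exactly why losing it (or having it found) matters so much.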
So what’s the good news?
MFA stops the vast majority of account intrusions, regardless of which type of MFA is enabled. Microsoft Director of Identity Security Alex Weinert wrote that “the rate of compromise of accounts using any type of MFA is less than 0.1% of the general population.” What MFA has done is raise the difficulty and annoyance of compromising accounts with MFA enabled. Hackers would rather move on to accounts that don’t have MFA enabled.
What we, as security practitioners, need to do is help promote and spread the use of MFA, while also working to make it more approachable and user friendly. Good security is unobtrusive and while MFA isn’t there yet, it’s on its way.