Multi-Factor Authentication Isn’t Ready For Mainstream

Heard the horror stories of people like Mat Honan being hacked? Like me, you may even have had the “pleasure” of someone compromising your debit card (or worse). Not fun.

With that in mind, a couple of days ago I was very excited to dive again into Multi-factor Authentication (MFA) and write a really awesome post about how easy and effective it has become. Boy was I wrong. Here’s why it’s not worth it, and what you can do instead.

Basic Issue: Proving You are, Yes, You

Before we jump into some details, let’s talk about the basic issue. This is all about proving that you are “you” to some type of service (website, application, etc.).

According to Wikipedia, there are three ways of doing this:

  1. Something only the user knows (e.g., password, PIN, pattern)
  2. Something only the user has (e.g., ATM card, smart card, mobile phone)
  3. Something only the user is (e.g., biometric characteristic, such as a fingerprint)

What is Multi-factor Authentication (MFA)?

In general, it just means that you use two or more of the three factors to prove who you are. In practice this means adding something beyond your username and password to make your accounts more secure.

This is an excellent idea because oftentimes your username is easy to guess (your name or your email address), and your password may be leaked or guessed. Imagine what a comfort it would be to hear that your bank had been breached but, without the second factor, the attackers still could not log in to your account.

What are some examples?

  • RSA Token. You may have seen these or you may use one yourself. I’m using one now for a project I am working on with a large bank. It’s a fob that displays a 6-digit number that changes every 60 seconds or so. To use it you simply key in the 6-digit number in addition to your username and password.
  • Text Message Verification. This is probably the most pervasive form of MFA available. Most of the major services offer this. You get a text message that has a code (often 6 digits) you enter in addition to your normal credentials. It is the most convenient of the three, but the code travels over the phone network, so it is only as safe as your control of your phone number.
  • Google Authenticator. This is the one I used for a while and is also widely supported. Instead of a text message or a fob you have an app on your phone or tablet that generates the 6-digit codes from a secret the site gives you once (usually as a QR code), using the same standard algorithm (TOTP, RFC 6238) that Authy and similar apps implement, so it works with no network connection. At some point I gave up using it either because it was too much trouble or I got too lazy.

Where does Multi-Factor Authentication work well?

It works well when you have someone set it up (who knows what they are doing) in an enterprise for a specific purpose. I have used RSA tokens for months at a couple of firms for logging into their networks without one glitch or headache.

Where does it fall short?

When you try to use it personally for a bunch of different sites.

My goal in this latest dive back into MFA was to have all my high value accounts (banks, shopping, and social media) locked down with MFA. What got me excited was when Gina Trapani mentioned Authy on All About Android. Authy is an app whose promise is “Strong Authentication You’ll Actually Enjoy”.

Sorry Authy, I tried it and gave up. Right now MFA seems to be broken. Case in point: I was trying to set up Facebook to be my first account to use Authy, and the instructions they gave were old; Facebook had already changed things, so the instructions weren’t relevant.

Is this Authy’s fault? No. Will this problem eventually get solved? Yes.

What’s the root issue?

Every site does MFA differently, and sometimes very differently: which methods it offers, where the setting lives, what the enrollment steps are, and how you get back in if you lose your phone. The one piece that is standardized is the code itself: apps like Google Authenticator and Authy all generate the same 6-digit codes from the same secret (TOTP, RFC 6238), which is why one app can serve many sites. Everything around the code is site-specific. There is even a site dedicated to tracking which services support MFA and how: https://twofactorauth.org/.

It’s like usernames and passwords were many years ago, when there was very little standardization. Every site still implements passwords a little differently, but passwords have matured to the point that we “get” them and there is enough common ground that they just work.
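To make the standardization point concrete: the 6-digit codes from the Google Authenticator item above are produced by the TOTP algorithm of RFC 6238, which is HOTP (RFC 4226) with a time-based counter, and any app holding the same secret produces the same code. The following is an added example written for this page in Python; it is not code from Authy, Google, or the original post. The secret is the 20-byte test seed published in those RFCs (a real enrollment secret is random and per account), and the helper names, the one-step drift window, and the base32 clean-up rules are my own choices.

```python
import base64
import hashlib
import hmac
import struct
import time

# 20-byte seed used for the published RFC 4226 / RFC 6238 test vectors
# (constructed test data, not a real secret).
RFC_TEST_SECRET = b"12345678901234567890"


def decode_base32_secret(text):
    """Turn the base32 string an enrollment page shows (or its QR code carries)
    into raw key bytes. Tolerates lowercase, spaces and missing '=' padding,
    which sites frequently strip for display."""
    cleaned = text.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * ((-len(cleaned)) % 8))


def hotp(secret, counter, digits=6, algorithm=hashlib.sha1):
    """RFC 4226: HMAC the 8-byte big-endian counter, dynamically truncate
    using the low nibble of the last byte as an offset, and keep the low
    `digits` decimal digits (zero-padded)."""
    digest = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret, for_time=None, period=30, digits=6):
    """RFC 6238: the counter is the number of `period`-second steps since the
    Unix epoch, so phone and server agree without ever talking to each other."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int(for_time) // period, digits)


def verify_totp(secret, submitted, for_time=None, period=30, digits=6, window=1):
    """Server-side check. Accepts the current step plus `window` steps on either
    side to absorb clock drift between phone and server, and compares in
    constant time. A real deployment must also remember the last accepted step
    so the same code cannot be replayed inside the window."""
    if len(submitted) != digits or not submitted.isdigit():
        return False
    if for_time is None:
        for_time = time.time()
    step = int(for_time) // period
    accepted = False
    for delta in range(-window, window + 1):
        candidate = step + delta
        if candidate < 0:          # only possible in the first seconds of 1970
            continue
        # Check every candidate so timing does not reveal which step matched.
        if hmac.compare_digest(hotp(secret, candidate, digits), submitted):
            accepted = True
    return accepted


if __name__ == "__main__":
    # The base32 form of the RFC seed, typed the way a user might copy it.
    secret = decode_base32_secret("gezd gnbv gy3t qojq gezd gnbv gy3t qojq")
    assert secret == RFC_TEST_SECRET
    # Codes at the RFC 6238 SHA-1 test times; an authenticator app enrolled
    # with this secret shows the same 6 digits at those moments.
    for t in (59, 1111111109, 1234567890):
        print(t, totp(secret, t), totp(secret, t, digits=8))
    print("now:", totp(secret))
```

The 8-digit values printed for the three test times (94287082, 07081804, 89005924) are the ones listed in RFC 6238, and the 6-digit form is simply the low six digits of each. The verification side is what a site has to get right on its own: the window, the replay check, and the recovery path are exactly the parts no standard dictates.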

What would a solution look like?

  1. It is truly easy to use and setup.
  2. It works everywhere you want it to.
  3. You can turn it on and off easily. When you are at home and on “trusted devices” it wouldn’t ask you. When you are on the road and on your iPad, it would give you a one-click solution to pop up on your cell phone for verification.
  4. It has to work across all your devices and when you are offline too.

What to do instead?

  • Use a password manager so that you can use a different (and strong) password for every system and site. I recommend LastPass.
  • For the handful of passwords you do need to remember, make them good ones.
  • Stick to mainstream sites when you are buying online.
  • NEVER fill in your credit card information if the site is not using HTTPS (HTTP over TLS, which encrypts the connection between your browser and the site). You can tell they are using it when the address starts with “https://” rather than “http://”. It is even better if the address bar is green, which means the site holds an Extended Validation certificate. Keep in mind that HTTPS protects your card number on its way to the site, not how the site stores it afterward.
  • Don’t give out your credit card info if you can avoid it. There are a couple of approaches to this. One is to check out with PayPal, so the merchant never sees your card number. Another is to check out as a “guest” rather than creating an account, and type your credit card info (or have your password manager fill it in for you) instead of letting the site save it. The fewer places your info is stored, the less likely it is to be stolen.

What’s the bottom line?

There is always a tradeoff between security and convenience. This one just doesn’t seem to be worth it right now for most people.

Question: Do you agree or disagree? Is it too much trouble or do you have a solution that works for you? Leave your thoughts in the Comments.

Featured image from iStock.

About Craig Huggart

After earning his M.B.A. from the University of Alabama, Craig Huggart found his passion as a technology trainer for law firms. With over 10 years’ experience, he works with small and large firms around the country. He is a 12-time Ironman and 1-time Sprint Triathlon finisher. Check out his site: alawfirmtrainer.com.

  • TechLawGuru

    You have raised some good points about the lack of standardization in multi-factor authentication. It would be particularly nice if all sites supported receiving codes by text, voice call, and a standard app (e.g., Google Authenticator). However, I think your conclusion that multi-factor authentication is too much trouble to be worth it is misguided.

    First, setting up multi-factor authentication isn’t that hard. Most services support two-factor authentication by a text message code. Many services support using an app like Google Authenticator, Duo Security, or Authy. Getting a short numeric code by one of those two methods and entering it in a web browser is pretty simple and doesn’t require much effort.

    Second, this post is directed toward lawyers (and other legal professionals). As such, for any account that stores (or could be used to gain access to) confidential client information, the “it’s too inconvenient” justification is inexcusable. If a lawyer’s account got hacked and a client’s information was stolen, I doubt the client would be satisfied with a response that “I decided not to set up multi-factor authentication because it was too inconvenient.”

    • Thanks for chiming in. I agree with you on most of what you have said especially that lawyers should use MFA to protect client data.

      On the other hand, my main point was that I don’t think the average user will adopt MFA in its current state.

      • TechLawGuru

        I think you’re right that the average user is (unfortunately) probably not likely to adopt MFA. But the average user is also not likely to follow password best practices either (e.g., long, random password, unique for each site). And in some respects, it is easier for users to have easy to remember passwords (which are, therefore, weak and insecure) and enter a 6-digit code they receive by text message than to use unique, complex passwords with a password manager. (Personally, I use both unique, long, complex passwords AND multi-factor authentication, and the part that I find more inconvenient is typing the long passwords retrieved from my password manager, not entering the 6-digit MFA codes.)

        If average users are not going to follow good security practices, are they more likely to use a password manager or use MFA? That would be an interesting question to investigate.

        • You definitely have some great thoughts on this. I think if someone else sets it up for the average user, they would probably be more likely to adopt MFA.