Multi-factor authentication (MFA) is useful, but not a failsafe strategy for user authentication.
The purpose of identity and access management technology is, generally speaking, to prevent unauthorized users from viewing, stealing, or manipulating data, whether that data lives on a corporate network or behind a celebrity Twitter account.
As most users know, the dangers of the internet are ever shifting, and it’s important to stay safe. Users are often vulnerable without realizing it, and quickly fall victim to scams, phishing, and malware. Having systems in place that let users reach their accounts safely is therefore crucial—and we usually need several secure, distinct ways of doing this, because a single, fail-safe, instant way to identify an individual is unlikely ever to exist.
While the world searches for such a silver bullet, intermediate solutions are available. For example, multi-factor authentication (MFA) is a process by which users’ identities can be verified by requiring two or more different authentication methods.
Authentication methods fall into three categories: something you know, something you have, and something you are. In practice these factors take many forms. ‘Something you know’ might be a password the user sets or a PIN. The things you ‘have’ are just as varied: more often than not this is a smartphone, but it could also be a USB security key or another physical or digital token. The things you ‘are’ include biometrics such as a fingerprint scan or facial recognition.
Strong MFA relies on at least two factors, each from separate categories — for example, typing in your password and then waiting for a one-time code to be texted to your phone. The more layers of authentication, the more difficult it is for someone to access an account that’s not their own.
Requiring MFA at any or all login points reduces the ability of bad actors to gain access to accounts, networks, and valuable data. Other signals, such as location or time of day, can be used as well, but they are not considered as strong as the factors listed above. These signals depend on a company knowing a user’s habits. For example, if a user normally logs on at 8 AM but suddenly logs on at midnight, should that be a cause for concern? Companies need a level of assurance from each authentication attempt, and that assurance comes more readily from MFA (a strong password followed promptly by, say, a fingerprint) than from checking whether the user is logging on at a habitual time or place. So, for now, these signals are informative at best. They also carry a high risk of a false positive (blocking a valid user who is acting outside their ‘normal habit’) or a false negative (missing a bad actor).
Though the mechanism for verification might vary (from website to website, or device to device) the idea of MFA remains constant — it’s a second (or greater) layer of security that can help to keep unauthorized users out of one’s account.
Idealism to Realism
On the surface, MFA seems like an impenetrable system, but that’s only the case if each level of authentication is adopted fully and completely. At the moment, the reality of how MFA is used is rather different, and each type of factor has obvious shortcomings.
These faults range from the financial cost of tokens or applications (which an organization might be unwilling to take on), to the frequent loss or theft of a physical device, to the fact that both emails and text messages can be intercepted.
In addition to the specific failings of individual factors, there’s the broader issue that MFA adoption rates are low. According to DataProt, only 26% of companies use multi-factor authentication. This is low considering that in 2018, MFA became a requirement for all organizations involved with payment card processing.
This may be because users find it frustrating to confirm their identity in multiple ways. MFA adds friction to, say, logging on to one’s work account, and users tend to choose convenience over security (even when they can see the good sense of it).
They Know Not What They Do
When it comes to the most ubiquitous authentication factor — the basic password layer — people again choose convenience over security, reusing the same password (or slight variations on it) across many accounts.
Knowing both of these facts about the user experience (that users say ‘no thank you’ to MFA and to unique passwords alike) can, however, help organizations. The more enterprises acknowledge the reality of MFA use, the better they can adapt their defenses to it. If organizations can anticipate low adoption of MFA overall, they can focus on securing the one factor that won’t be going away anytime soon: the basic password layer.
Bad Actors Don’t Rest
Unfortunately, believing any system to be a ‘failsafe’ is a luxury cybersecurity does not allow. Threat actors work as fast as those patching security flaws and writing detection rules. Systems like MFA are secure only until someone finds a weakness in any one of the factors. In some cases the ‘what you have’ layer is defeated through methods such as SIM swapping and phishing, but far more commonly it is the password layer that is breached. Once one of the ‘F’s’ of MFA is defeated, you no longer have the ‘M’. To get the full advantage of multi-layer security, every layer must be secured to the extent possible.
Whatever methods bad actors use to get past MFA, they have a foot in the door the moment they compromise an account. This can lead to an account takeover (ATO) of a single individual or even a full network compromise. It also means that even when a breach is not an individual’s fault—for example, when an online business or enterprise has a large set of credentials stolen—all of that user’s other accounts immediately become more vulnerable, because the stolen password is likely reused elsewhere.
A Tangled Web
It’s worth noting that these security issues intersect. Password reuse is one of the most common problems in cybersecurity. Considering just how common — and likely to stick around — passwords are, credential screening (checking a chosen password against known-breached credentials) is an obvious and easy way to harden one of the critical authentication factors.
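As an added example (not code from the original article), here is one common way to implement credential screening: a k-anonymity range check, where the client hashes the candidate password with SHA-1, sends only the first five hex characters of the digest, and matches the remaining suffix locally, so the full hash never leaves the client. The breach corpus, its counts and all function names below are constructed assumptions for illustration.

```python
import hashlib
from collections import defaultdict

# --- Breach-corpus side (constructed sample data, not a real breach set) ---
# Each entry: (leaked password, number of times it was seen in breaches).
# A real service would hold a large corpus and expose only range lookups.
CONSTRUCTED_BREACH_SAMPLES = [
    ("password", 1000),
    ("123456", 5000),
    ("Summer2023!", 4),
    ("letmein", 300),
]

def sha1_hex(password: str) -> str:
    """Upper-case SHA-1 hex digest, the form breach corpora are usually published in."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def build_range_index(samples):
    """Index hash suffixes by their 5-character prefix (server-side structure)."""
    index = defaultdict(dict)
    for pw, count in samples:
        digest = sha1_hex(pw)
        index[digest[:5]][digest[5:]] = count
    return index

RANGE_INDEX = build_range_index(CONSTRUCTED_BREACH_SAMPLES)

def range_lookup(prefix: str) -> dict:
    """Server side: given a 5-char prefix, return every matching suffix and its count.
    The server never learns which suffix the caller actually cares about."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be 5 upper-case hex characters")
    return dict(RANGE_INDEX.get(prefix, {}))

def screen_password(password: str) -> int:
    """Client side: return how often the password appears in the corpus (0 = not seen).
    Only the 5-character prefix of the hash is sent to the lookup."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return range_lookup(prefix).get(suffix, 0)

def accept_new_password(password: str, min_length: int = 12) -> tuple:
    """Policy check at password set/reset: reject breached or too-short passwords."""
    if len(password) < min_length:
        return False, "too short"
    hits = screen_password(password)
    if hits:
        return False, f"seen in breach corpus {hits} times"
    return True, "ok"
```

The minimum length and the rejection messages are policy choices; the screening step is the part that directly addresses reuse of already-leaked passwords.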
One of the best things that users and companies can do for themselves is to keep seeking out education and resources about staying secure. Enabling MFA is a good idea because no single factor can be considered completely secure on its own. MFA doesn’t ‘fix’ the problem of weak and reused passwords, nor do strong passwords eliminate the need for additional authentication factors. If users understand the purpose of MFA, they are better placed to avoid bad habits in the future and protect themselves.