WARNING: Multi-factor Authentication Is Not Ready For Mainstream

Heard the horror stories of people like Mat Honan being hacked? Like me you may have even had the “pleasure” of someone compromising your debit card (or worse). Not fun.


With that in mind, a couple of days ago I was very excited to dive again into Multi-factor Authentication (MFA) and write a really awesome post about how easy and effective it has become. Boy was I wrong. In this post I share with you why I think it’s not worth it (in most cases) and what you can do instead.

Basic Issue: Proving You are, Yes, You

Before we jump into some details, let’s talk about the basic issue. This is all about proving that you are “you” to some type of service (website, application, etc.).

According to Wikipedia, there are three ways of doing this:

  1. Something only the user knows (e.g., password, PIN, pattern)
  2. Something only the user has (e.g., ATM card, smart card, mobile phone)
  3. Something only the user is (e.g., biometric characteristic, such as a fingerprint)

What is Multi-factor Authentication (MFA)?

In general it just means that you use two or more of the three factors to prove who you are. In practice this means adding something additional to your username and password to make your accounts more secure.

This is an excellent idea because oftentimes your username is easy to guess (your name or your email address) and your password may be compromised by hackers. Imagine what a comfort it would be if you heard that your bank had been hacked but you could rest in the fact that even though the hackers had your username and password they could not access your account.

What are some examples?

  • RSA Token. You may have seen these or you may use one yourself. I’m using one now for a project I am working on with a large bank. It’s a fob that displays a 6-digit number that changes every 60 seconds or so. To use it you simply key in the 6-digit number in addition to your username and password.
  • Text Message Verification. This is probably the most pervasive form of MFA available. Most of the major services offer this. You get a text message that has a code (often 6 digits) you enter in addition to your normal credentials.
  • Google Authenticator. This is the one I used for a while and is also widely supported. Instead of a text message or a fob you have an app on your phone or tablet that generates the 6-digit codes. At some point I gave up using it either because it was too much trouble or I got too lazy.

Where does it work well?

It works well when you have someone set it up (who knows what they are doing) in an enterprise for a specific purpose. I have used RSA tokens for months at a couple of firms for logging into their networks without one glitch or headache.

Where does it fall short?

When you try to use it personally for a bunch of different sites.

My goal in this latest dive back into MFA was to have all my high value accounts (banks, shopping, and social media) locked down with MFA. What got me excited was when Gina Trapani mentioned Authy on All About Android. Authy is an app whose promise is “Strong Authentication You’ll Actually Enjoy”.

Sorry Authy, I tried it and gave up. Right now MFA seems to be broken. Case in point: I was trying to set up Facebook as my first account to use Authy, and the instructions they gave were old. Facebook had already changed things so that the instructions weren’t relevant.

Is this Authy’s fault? No. Will this problem eventually get solved? Yes.

What’s the root issue?

Every site does MFA differently and sometimes very differently. There is even a site dedicated to tracking this: https://twofactorauth.org/.

It’s like usernames and passwords were many years ago. There was very little standardization. Even now, every site seems to implement passwords differently, but passwords have matured to a point that we “get” them and there is enough standardization that they work.

What would a solution look like?

  1. It is truly easy to use and set up.
  2. It works everywhere you want it to.
  3. You can turn it on and off easily. When you are at home and on “trusted devices” it wouldn’t ask you. When you are on the road and on your iPad, it would give you a one-click solution to pop up on your cell phone for verification.
  4. It has to work across all your devices and when you are offline too.

What to do instead?

  • Use a password manager so that you can use a different (and strong) password for every system and site. I recommend LastPass.
  • For the handful of passwords you do need to remember, make them good ones.
  • Stick to mainstream sites when you are buying online.
  • NEVER fill in your credit card information if the site is not using HTTPS (Secure HTTP). You can tell if they are using it if the address starts with “https” (not http). It is even better if it says https and the address is green in color.
  • Don’t give your credit card info if you can avoid it. There are a couple of approaches to this. One, is to use PayPal to check out. Another is to check out as a “guest” and type your credit card info or have your password manager fill it in for you. The fewer places your info is stored the less likely you are to have it stolen.

What’s the bottom line?

There is always a tradeoff between security and convenience. This one just doesn’t seem to be worth it right now for most people.

This post originally appeared October 24, 2014 on Law Technology Today.

Question: Do you agree or disagree? Is it too much trouble or do you have a solution that works for you?
