InfoSecurity Professional INSIGHTS Archive: February 2022
Multi-Factor Authentication: Who’s to Blame if It Doesn’t Work as Intended?
By Ian Rifkin, CISSP
While multi-factor authentication (MFA) usage has increased during the pandemic, its adoption could be higher, given its benefits. So why aren’t more users incorporating this stronger method of authentication? And who is really to blame when they don’t?
Multi-factor authentication requires multiple factors as part of the authentication process. Authentication without MFA (e.g., password-based authentication) only uses one factor, while MFA uses two or more: something you know (e.g., password), something you have (e.g., a phone or security key), and/or something you are (e.g., biometrics). Security professionals agree that MFA significantly increases account security. Failure to adopt MFA makes it easier for hackers to compromise accounts.
MFA, much like password security policies, is dependent on the specific site/service implementation. Organizations do not implement MFA in the same manner everywhere; instead, it’s up to users to figure it out.
As a technology, MFA has been around for many years. In fact, nearly 20 years ago when I was playing the online multiplayer role-playing game Final Fantasy XI, I had a hardware token to use as my second factor. I remember thinking at the time, Why do I have two-factor authentication for a video game and not with my bank? But my bank—a major national bank—did not offer MFA at that time.
The initial problem wasn’t adoption from users; the problem then was adoption by organizations. That was the first hurdle of MFA adoption. People couldn’t use it if the sites/applications they were logging into didn’t offer it.
Fortunately, in the years since, MFA options have become more common. Yet, sadly, MFA still is not a given. According to a Gartner analysis: “By 2023, 60% of large and global enterprises, and 80% of MSEs, will deploy MFA capabilities consolidated with access management or similar tools, which is an increase from 10% and 25%, respectively, today.”
That said, the most recent data available from Twitter via its half-yearly Twitter transparency report stated only 2.3% of all active Twitter accounts had MFA enabled. What it doesn’t say is that to enable MFA the user needs to (1) know and care that Twitter now offers it; (2) log into their Twitter account and explore the menus on their own to find the MFA settings (more → settings and privacy → security and account access → two-factor authentication); and (3) then follow the setup instructions. Given how difficult it is to even find, let alone follow, MFA instructions, is 2.3% adoption simply the fault of the users not caring about their security?
You don’t know what you don’t know
When I signed up for a personal LastPass account, I wasn’t sure it offered MFA. I do know that it wasn’t part of the sign-up process for using the Chrome-based password management tool, or I would have enabled it then. But LastPass is better than many, as the company recently started emailing about MFA and, more importantly, now informs users logging into the LastPass website that MFA is offered. Unfortunately, I’m sure many who rely on the LastPass plugins do not often log into the website.
I wonder how much of the problem is really educating the users about what MFA is vs. just making users apply it. When the few organizations email their users about MFA, they choose to educate based on the assumption that users aren’t enabling it because they don’t know what MFA is. But in doing so, these organizations are making it more complicated than it needs to be. Educational materials should be available for users, but more important is the need to simply normalize the process.
Meanwhile, where businesses require two-factor authentication (including where I work), user adoption is mostly a non-issue. I work at a higher education institution where we require MFA not just for employees but also for all students. I don’t mean to imply it’s completely smooth sailing with no roadblocks, but when businesses remove the choice, adoption rates predictably soar.
When the relationship isn’t employer/employee or school/student and is instead business/customer, then we are quick to blame the user/customer for low MFA adoption rates. CNET once wrote that MFA is “an easy way to keep your accounts safe. The hard part is getting people to enable it.” That was in 2018, yet the focus for blame and implied responsibility remains the same.
We don’t hear about poor adoption rates with setting passwords. That’s because businesses require their users to set passwords (and, increasingly, complex ones more difficult to crack).
Some people shift the blame from users to security professionals, sending mixed messages about the benefits of specific MFA implementation options. CNET cast initial doubt on MFA’s effectiveness using SMS text. “Using two-factor authentication, or 2FA, is the right thing to do. But you put yourself at risk getting codes over text,” said an article from April 2020—the month it began to kick in that we’d all be working from home for longer than anticipated due to the pandemic.
A year later, Brian Krebs of Krebs on Security chimed in with his own warning. “It’s now plainer than ever how foolish it is to trust SMS for anything. My advice has long been to remove phone numbers from your online accounts wherever you can and avoid selecting SMS or phone calls for second factor or one-time codes,” he wrote.
Are they wrong? No. SMS-based MFA is not as safe as an authentication app or a physical security key due to inherent risks like SIM swapping and a general understanding that text messaging wasn’t built to be a robust authentication platform. But some feel presenting SMS MFA as unsafe might be detrimental to MFA adoption in general and consequently are blaming the security professionals attempting to teach best practices.
‘Require the right thing’
It’s not a question of telling users to do the right thing—it’s up to us to tell businesses to require the right thing.
If a provider doesn’t offer MFA, there’s nothing the user can do. If it offers MFA but doesn’t promote it during sign-up, is it the user’s responsibility to navigate deep into their account settings to see if this service has implemented MFA or updated its options? If the provider offers only MFA using SMS, should the user decline, based on criticism of this approach? Even if the user signs up for MFA with a non-SMS option, the provider may still give an SMS fallback option that the user can’t opt out of.
A better approach would be for the security community to pressure organizations, not end users, to require the right thing. Organizations should implement, not just offer, appropriate MFA options. That means either requiring MFA or at least prompting users to set up MFA during and periodically after sign-up.
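To make the "require or prompt" idea concrete, here is an added illustration (my own example code, not anything from the article or from any vendor named in it) of the login-flow decision an organization could implement: mandatory enrollment for employer/employee and school/student relationships, a prompt at sign-up and on a periodic schedule for customers, a minimum acceptable factor strength that ranks SMS below an authenticator app and a security key, and removal of the SMS fallback once a stronger factor is enrolled. The role names, the 30-day re-prompt interval and the sample timestamp are all constructed assumptions for the example.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional


class Factor(Enum):
    """Second factors a user can enroll, ordered weakest to strongest."""
    SMS = 1            # phone-number based; exposed to SIM swapping
    TOTP_APP = 2       # authenticator app on a device the user has
    SECURITY_KEY = 3   # hardware security key


class Decision(Enum):
    ALLOW = "allow"                    # proceed with the login
    PROMPT_ENROLL = "prompt_enroll"    # show the MFA set-up screen; the user may skip it
    REQUIRE_ENROLL = "require_enroll"  # block until MFA has been enrolled


@dataclass(frozen=True)
class Policy:
    # Roles for which MFA is mandatory rather than merely prompted (assumed names).
    mandatory_roles: frozenset[str] = frozenset({"employee", "student"})
    # Weakest enrolled factor that satisfies the policy.
    minimum_factor: Factor = Factor.SMS
    # Optional users are re-prompted this often after sign-up (assumed interval).
    prompt_interval: timedelta = timedelta(days=30)
    # Whether SMS may remain as a fallback once a stronger factor is enrolled.
    allow_sms_fallback: bool = False


@dataclass
class Account:
    role: str
    factors: frozenset[Factor] = frozenset()
    last_prompted: Optional[datetime] = None  # None means never prompted (fresh sign-up)


# Constructed reference time so the example runs deterministically offline.
NOW = datetime(2022, 2, 1, tzinfo=timezone.utc)


def sample_time(days_before: int = 0) -> datetime:
    """Return a constructed timestamp `days_before` days before NOW."""
    return NOW - timedelta(days=days_before)


def strongest(factors: frozenset[Factor]) -> Optional[Factor]:
    """Strongest enrolled factor, or None when nothing is enrolled."""
    return max(factors, key=lambda f: f.value, default=None)


def evaluate_login(account: Account, policy: Policy, now: datetime) -> Decision:
    """Decide whether this login proceeds, prompts for enrollment, or blocks."""
    best = strongest(account.factors)
    if best is not None and best.value >= policy.minimum_factor.value:
        return Decision.ALLOW
    # Employer/employee and school/student relationships: remove the choice.
    if account.role in policy.mandatory_roles:
        return Decision.REQUIRE_ENROLL
    # Business/customer relationship: prompt at sign-up and periodically afterwards.
    if account.last_prompted is None or now - account.last_prompted >= policy.prompt_interval:
        return Decision.PROMPT_ENROLL
    return Decision.ALLOW


def usable_factors(account: Account, policy: Policy) -> frozenset[Factor]:
    """Factors offered at the second-factor step.

    Drops the SMS fallback when a stronger factor is enrolled and the policy
    disallows fallback, so a user who chose an app or key is not silently
    downgraded to SMS.
    """
    best = strongest(account.factors)
    if best is not None and best is not Factor.SMS and not policy.allow_sms_fallback:
        return frozenset(f for f in account.factors if f is not Factor.SMS)
    return account.factors


if __name__ == "__main__":
    policy = Policy()
    for label, acct in [
        ("new customer", Account("customer")),
        ("customer prompted 40 days ago", Account("customer", last_prompted=sample_time(40))),
        ("student with nothing enrolled", Account("student")),
        ("customer with app and SMS", Account("customer", frozenset({Factor.SMS, Factor.TOTP_APP}))),
    ]:
        print(f"{label}: {evaluate_login(acct, policy, NOW).value}, "
              f"offered={sorted(f.name for f in usable_factors(acct, policy))}")
```

Raising `minimum_factor` to `Factor.TOTP_APP` in the policy turns an SMS-only employee account into a `REQUIRE_ENROLL` case, which is how an organization could phase SMS out for privileged populations without removing it from customers who have nothing else.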
Microsoft’s David Weston once tweeted: “Optional security nearly always means low volume.” If we want the security MFA provides, it cannot be a hidden feature that you need to know the secret to unlock. MFA needs to be part of regular processes, whether a user is an employee, customer or contractor. It is our responsibility as security professionals to make this happen.
Ian Rifkin, CISSP, is a strategic technology leader with expertise in web and cloud technologies. He currently is director of data and systems integration at Brandeis University and has a master’s degree in information technology management.