It appears that multi-factor authentication (MFA) is finally being adopted by many organizations, as well as public websites. It is unfortunate that when we look at its implementation path, it has been enacted more as an involuntary act, rather than a request by the masses.
It is perfectly understandable that we all want better security, but we want it without a hassle. This is why, when anyone asks me, “what is the best multi-factor authentication system?”, the hidden message is that they want the method that is the least disruptive to their online experience. It is easy to answer by saying “it’s complicated”, but just as that is not an encouraging answer for anything else, it is certainly not the response anyone is looking for when asking about MFA solutions.
What I suggest is that the best multi-factor system is the one that offers the most options for the login process, while still maintaining the highest level of security. It is extremely important to emphasize the idea that MFA is a full system and not just a single method of securing access to an account.
On most sites, if you forget your username or password, there is usually a link on the login page that allows you to request a hint, or a password reset, usually sent to the registered email address. This is a good secondary method for recovering lost or forgotten information. The same is not true for many MFA-enabled sites.
There are simply too many sites that have implemented MFA improperly, leaving that second factor as a single point of failure. For example, I recently attempted to log into a portal, and the app authenticator was not correctly synchronized to the clock that enables the process to proceed, and no other method was offered to complete the MFA process. Fortunately, the synchronization problem was resolved on the provider’s side, so I was able to log in a short time later.
One method that is often used for failed authentication is the use of one-time backup codes, which are issued at the initiation of the MFA setup. This is a good fail-safe method and should be part of every MFA implementation.
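The fail-safe described in the two paragraphs above, a TOTP check that tolerates a little clock drift plus single-use backup codes as the fallback, as an added Python example that is not from the original post. The secret is the RFC 4226 test-vector value, and the one-step skew window and SHA-256 hashing of backup codes are assumptions.

```python
import hmac, hashlib, struct, secrets, time

# RFC 4226 test-vector secret, used here for demonstration only;
# a real deployment generates a random secret per user at enrolment.
DEMO_SECRET = b"12345678901234567890"
STEP = 30          # TOTP time step in seconds (RFC 6238 default)
DIGITS = 6
SKEW_STEPS = 1     # assumption: accept one step either side to absorb small clock drift

def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"

def totp(secret: bytes, now: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, now // STEP)

def verify_totp(secret: bytes, submitted: str, now: int) -> bool:
    """Accept the code for the current step or +/- SKEW_STEPS, using constant-time compares."""
    step = now // STEP
    return any(hmac.compare_digest(hotp(secret, step + d), submitted)
               for d in range(-SKEW_STEPS, SKEW_STEPS + 1))

def issue_backup_codes(n: int = 8):
    """Return plaintext codes to show the user once, and the hashes to store server-side."""
    codes = [secrets.token_hex(5) for _ in range(n)]
    return codes, {hashlib.sha256(c.encode()).hexdigest() for c in codes}

def redeem_backup_code(stored_hashes: set, submitted: str) -> bool:
    """Single use: a matching code is removed from the store so it cannot be replayed."""
    h = hashlib.sha256(submitted.strip().lower().encode()).hexdigest()
    if h in stored_hashes:
        stored_hashes.discard(h)
        return True
    return False

def second_factor_ok(secret: bytes, stored_hashes: set, submitted: str, now: int) -> bool:
    """Try TOTP first; if it fails (e.g. drift beyond the window), fall back to a backup code."""
    return verify_totp(secret, submitted, now) or redeem_backup_code(stored_hashes, submitted)

if __name__ == "__main__":
    print("current code:", totp(DEMO_SECRET, int(time.time())))
```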
Text messaging has been shown to have protocol weaknesses, and it has been deprecated as a multi-factor method by most respectable providers. In the case of selecting a good MFA system, it makes sense to select one that does not use SMS. The continued use of SMS seems to be a tacit commitment to profit over security, which is contrary to the mission statement of most security companies.
Some multi-factor systems also offer the option of a voice call that recites a code to a registered phone number. This was a good solution back when people had a landline as well as a cell phone, but those days are long behind us, as most folks see no practical reason to have a home phone as well as a cell phone. Of course, it hardly makes sense to use the cell phone number on which the authenticator app resides, because if that phone is missing, or not functioning for any other reason, the voice call will end up in a voice mailbox, expiring long before it is useful.
One of the best MFA options is the use of a hardware token, such as a Yubico “Yubikey” device. What makes this method so useful is that it removes the possibility of phone-based attacks, such as SIM swapping, where a criminal is able to transfer a phone number to another device, and social engineering, where a person can be tricked into revealing the MFA code. The use of a hardware device also allows the registration of a backup hardware token in the event of loss or destruction. A lost hardware device contains no identifying information, so there is no way to link it to an account. Of course, many people bristle at the idea of carrying a separate device other than their phone to log in, but in many cases, the new tokens are so compact as to be unencumbering. Another advantage of a hardware token is that many are also equipped for the new passwordless technology that is emerging.
Multi-factor authentication has come a long way since its early days, but broader acceptance is still a bit slow, and rightfully so. Most people need answers to the questions surrounding this apparent interruption in the login process. The simplest answer to all the vexing questions is that the best multi-factor system is like the best of any product: you want the freedom of options.