The Multifactor Monstrosity and how it haunts you…

Blog | Posted: 17-07-2020
Distology Blog

A brief history of Passwords

Passwords have existed since at least the middle ages, acting as watchwords for armies and noblemen. Today, passwords are required for almost everything, from accessing your business portal to simply unlocking your phone.

The password has become the barrier in front of everything, and one of the most important pieces of information you carry.

However, even though it is one of the most important pieces of information we hold, it is also the weakest barrier we have in place.

One of the reasons passwords are so weak is that it is far easier to type and remember something like ‘Password1’, and reuse it everywhere, than it is to create a strong, unique password for every single account you hold. A guessable password falls to a brute force attack; a reused one falls to credential stuffing as soon as any one site that holds it is breached.

As a result, people have been looking for ways to secure passwords or replace them altogether. One of those solutions is multifactor authentication (MFA).

What is a Multifactor?

A second factor can be any of a number of things, but they usually fall into one of three categories:

  1. Knowledge (something you know)
  2. Possession (something you have)
  3. Inherence (something you are)

Knowledge type MFA confirms the user’s identity by asking for something only the true account holder should know. Security questions are the usual example: the question is framed around the past (‘what town did you grow up in?’) so the answer is not something the user would be seen using day to day. The catch is that these answers are often short, drawn from a small set of possibilities, and discoverable from social media or public records. A password plus a security question is also still two knowledge factors rather than two different kinds of factor, so it does not give the protection the term MFA implies.

Possession type MFA confirms the user’s identity by proving they hold a particular device or token. Online banking is a familiar example: the bank sends a message to your mobile about a large payment and you respond ‘YES’ or ‘NO’. Other possession factors are one-time codes generated by an authenticator app, codes sent by SMS, and hardware tokens. Mobile phones are the most common carrier for this type of MFA because most of the population owns one, it is usually on their person, and it can be tied to a single account holder. Not all possession factors are equal, though: a code sent by SMS can be intercepted by an attacker who takes over the phone number, whereas a code generated on the device, or by a hardware token, can only be produced by whoever holds it.

Inherence type MFA uses biometric data to confirm the user’s identity, for example Touch ID, where a fingerprint confirms that the person logging in is the one who enrolled. On modern mobiles this usually works together with a possession factor: the fingerprint unlocks the phone or the authenticator app on it, and the biometric template never leaves the device. Standalone biometric scanners can also be bought separately.

Whichever type is used, it can be required on every login or only occasionally (on a new device, say), but the purpose of the extra factor is the same: an attacker who has obtained the password alone still cannot get in.

It sounds like a great solution! Why is it a Monster?

When it comes to securing accounts, MFA has a different issue compared with passwords… it’s optional.

Given the option, everyone (including those who know the risks) may choose not to use MFA because it can be seen as a hassle.

It can add a few seconds to your login when used alongside a password; longer for possession type MFA, which often requires you to unlock and log in to a second device during the process.

In the tale of Little Red Riding Hood, we see Red venture through the forest despite her mother’s warning – simply because it is a faster route, and that is what is happening with MFA avoidance.

MFA is not forced upon us, so we choose to ignore it.

Similarly, a lot of companies tend to not enforce MFA for access to their services as it can deter customers.

Setting up MFA creates an additional action for the user to complete, so they may be deterred from creating an account at all. And since it is not enforced on the majority of platforms, users are not getting acquainted with MFA the way they did with passwords.

Compare it to registering for online delivery: you must enter your email, a password (twice), your address and your credit card details before confirming your email address, and the seconds soon add up.

None of those steps is optional, but setting up MFA is, so users take the path of least resistance and opt not to set it up, despite it being there to protect their data.

The paper ‘Multi-Factor Authentication: A Survey’, published in January 2018 by Aleksandr Ometov and co-authors, gives us a better understanding of the factors that deter users from using MFA.

These factors are:

  • Task Efficiency
  • Task Effectiveness
  • User Preference

Task Efficiency is the time taken to register and authenticate with the system; Task Effectiveness is the number of attempts it takes to log in.

The longer those times and the more attempts a method needs, the less likely a user is to adopt it. Even a few extra seconds is perceived as a burden.

Their table of biometric factors also shows a loose correlation between user preference and how easily a factor can be spoofed: even when users set up MFA, they tended to prefer the methods that are easier to fake.

In some cases though, these choices could relate to a particular security reason – a factor we will talk about in more detail further in the series.

The monstrous MFA blog series

This series aims to explain the different types of MFA and how they help deter and stop brute force attacks and credential stuffing, but also to show the more monstrous side of MFA and how it can be more problematic than passwords if not used correctly.

At the end of this series we will give advice on how to kill your MFA monster and how to not summon Cthulhu in your organisation.

If you have a question surrounding MFA best practices, please contact the Distology team for friendly help and advice.