Why so Much Resistance to MFA?

I was speaking with a doctor friend the other day. We were chatting about electronic medical records and how her office secured the patient information. She told me about all of the usual and expected safeguards such as passphrases, multifactor authentication (MFA) and two-factor authentication (2FA). She added that if she needs to prescribe certain medications, she has to use multiple authentication methods. Multi-multifactor authentication!

For many people, the mere idea of using passwords—and more contemporarily, passphrases—causes intense discomfort. I know some folks who would rather remain perpetually logged in to their computer than have to type their dreaded password more than once a day. Mentioning multifactor authentication seems to cause pain and anguish to some people. It is no wonder, then, that in the recent Thales Data Threat Report, respondents indicated that the use of MFA was only at around 55%, far below a saturation level. Is the resistance to MFA one of misunderstanding, misinformation or the perception of inconvenience? And how can it be overcome?

Passwords

Computer systems were once adequately protected with passwords. While some early hackers spent time guessing administrator passwords just to increase their access time on a system or to use more disk space, these were relatively benign exploits. Once computer systems became more widespread in all areas of our lives, the exploits became more of a vehicle for bragging rights. Simple passwords were enough to discourage casual guessing, as the possibility of guessing the right combination seemed unlikely.

Once the internet was born, criminal minds found newer, more lucrative ways to benefit from guessing users’ passwords. The specious solution to this new development was to make passwords more difficult to guess, but that only protected us from someone who wasn’t willing to spend time guessing and trying to log in. Over time, more sophisticated techniques—such as using hash collisions to reveal passwords—became easier and more readily available for sale.

Token Solutions

To eliminate the password guessing game, a new method of logging in was developed. A person could carry a physical device, known as a token, which was required in combination with a password to complete the login process. And multifactor authentication was born! Tokens had a small liquid crystal display (LCD) screen that showed a set of characters that would change every few minutes; they were synchronized to a clock at the corporate headquarters of the issuing company. For most small companies, this method was expensive, and use of tokens was thus limited to financial institutions or other organizations that dealt with extremely sensitive information.

Two of the biggest drawbacks of the token method were possession and battery life. A token required the user to have the token available, and the token contained a battery that would become depleted over time. Usually, the issuer would send a replacement prior to the expected expiration of the token, but each new token required administrative overhead to set up. This created other challenges as well; for example, distribution became more complicated still if the company had a global footprint. It also did not fully guarantee the security of the login, as the token could be given to someone else or stolen and used to impersonate the authorized custodian. Of course, the biggest challenge arose if a person lost the token or if it was stolen. Even the fastest courier couldn’t get a replacement token into the hands of the affected user immediately.

MFA in the Palm of Your Hand

To be clear, the token-based method is still in use in many organizations, and in some cases, it is the preferred method for issuing a one-time password (OTP) to enhance security. However, two developments have made the use of MFA too easy for even the most resistant person to ignore.

Both MFA and smartphone integrations have evolved. Modern MFA systems can be configured to call a phone number, send a text message, display a code through an authenticator application or use a combination of one or more of these methods. This is important, due to the ubiquitous nature of mobile phones and devices. As one Supreme Court justice remarked, “Modern cellphones … are now such a pervasive and insistent part of daily life that the proverbial visitor from Mars might conclude they were an important feature of human anatomy.”

MFA: The Carrot or the Stick

It is hard to understand why so many organizations, as well as private individuals, are still reluctant to use MFA. Most sites, including many social media sites, now offer MFA to protect logins, user information and privacy. To add extra muscle to the move to MFA, U.S. president Joe Biden’s recent executive order mandates the use of MFA by all government agencies.

MFA is certainly here to stay, and if your organization isn’t yet using it as a standard process to protect personal and business information, well, it’s time to change that. Whether you need to make its use mandatory or introduce further security education to convince users of the necessity, it’s time to join the effort, and enable MFA in as many places as possible.