Multi-Factor Authentication Sucks

oktadev-blog · December 18, 2019, 8:30pm

Multi-factor authentication is slow, annoying, and frustrating. Let’s talk about ways we can fix it.

oktadev-blog · December 19, 2019, 8:27pm

Richard Bucker

Mfa is an insurance policy which companies use to indemnify themselves. Not protect the users. Regardless of the tech when the benefit exceeds the cost the bad actors will find a way. Just look at the number of recent security alerts. Pure economics.

oktadev-blog · December 19, 2019, 9:35pm

jeffrey bley

So your conclusion is basically that MFA sucks and needs to be left in the last decade, but your solution is MFA, but just not all the time. I’m getting mixed messages. And the fact is that 99% of active hack attempts are going after passwords. That’s why MFA is important. It’s not unbeatable (nothing is) but it’s harder to beat because now the hacker has to physically steal your phone or jump through extra hurdles to get past it. And I don’t know who your MFA provider is but I get my push notifications in 3 to 5 seconds. I feel like this is adding confusion to security discussions and not adding a lot of value.

oktadev-blog · December 20, 2019, 1:15am

TheRobbix1206

I totally agree with you this article disclose MFA security to tell at the end “Hey do not use MFA but aMFA which is MFA but only sometimes” after saying that MFA is not that secure and almost useless when you read this article…
Slowliness: Don’t use SMS or Email use TOTP or trusted device MFA, this is way more quicker
Annoying: You only say the same thing as in the part about slowliness
Frustrating: “Why can’t I just prove who I am once?!” so the problem is not MFA but also password ? Because you shouldn’t be asked for it either if we follow your logic.
MFA tokens might be delayed. → Slowliness part again
MFA tokens might expire → Slowliness part again
MFA factors may not be easily accessible → Ok so this one is on accessibility… but do you know that you OTP can be installed on your PC too ? Or even on a tablet ? Maybe try something like authy

MFA is Often Times Pointless
Let’s get to the worst part… which is pointless because at the end “Use aMFA which has the same security issue but might be better for the upper part”
MFA Won’t Help If Your Factors Are Breached
Yes you should not rely on SMS code cause there is a lot of issue with phone network and one of them is how roaming work, because even if you trust you mobile operator, do you trust all mobile operator your operator deal with in other countries ? But disclose the SMS part not all MFAs…
And the other argument ? Password reuse ? Is it the user fault or the providers fault ? It seems to be more a user fault and it can potentially be at least somewhat patched my MFA. For example I had multiple account with the same password. But as my MFA is activated, Google didn’t even give a chance to the guy who was able to find my password as he was locked away by MFA, and they send me an email asking me to change immediately my password. Without MFA, this guy might have been able to access to all my data.
MFA Won’t Help If Your Password Isn’t Breached
OH DAMN NO ! I think you never used github or discord with MFA cause they are not only securing your account with MFA against invaders, they secure your account against yourself also with MFA by asking you your MFA token if you try any action that is considered as “Potentially dangerous” which is pretty cool cause it makes you think about it twice before doing something.
And even if your password as not been disclosed yet, if your password is weak brute force or dictionnary attack might still be able to get it.
Even When MFA Protects You, It’s Still a Breach
… DONT SAY THINGS THAT CAN BE BADLY INTERPRETED
Something more precise might say “There still breaches” because you are talking about server breaches NOT MFA BREACHES
And thing is you only say, yeah but if password are dumped ? The user is in a pretty bad position ! But really what does it have to do with MFA ? Nothing, it’s juste about password security.
MFA Won’t Help You In Any Number of Other Circumstances
Ah a more interesting one which is true ! Yes, MFA protect better user account on the authentification part of a website but only on the authentification part, if anything is wrong behind that you still have the same problem that password authentifiaction
How to Fix Multi-Factor Authentication
This part is more about fixing the first part and is pretty fine even if it security level is a bit lower than MFA on each time.
BTW microsoft is already using that since they start to implement MFA I think ? Because they only ask you your token if you connect from somewhere they think you should not be. So for example when you are in a foreign country.

oktadev-blog · December 20, 2019, 5:53am

Racle

TIP:
Bitwarden (password manager, you really should use one anyway) has feature to copy TOPT code to clipboard (works on computer and atleast on Android) when filling your login information.
I usually get in to my services with 2FA enabled in under 5s becouse of that.

oktadev-blog · December 21, 2019, 1:34am

ack

ok boomer

oktadev-blog · February 28, 2020, 1:27pm

tommy_turrell

I would say for most application developers and companies the solution is don’t try to to do identity authentication yourself. Leave that to Twitter, Facebook, Google or maybe even Microsoft or Apple and give me the choice. (This comment feature illustrates my point!)

Personally I don’t want identities scattered all over the web, I just want one identity that I can use everywhere (maybe a second one for work). If I trust Google to protect my identity then so should the application developer (Google do a better job of verifying my identity than my bank or health insurance company). My bank have this ridiculous idea that my signature is my identity!

Let someone else solve these problems, don’t reinvent the wheel, get on with solving other problems.

oktadev-blog · February 28, 2020, 1:38pm

tommy_turrell

Lol, I wrote this before seeing that solving authentication for application developers is exactly what Okta does.

I guess a blog post that said don’t worry about solving authentication just use our product would have been a short read!

oktadev-blog · May 25, 2020, 4:34am

Lonestar

Stop calling this MFA. Ever notice how Google identifies this as 2-Step Authentication? Real MFA requires both authentication factors to be submitted at the same time, not “yeah your password is right, now guess this code.” There’s a reason for that. (Hint, you never know if you really know if the cracked password you have is still valid.)

Furthermore MFA requires the factor to be something of different nature. I know you think that it’s “something you have” but it’s really a shared secret, more akin to a key than anything else.

oktadev-blog · July 22, 2020, 2:23pm

appsian

Excellent post providing a whole range of formatting and styling ideas probably won’t be able to implement everything on the list but just raising awareness of what can done and itemising a few ‘to do’s’ will help and I totally agree with you this article disclose MFA security. Very nice post this is a great reminder that there is always room for improvement thanks for the great examples and inspiration

oktadev-blog · August 4, 2020, 10:14pm

Ted

I think the solution is even simpler than that, generate the passwords for the users.

You don’t have credential stuffing attacks to worry about anymore. Log in is fast and easy. It’s far easier to implement than any 2FA. It’s more effective than SMS 2FA. Every web browser stores and fills passwords and works on all devices. If you don’t trust browsers you can use pen and paper where most 2FA require expensive solutions like a phone or hardware token. This article talks more about this here https://passwordbits.com/do…

oktadev-blog · December 19, 2020, 10:11pm

gilbertf

MFA is being forced (DSP2 for EU) onto users to force them to depend upon something they wear.

And because something they wear is something they can/will loose (or stop working in the case of smartphone), this will soon result into 2FA skin-implants being suggested to resolve the very problem they caused in the first place.

A physical card of 100 random numbers was so cheap, simple and worked so well. It had to be replaced by SMS & Android in order to ensure you’re GSM-geolocalisable anytime you connect.

2FA pro:

You keep hackers for accessing your account in case your password compromised.
But you loose: The ability to use your account if your smartphone is
- outdated
- lost
- stolen
- without network (traveling or any other reason)
- with no battery,
- … or Google decided god knows what about your Android device.

Each of these factors being way more probable and possibly as annoying as the hacker’s access scenario.

At the very least it’s a trade-off that should have been left to user decision instead of provider’s choice.

oktadev-blog · February 10, 2021, 1:48am

dirtside

An MFA article from December 2019 that doesn’t once mention TOTP?

oktadev-blog · May 25, 2021, 11:39am

sodapop7

the MFA got you pushing too many notifications eh?
Not everybody likes this.

oktadev-blog · October 16, 2021, 3:56pm

Ryan

It should be our choice if we want MFA on. I won’t hear any rationalities for otherwise.

simplejack · May 25, 2022, 7:13pm

Agreed. If MFA is so important, choice is key. For example, a “smart” phone should not be the only choice, since actually, I don’t own one.