TheRobbix1206
I totally agree with you: this article discloses MFA security only to say at the end "Hey, do not use MFA but aMFA, which is MFA but only sometimes", after saying that MFA is not that secure and almost useless when you read this article…
Slowness: don't use SMS or email, use TOTP or trusted-device MFA, this is way quicker.
Annoying: you only say the same thing as in the part about slowness.
Frustrating: "Why can't I just prove who I am once?!" So the problem is not MFA but also the password? Because you shouldn't be asked for it either if we follow your logic.
MFA tokens might be delayed. → Slowness part again
MFA tokens might expire → Slowness part again
MFA factors may not be easily accessible → OK, so this one is about accessibility… but do you know that your OTP can be installed on your PC too? Or even on a tablet? Maybe try something like Authy.
MFA is Often Times Pointless
Let's get to the worst part… which is pointless, because at the end it's "Use aMFA, which has the same security issue but might be better for the upper part".
MFA Won’t Help If Your Factors Are Breached
Yes, you should not rely on SMS codes because there are a lot of issues with phone networks, and one of them is how roaming works: even if you trust your mobile operator, do you trust all the mobile operators your operator deals with in other countries? But disclose the SMS part, not all MFAs…
And the other argument? Password reuse? Is it the user's fault or the provider's fault? It seems to be more of a user fault, and it can potentially be at least somewhat patched by MFA. For example, I had multiple accounts with the same password. But as my MFA is activated, Google didn't even give a chance to the guy who was able to find my password, as he was locked out by MFA, and they sent me an email asking me to change my password immediately. Without MFA, this guy might have been able to access all my data.
MFA Won’t Help If Your Password Isn’t Breached
OH DAMN NO! I think you have never used GitHub or Discord with MFA, because they are not only securing your account with MFA against invaders, they also secure your account against yourself with MFA by asking you for your MFA token if you try any action that is considered "potentially dangerous", which is pretty cool because it makes you think twice before doing something.
And even if your password has not been disclosed yet, if your password is weak, a brute-force or dictionary attack might still be able to get it.
Even When MFA Protects You, It’s Still a Breach
… DON'T SAY THINGS THAT CAN BE BADLY INTERPRETED
Something more precise might say "There are still breaches", because you are talking about server breaches, NOT MFA BREACHES.
And the thing is, you only say: yeah, but what if passwords are dumped? The user is in a pretty bad position! But really, what does it have to do with MFA? Nothing, it's just about password security.
MFA Won’t Help You In Any Number of Other Circumstances
Ah, a more interesting one, which is true! Yes, MFA protects user accounts better on the authentication part of a website, but only on the authentication part; if anything is wrong behind that, you still have the same problem as with password authentication.
How to Fix Multi-Factor Authentication
This part is more about fixing the first part and is pretty fine, even if its security level is a bit lower than MFA every time.
BTW, Microsoft is already using that since they started to implement MFA, I think? Because they only ask you for your token if you connect from somewhere they think you should not be. So, for example, when you are in a foreign country.
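As an added example (not the commenter's or the article's code), here is a small Python policy showing the two mechanisms the comment describes: re-prompting for the second factor on "potentially dangerous" actions (GitHub/Discord style sudo mode) and on sign-ins from an unusual location or untrusted device, backed by a real RFC 6238 TOTP check. SENSITIVE_ACTIONS, KNOWN_COUNTRIES, the sudo window and the sample users are constructed assumptions, not any real service's policy.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional
# Constructed policy data for the example (not from any real service).
SENSITIVE_ACTIONS = {"change_password", "add_ssh_key", "delete_repo"}
KNOWN_COUNTRIES = {"alice": {"FR"}}   # countries each user normally signs in from
SUDO_WINDOW_SECONDS = 300             # how long a fresh second-factor proof stays valid

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1: HOTP computed over the current time step."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the code for the current step and +/- `window` steps (clock skew)."""
    candidates = (totp(secret, unix_time + i * 30) for i in range(-window, window + 1))
    return any(hmac.compare_digest(c, code) for c in candidates)

@dataclass
class Session:
    user: str
    device_trusted: bool      # device previously enrolled as a trusted second factor
    country: str              # country the current request comes from
    last_mfa_at: Optional[int] = None   # unix time of the last second-factor proof

def second_factor_required(session: Session, action: str, now: int) -> bool:
    """Adaptive policy: challenge on sensitive actions, unknown devices or unusual locations."""
    if action in SENSITIVE_ACTIONS:
        # "sudo mode": reuse a recent proof instead of prompting on every dangerous action
        return session.last_mfa_at is None or now - session.last_mfa_at > SUDO_WINDOW_SECONDS
    if not session.device_trusted:
        return True
    return session.country not in KNOWN_COUNTRIES.get(session.user, set())

def authorize(session: Session, action: str, now: int, secret: bytes,
              code: Optional[str] = None) -> str:
    """Return "allow", "challenge" (ask for a TOTP code) or "deny" (bad code)."""
    if not second_factor_required(session, action, now):
        return "allow"
    if code is None:
        return "challenge"
    if verify_totp(secret, code, now):
        session.last_mfa_at = now   # a fresh proof opens the sudo window
        return "allow"
    return "deny"
```

A trusted device in a known country never sees a prompt for ordinary actions, while a sensitive action still asks once and is then quiet for the length of the sudo window.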