Multi-factor authentication (MFA) is a critical part of our defence of information systems, but it is far from perfect. I’ve made a list of things I dislike about it, not because I think that MFA needs to go away, but because if we can solve some of these gripes, MFA becomes even more powerful.

What is MFA?

When I talk about MFA, I mean the authentication methods that tend to be used in addition to your username/password. Your password is “something you know”, whereas your fingerprint is “something you are”, and a token generator (physical or app-based) is “something you have”. By combining these somethings, authentication is stronger, because the likelihood of an attacker being able to compromise two (or more) of these simultaneously, without being noticed, is much lower.

MFA gives us an opportunity to spot a stolen password, or an unauthorised login attempt, before a full authentication process is completed. It’s great, in principle.

So, onto what’s wrong with it…

1. OTP values are sus

One-Time Passwords (OTPs) generated by apps and security tokens are usually six digits long. Thanks to the cryptographic algorithms behind them, they should be perceptibly random, making it impossible to predict what any future OTP will be.

So why is it that so frequently, the OTP looks so… un-random? Repeated digits, apparent patterns within the six digits, etc?

It turns out that even if the OTPs are strong, patterns and repeated numbers are quite likely to be observed. I’ve opined on this subject before, and the maths shows that for a six digit OTP, there’s only a 15% chance that all six digits are unique.

And that’s fine. It’s still safe. My issue is not with the security property of the OTP, but with the perception of it. This… quirk… of using such a short value as an authentication measure, risks people trusting it less. Perhaps another way of representing the code would be better?
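The 15% figure can be checked against real codes. The following is an added example, not code from the original post: it implements HOTP as specified in RFC 4226 (TOTP is the same calculation with the counter derived from the clock), generates codes for successive counters, and compares the share with six different digits to the exact value. The secret is the RFC's published test key, used here as sample input.

```python
import hashlib
import hmac
import struct
from math import perm

DIGITS = 6

# Sample input: the ASCII test key published in RFC 4226, Appendix D.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte picks the window
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def exact_all_unique(digits: int = DIGITS) -> float:
    """Probability that a uniformly random code contains no repeated digit."""
    return perm(10, digits) / 10 ** digits       # 10*9*8*7*6*5 / 10^6


def observed_all_unique(secret: bytes, samples: int) -> float:
    """Fraction of generated codes in which all digits differ."""
    hits = sum(len(set(hotp(secret, c))) == DIGITS for c in range(samples))
    return hits / samples


if __name__ == "__main__":
    print(f"exact:    {exact_all_unique():.4f}")
    print(f"observed: {observed_all_unique(SECRET, 50_000):.4f}")
```

Roughly 85% of valid codes therefore contain at least one repeated digit, which is what makes them look "un-random" to a human reader.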

2. I’m wearing out my pocket

Even with services that use Single Sign On (SSO), where I’ve already SSO’d into one service that day, I find I’m frequently prompted for an additional authentication factor. This usually leads to me having to drag my phone out of my pocket… again… for another round of code entry.

The balance between security and convenience is not always there. If I’ve used SSO, with MFA, to authenticate for one service, why should the SSO system subject me to the same flow again just to access another system? I’m sure some combinations of services and SSO systems get this right. Of course, I only notice the ones that don’t…

3. There are too many codes

At the time of writing, my authenticator app has 33 (yes, thirty three) separate codes in it. Some of them I use once in a blue moon, others I use daily. The amount of scrolling and scouring I have to do to get to the right code is frustrating.

This is probably in part thanks to the rather vanilla authenticator app that I use. There are better apps out there, I’m sure, with sorting, searching and other convenience features in them, but too many features in such an important security component also seems like a bad idea, no?

4. Companies still do 2FA over SMS

The first SMS was sent in 1992. That’s thirty years ago. It used spare capacity in GSM networks to send small messages around, and was never expected to be as hugely successful as it was. It was not designed to be a pillar of modern secure communication and unfortunately its security, even through several generational improvements, is just not good enough.

The existence of SIM swap attacks should have invalidated SMS as a means of sending authentication codes some time ago. Yet, today, many companies still use it.

5. Companies still do 2FA over e-mail

The first e-mail was sent in 1971. That’s fifty years ago. It was created at a time when all of the users were known to each other and were trustworthy. It was not designed to be a pillar of modern secure communication and unfortunately its security, even through several generational improvements, is just not good enough.

The ability to intercept un-encrypted e-mails in transit or compromise a user’s e-mail inbox should have led to a move away from e-mail as a means of sending authentication codes some time ago. Yet, today, many companies still use it.

Déjà vu, anyone? 😉

6. The legitimacy of the code request is difficult to verify

MFA codes can be phished with Man-In-The-Middle (MITM) proxies or other methods. Password managers help mitigate traditional phishing attacks to some extent, although they can’t outright stop a user manually entering a password into a phishing site. The same cannot be said for most MFA codes. Aside from user vigilance, there’s very little to guarantee that the code is being entered into the right place.

Where’s the channel binding or other MITM/phish-proofing of MFA challenges and responses?

7. App swapping sucks

Logging onto services on mobile would be easy, were it not for the fact that I have to go to the home page, launch my authenticator, find the code, copy or memorise it, then switch back to the original app and paste/type it in. Where’s the integration? Switching apps is not a security measure in itself; the phone is unlocked the whole time. The only security step that could be necessary is confirmation that retrieval of an MFA code is expected and intended. Everything else is just busy work for the user.

8. Too much is manual with poor integration

A person lifting a sofa

PoV: Me doing the heavy lifting for my OTP app. Image © Ljupco Smokovski via Adobe Stock education license.

I’ve complained about wearing out my pocket, scrolling too much, having to verify the site, etc. This entry in the list captures all of these frustrations and more. While I don’t necessarily think that the auto-fill feature of a browser’s password manager is always a good thing, it certainly increases convenience, permits passwords to be stronger (because they don’t need to be memorable), and reduces handling of them. We don’t often have the same capabilities for MFA, regardless of whether we want them or not.

Where’s the automatic invocation of my phone’s authenticator app when I’m trying to log in to a website from my laptop? Why isn’t the code I need for a particular authentication automatically the first thing I see in my authenticator app? The answer to these and other questions like them can be found in the final entry in my list…

9. The good methods are proprietary

Some (but not all) banking apps have nice authentication prompts and make it really easy to log in to services without introducing any major security issues over more manual/troublesome MFA methods. And I love SingPass, Singapore’s centralised identity system for government and commercial smart-nationwide services. But you can’t build an Internet-wide authentication ecosystem with these technologies, because they’re either locked to a single entity, or are some form of walled garden.

It may not be fair, appropriate or safe to ask banks or GovTech to open up their authentication platforms for any system that wants to use them as an MFA mechanism, but that’s not necessary. Instead, my frustration lies in the fact that through their existence, we know that such streamlined MFA methods are possible. So where are the widely adoptable open and free versions? Many 2FA implementations are still living in the 2010s. It’s 2022 now. We can do better.

Triggered or vindicated?

Are my gripes with MFA way off the mark? Or did you finally find somebody thinking the same things as you about authentication codes? Maybe you have some ideas on how to overcome some of these issues, or think my list needs to be longer. Get in touch with me if you want to let me know your thoughts.