Nine things I hate about Multi-Factor Authentication

My love-hate relationship with 2FA/MFA

Multi-factor authentication (MFA) is a critical part of our defence of information systems, but it is far from perfect. I’ve made a list of things I dislike about it, not because I think that MFA needs to go away, but because if we can solve some of these gripes, MFA becomes even more powerful.

What is MFA?

When I talk about MFA, I mean the authentication methods that tend to be used in addition to your username/password. Your password is “something you know”, whereas your fingerprint is “something you are”, and a token generator (physical or app-based) is “something you have”. By combining these somethings, authentication is stronger, because the likelihood of an attacker being able to compromise two (or more) of these simultaneously, without being noticed, is much lower.
