CJ on Tech

If it's worth doing more than twice, it's probably worth scripting


Why is MFA so hard to adopt?

Face it, digital passwords have been used since they were invented in 1961 at MIT (https://www.dashlane.com/blog/a-brief-history-of-passwords). Passwords have also been really bad for just as long. Why? Because they're easy. It's easy to re-use the same password for every site, and then it's easy to remember.

Setting long passwords isn't hard either. Use your favorite quote, or some obscure line from a song your parents listened to when you were a kid. The hard part is using a different password for every site or account, and then remembering them all.

“But I use a password manager….”

Use a password manager, they said. This has been a mantra for years; even I use one, and I encourage others to use them too. For years I encouraged one specifically... until it got breached and the attacker downloaded ALL of the vaults. Then it was discovered that the only piece of information actually encrypted in the vault was the password itself. Not the target site, not the username, just the password. Shame, shame, shame. (I haven't used that one in a long time, and now use one that I host in my own house.)

Which brings me to the topic of this article: MFA, Multi-Factor Authentication, or 2FA, Two-Factor Authentication. What is it? It is the use of something you are, or something you have, on top of something you know. Start with your regular username and password combination (1st factor, something you know), then in addition use something else too (2nd factor). For example, when I log in to the credit card app on my phone, the app opens, my username and password are entered, then I have to provide my fingerprint or enter a code texted to me. This is an example of 2FA: using two factors (password + code) to gain access to my account.

This doesn't sound hard, right? It truly isn't hard, once you do it consistently. But..... You knew there had to be a "but" in here somewhere. The use of 2FA/MFA is inconsistent. It still isn't offered everywhere. To make things worse, when it is offered, it is often done poorly (using SMS codes, for example), and the end user often has little say in the matter.

Recently at the Hybrid Identity Conference in NYC (HIP 2023), Microsoft shared that the use of MFA on its Azure (Entra ID) platform is up to 30.7% from about 9%. This is absolutely huge when you consider how big the Entra ID platform is. There is a caveat to that number: it covers only the enterprise customer organizations where Microsoft can gather metrics. Great improvement, but only one platform, with limited visibility.

Why is 2FA/MFA so hard for everyone to adopt? Again, passwords are easy. But that isn't the real root cause, in my opinion. Yes, we humans often do things because they are "easy". But the real reason is that it takes lots of large organizations, and a really long time, for something to become mainstream enough to change normal behavior. Google only made 2FA a requirement on its accounts in 2023. It was turned on by default in 2021, but could be turned off if the user chose.

Another reason it is hard for people to adopt, beyond the fact that not every site or account offers it, is that it is inconsistent. SMS codes, fingerprints, TOTP (time-based one-time passcodes: a 6-digit rotating code entered after providing username and password), and hardware keys are the popular options. Smartcards, hardware passkeys (new to the landscape), phone calls, and approve/deny prompts in a specific app add to the plethora of options. SMS and phone calls are, by far, the worst methods to use, though still better than nothing. A phone call that only asks the user to press the '#' key doesn't validate a specific identity, and SMS can be hijacked through SIM swapping.

If we eliminate the weaker methods (SMS, phone, email), the remaining options, for the most part, are good choices to help protect an account. We are still faced with the fact that many companies (too many, in my opinion) fail to enable any option at all, and often refuse to answer questions about it from outsiders.

Why doesn’t every account offer it?

What do I do about it? 

First, if any option for 2FA/MFA is available, use it. Even if it's just SMS, it is still better than nothing. Protection begins with the account, or the identity. Protecting that has to be the starting point for being "safe"r, and more secure, online.

When do I use this?

All the time, on every account possible. If a given account (Facebook, Google, Microsoft, your bank, your brokerage account, etc.) offers some type of 2FA/MFA as an option, turn it on and use it every time. Especially if you log in on shared computers (e.g. library workstations).

How do I set this up?

The steps to set it up vary by platform, but there are some basic items to keep in mind. Decide which authenticator app you want to use. There are several of them, including MS Authenticator, which happens to be my app of choice. Outside of the specific vendor accounts, these apps can be used for any site that supports TOTP (time-based one-time passcodes), which are (usually) 6-digit codes that change every 30 seconds. After you enter your username and password on a given site, there will be a field (sometimes on another page) to enter this code. Each site will often have a FAQ or a link to instructions on how to enable the option and set it up. Worst case, ask someone.

The bottom line…

The fact is that security is ever evolving and changing. It doesn't have to be a scary thing. This is one more link in the armor, perhaps one of the most important. If you, like me, have far too many accounts to keep track of, take your time. Start with the accounts most important to you. For me, the financial accounts were the priority. Then social media, cloud storage, and everything else. You will have your own strategy.
