(AKA, “Alan Is Running Out Of Ideas For Post Titles.”)
A quick recap.
In Part 1 we looked at why keeping your personal authentication credentials safe is important.
In Part 2 we explored how passwords are increasingly becoming unfit for purpose.
In Part 3 we had a brief segue into why people inherently struggle with coming up with secure passwords and how we can perhaps improve on this.
In Part 4 we had a flirtation with the notion of “something other than a password” and went paddling into the heady pool of MFA. Problem solved! Right?
Well, mostly. Welcome to Part 5 where we shine a light onto the Magic Bullet that is MFA.
From the outset I will caveat this piece by saying that in the vast majority of cases, any form of MFA is good enough for most people most of the time. Google claims that (as of 2018) since implementing hardware-based MFA the incidence of successful phishing attempts across its 85,000-stong workforce is precisely zero. If an attacker is trying to defeat your MFA-secured account then it’s likely to be a targeted attack rather than some random call centre idiot with a near-impenetrable accent claiming to be “Kevin from Microsoft” (this genuinely happened to me).
MFA at it’s heart is nothing special. All we’re really saying is that a password is a single point of failure, so let’s turn the key in the lock but also shoot the bolt at the top of the door; let’s ask “are you sure?” when you click [delete] on a file; let’s wear belt and braces so you don’t get caught with your pants round your ankles like something out of a 1970s sitcom.
But is it perfect? No. Not least because, people aren’t perfect. Let’s take a look at a few solutions:
Emailing a single-use website link (this and similar are often referred to as a One-Time Passcode or OTP). This is great, assuming that your email hasn’t been compromised! Of course, even if you choose to secure nothing else with MFA, the email account where all your “I forgot my password” links direct to should be your Number One Priority and you can’t really do that with an email to itself.
A code sent as a text message (remember, “something I have”). Convenient but comes with a number of flaws including requiring mobile reception. If an attacker has physical access to your phone then popping up the notification code on the lock screen is a security setting which many people fail to disable; on a locked phone it’s the work of seconds to pop the SIM out and into another handset before requesting the code; and if you’re a high-profile target then it’s not impossible for someone to clone phone numbers.
A phone app. This is likely the best solution for most people. You log in somewhere, an app on your phone goes “is this you?” and you say “yes” (or of course, “no”!) A primary flaw here is alert fatigue: if you’re getting a pop-up every five seconds asking to verify a login, many people will eventually agree to it just to shut the damn thing up.
Biometrics (“who you are”). This one is fun and it really boils down to what you’re protecting. Facial recognition can tell the difference, but a fingerprint scanner doesn’t know whether you’re awake or even alive [EDIT 2024/01/01: higher-end modern devices use ultrasonics which can detect a pulse]. If you have your phone locked to guard against an abusive partner, they could unlock it with a fingerprint in your sleep and you’d be none the wiser unless you’re a light sleeper. A mugger or law enforcement could unlock it by force.
Hardware. Tying credentials to a device such as a laptop is effective… until you lose the device or it dies one day. Google’s ‘dongle’ solution mentioned in the head of this article requires someone to spend actual money on a physical device and it still requires some other means of recovery should you drop your keys down the toilet.
This is not intended as an exhaustive list, rather a taster of why even with good security we shouldn’t be complacent. There is little point in investing in high security locks if we then leave the keys dangling in them. Security is always going to be a trade-off against convenience.
The bottom line is this. Any form of MFA is the single best thing we can all do to improve our security posture today. Just don’t leave your unlocked phone in the back of a taxi or on a pub table.
Thanks for reading.