CIAM MFA
Heya,
Multi-factor authentication (MFA) is critical for securing online accounts. But it isn't perfect.
See this tragic story of a woman who lost $17,000 after an attacker took over her account, even though she had MFA enabled. The attacker was able to take over the phone account that the MFA text messages were sent to.
This got me thinking. What are good second factors of authentication for customers?
First, some things to get out of the way:
- Different CIAM systems have different security needs. A bank needs more assurance that the person sending $1000 to someone is who they say they are than a restaurant taking a reservation does. There's no single additional factor that will work for everyone.
- Customers differ from employees in their understanding of security measures and their willingness to put up with them. Best practices for employees need to be modified to account for friction and conversion impact.
Here are some common MFA methods aimed at helping customers secure their accounts and their characteristics:
SMS/text messages:
- Positives: phones capable of receiving SMS messages are very common (68% of global population), the phone number can be separate from the login identifier, the UX is well known, and if a phone number is already collected no additional setup is needed.
- Negatives: vulnerable to phone account takeover, SMS is sent over an insecure network, people change phone numbers (not everyone, but some), costs more than some other options, and network connectivity might be an issue.
Email:
- Positives: people secure their email account, often using systems like Gmail which have great security teams and processes; especially good if the MFA address is different from the login id address and can't be used for account recovery; if an email address is already collected no additional setup is needed.
- Negatives: makes the email address a bigger target than it already is, not many people have two regularly checked email addresses, and if the MFA address is the same as the login id, access to the email address can be lost (some, like school addresses, are purposefully ephemeral).
Passkeys:
- Positives: can't be phished because of domain name locking and the fact that the user never sees the code, standards based, relatively wide support on mobile devices and operating systems.
- Negatives: tied to a single device if you use common implementations, or you have to trust Apple/Google to sync private keys (!) across devices; portable implementations like a YubiKey cost money; less widely supported on websites where you need MFA; UX still improving.
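The "domain name locking" that makes passkeys phishing-resistant is enforced by the relying party, not just the browser: the authenticator signs over a hash of the RP ID it was scoped to, and the browser writes the page origin into clientDataJSON, so the server can reject an assertion that was created on a look-alike domain. The following is an added illustration, not code from the newsletter or from any WebAuthn library; it covers only the RP ID hash, origin, challenge and user-presence checks of assertion verification, and assumes the signature over `authenticatorData || sha256(clientDataJSON)` is verified separately against the stored public key. The RP ID, origins and challenge bytes are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
from typing import Tuple

# Assumed relying party configuration (constructed for this example).
RP_ID = "example.com"
EXPECTED_ORIGINS = {"https://example.com", "https://login.example.com"}
# Constructed 32-byte challenge; a real server generates this randomly per login.
CHALLENGE = b"constructed-challenge-32-bytes!!"


def b64url_nopad(data: bytes) -> str:
    """base64url without padding, the encoding WebAuthn uses for the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_authenticator_data(rp_id: str, user_present: bool = True,
                             user_verified: bool = True, sign_count: int = 1) -> bytes:
    """Construct a minimal WebAuthn authenticatorData as an authenticator would:
    sha256(rpId) || flags || signCount (big-endian). Sample builder for the demo."""
    flags = (0x01 if user_present else 0) | (0x04 if user_verified else 0)
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + sign_count.to_bytes(4, "big")


def make_client_data(op_type: str, origin: str, challenge: bytes) -> bytes:
    """Construct the clientDataJSON the browser produces for the given origin."""
    return json.dumps({"type": op_type, "challenge": b64url_nopad(challenge),
                       "origin": origin}).encode("utf-8")


def check_assertion_binding(auth_data: bytes, client_data_json: bytes,
                            expected_challenge: bytes) -> Tuple[bool, str]:
    """Server-side binding checks for a WebAuthn assertion (signature check out of scope)."""
    if len(auth_data) < 37:
        return False, "authenticatorData too short"
    rp_id_hash, flags = auth_data[:32], auth_data[32]
    # The authenticator hashes the RP ID the browser scoped the credential to;
    # on a phishing domain this hash will never match our RP ID.
    if not hmac.compare_digest(rp_id_hash, hashlib.sha256(RP_ID.encode()).digest()):
        return False, "rpIdHash mismatch"
    try:
        client_data = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON not valid JSON"
    if client_data.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    # The browser fills in the real page origin; the server must allowlist it.
    if client_data.get("origin") not in EXPECTED_ORIGINS:
        return False, "origin not allowed"
    if not hmac.compare_digest(client_data.get("challenge", ""), b64url_nopad(expected_challenge)):
        return False, "challenge mismatch"
    if not flags & 0x01:
        return False, "user presence flag not set"
    return True, "ok"


if __name__ == "__main__":
    good = check_assertion_binding(build_authenticator_data(RP_ID),
                                   make_client_data("webauthn.get", "https://example.com", CHALLENGE),
                                   CHALLENGE)
    # A credential used on a look-alike domain is scoped to that domain by the browser.
    phished = check_assertion_binding(build_authenticator_data("example-login.co"),
                                      make_client_data("webauthn.get", "https://example-login.co", CHALLENGE),
                                      CHALLENGE)
    print("legitimate:", good)
    print("look-alike domain:", phished)
```

Note that the phishing case fails on the RP ID hash before the origin is even inspected: the browser will not let a page on `example-login.co` request a credential scoped to `example.com`, so there is nothing for the user to be tricked into typing.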
Paper mail (I've never seen this, just including it for completeness):
- Positives: higher friction, you know the message is going to a real person, can be tied in with public records or provided documents for more assurance.
- Negatives: latency is high, may be unaffordable or overly manual in certain countries, mail can be stolen or ignored, costs more than other options, restricted to a code, uncommon.
Phone call:
- Positives: works for anyone with access to a phone, can be automated.
- Negatives: subject to the same SIM card/account takeover issues as SMS, requires real-time interaction with users, and many users don't take phone calls from unknown numbers.
Questions about identity relying on public data, such as mother's maiden name:
- Positives: doesn't require any additional devices, no additional network connectivity required.
- Negatives: hard to find questions that are secure/private yet can be accessed at scale only by "good" actors, costs money, and a perfect match of the answer is difficult; if an exact match isn't required, the MFA is less secure.
Questions about identity relying on secrets provided at registration:
- Positives: doesn't require any additional devices, free.
- Negatives: requires the user to remember the secrets, insecure if the secrets are public or shared on socials.
TOTP/Google Authenticator:
- Positives: free, simple to understand, standardized.
- Negatives: requires a separate application, can be frustrating to users, an additional step for adoption, backups are problematic, and time slippage between device and server can lead to issues.
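To make the time-slippage point concrete, here is an added example (not code from the newsletter or from Google Authenticator) of the RFC 6238 TOTP scheme that authenticator apps implement: HMAC-SHA1 over a 30-second time step, truncated to 6 digits. The server-side verifier accepts the current step plus one step on either side, which is the usual compromise between tolerating a client clock that is a little off and keeping the code's lifetime short; it also refuses to accept a step at or before the last one it already accepted, so a code captured in transit cannot be replayed within the window. The window size, step length and the secret used in the demo are assumptions; the secret is the ASCII string from the RFC test vectors, constructed here only so the results can be checked.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional, Tuple

# Assumed parameters (what Google Authenticator uses by default).
STEP_SECONDS = 30
DIGITS = 6
DRIFT_WINDOW = 1  # accept codes from one step before and after the current one


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** DIGITS)).zfill(DIGITS)


def totp(secret: bytes, at_unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP where the counter is the number of elapsed time steps."""
    return hotp(secret, at_unix_time // STEP_SECONDS)


def verify_totp(secret: bytes, code: str, now_unix_time: int,
                window: int = DRIFT_WINDOW,
                last_accepted_counter: Optional[int] = None) -> Tuple[bool, Optional[int]]:
    """Check a submitted code against the current step and +/- window neighbouring steps.

    Returns (accepted, counter). The caller should persist the returned counter and
    pass it back as last_accepted_counter next time, so each step is usable once.
    """
    current = now_unix_time // STEP_SECONDS
    for delta in range(-window, window + 1):
        counter = current + delta
        # Replay protection: never accept a step that was already consumed.
        if last_accepted_counter is not None and counter <= last_accepted_counter:
            continue
        # Constant-time comparison so timing does not leak how many digits matched.
        if hmac.compare_digest(hotp(secret, counter), code):
            return True, counter
    return False, None


if __name__ == "__main__":
    # Constructed demo secret (the RFC 4226/6238 test-vector key); real secrets are random bytes.
    secret = b"12345678901234567890"
    now = int(time.time())
    code = totp(secret, now)
    print("code now:", code)
    print("accepted with 25 s of client clock drift:", verify_totp(secret, code, now + 25)[0])
    print("accepted with 40 s of client clock drift:", verify_totp(secret, code, now + 40)[0])
```

With a one-step window, a client clock that is off by up to roughly 30 seconds is tolerated, but a phone whose clock has drifted by a minute or more will be rejected every time, which is exactly the support ticket the newsletter warns about. Widening the window lengthens the time a stolen code stays valid, so it is a trade-off rather than a free fix; the replay check keeps the wider window from also meaning "usable twice".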
Push notifications:
- Positives: secure delivery, understandable UX similar to SMS.
- Negatives: requires you to have an application on the user's device, which is out of reach for many businesses; requires the user to have a smartphone; phishable.
The takeaway for me is that there is no perfect MFA method. Consider:
- what is the risk profile of actions users can take in your application
- who is your user
- what actions require MFA
- how invested are your users in your application
- can you let users sign up and get value, then set up MFA
Dan