In the wake of the whole Twitter AP attack “thing” (we opined on it in this blog), there has been much discussion about multi-factor authentication (MFA) and whether the current authentication scheme at Twitter is reasonable for corporate use (spoiler alert: it isn’t). Of all the accounts I’ve seen in the industry press so far, I think the WikID blog summarizes it best by calling out both sides of the argument, (more usefully) discussing it in the context of this week’s newly-released Verizon DBIR, and bringing in supporting data from similar services (like Google) that do employ a multi-factor approach. They make a lucid, rational, and logical case for the value. Good for them.
In general though, from a security standpoint, I think all of us in the profession can probably agree MFA is useful. Even the folks over at PhishMe (who posted an analysis about how MFA wouldn’t have prevented the particular Twitter attack) weren’t arguing against MFA in their analysis per se — they were just pointing out that other defenses are required as well. Meaning, other attack scenarios (such as phishing) might still apply even in the presence of MFA. Because, of course, MFA isn’t a panacea — just like everything else in security. So pointing out that we shouldn’t expect it to be (as many in the mainstream journalist crowd seem to suggest that it is) is useful.
Anyway, the point is that most everybody agrees on the security. Which is why it makes it so frustrating that adoption continues to stagnate. Look, there’s a reason that Twitter (the 10th most-visited site on the Internet according to Alexa) doesn’t have two-factor despite a long and storied history of authentication abuse. Before you say it, it’s not about laziness or lack of innovation capability… all one need do to dispute that is look at what they’ve done in relation to the OAuth standard, and you’ll see that they’re more than capable of “going there” technically. They just choose not to.
Look, in the face of overwhelming evidence as to the value of MFA, folks (including Twitter) are slow to adopt it. Why? I think it’s about user convenience: the fact that adoption tends to be painful and expensive for both the end user and the implementer. Who wants that?
Anecdotally, we know that users don’t respond positively to the “usability” of many MFA systems. But what’s interesting to me is that we have evidence that suggests that users hate passwords too. For example, there’s a new Ponemon survey out on customer attitudes toward online authentication (spoiler #2: they hate it). The full report is here (registration required), but the synopsis (press release maybe?) at SecurityBistro gives the gist:
Roughly 50 percent of respondents in the Ponemon survey, “Moving Beyond Passwords: Consumer Attitudes on Online Authentication,” were either “very frequently” or “frequently” thwarted when conducting an online transaction (such as buying a product or completing a transaction) due to an authentication failure on the website.
So I ask myself the question of why MFA vendors don’t position a combination of factors that are all about convenience and sell that (or maybe they have and the market has responded with “no”). There’s no law that says that every MFA solution has to be hard to use. In certain scenarios, proximity cards are almost entirely transparent. Fingerprinting and identification of a device can be almost completely transparent to the end user and can provide a “what you have.” From a “what you know” standpoint, a 4-digit PIN (though relatively non-secure on its own) may be “good enough” in certain scenarios, like when you have a robust “what you have” to back it up (experience has demonstrated this with ATMs), and it’s also highly convenient.
OK, OK, I can hear the authentication geeks out there whingeing even as I say this. But my point isn’t that device identification is great and we should all use it… or that all we need is a numeric PIN. Instead, the point is that those two vehicles, in combination, are about as close to transparent (for the end user) as you’re likely to get. Could the two in tandem be equivalent to a password (note: not better… “equivalent”) under the right circumstances? Maybe. Maybe it could be slightly better. For example, after an initial enrollment tying the device to something else that’s stronger. Quite a few banks seem to think so, as evidenced by two out of three of the banks I’ve used doing exactly that.
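To make the device-plus-PIN idea concrete, here is a small added model of it (my own illustration, not code from the post or from any bank or vendor). It assumes a device token issued once after a stronger enrollment step and stored on the device, a short PIN accepted only from an enrolled device, and a strict failed-attempt lockout, which is what makes a 10,000-possibility PIN tolerable; all storage is in-memory and the names are mine.

```python
# Added example: device token ("what you have") + short PIN ("what you know").
# Assumptions (mine, not the post's): enrollment needs a stronger proof once,
# the PIN is only checked after the device token verifies, and PIN failures
# are counted per account with a hard lockout.
import hashlib
import hmac
import secrets

MAX_PIN_ATTEMPTS = 5  # tight lockout is what makes a 4-digit PIN acceptable


class AuthService:
    def __init__(self):
        # user -> {"pin_hash": str, "devices": {device_id: token_hash}, "fails": int}
        self.accounts = {}

    @staticmethod
    def _hash(value: str, salt: str) -> str:
        # Slow hash so a stolen database does not trivially reveal PINs/tokens.
        return hashlib.pbkdf2_hmac("sha256", value.encode(), salt.encode(), 100_000).hex()

    def enroll_device(self, user: str, pin: str, strong_auth_ok: bool):
        """One-time enrollment: bind a fresh device token to the account.
        strong_auth_ok stands in for the 'something stronger' proof the
        post mentions (e.g. password plus an out-of-band code)."""
        if not strong_auth_ok:
            raise PermissionError("enrollment requires strong authentication")
        acct = self.accounts.setdefault(user, {"pin_hash": None, "devices": {}, "fails": 0})
        acct["pin_hash"] = self._hash(pin, user)
        device_id = secrets.token_hex(8)           # constructed identifier
        device_token = secrets.token_urlsafe(32)   # stored on the device only
        acct["devices"][device_id] = self._hash(device_token, device_id)
        return device_id, device_token

    def login(self, user: str, device_id: str, device_token: str, pin: str) -> bool:
        acct = self.accounts.get(user)
        if acct is None or acct["fails"] >= MAX_PIN_ATTEMPTS:
            return False  # unknown user, or locked until re-enrollment
        expected = acct["devices"].get(device_id)
        # "What you have" must verify before the PIN is even considered, so an
        # unenrolled device cannot use the PIN attempt budget at all.
        if expected is None or not hmac.compare_digest(expected, self._hash(device_token, device_id)):
            return False
        # "What you know": short PIN, every failure counted toward lockout.
        if hmac.compare_digest(acct["pin_hash"], self._hash(pin, user)):
            acct["fails"] = 0
            return True
        acct["fails"] += 1
        return False
```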
Meh… so this is already a fairly detailed rant for a Friday, so I’ll wind it down. But my meta-point is that I think the way to push MFA is to make users want to use it. Some people are doing this now: Blizzard springs to mind. Why is the MFA at Blizzard fun and easy to use whereas the MFA at your bank (mine in particular) is painful and hair-pull-worthy? Because the folks at Blizzard have invested in “selling” it to their user base through a combination of different approaches. They sell it not on enhanced security alone but on a combination of usability, “carrots” for the user (e.g. in-game items), and convenience.
The result? Better security and happier users. Sign me up for that.
<Note: The views presented are my own and do not necessarily reflect those of my employer.>