More locks should lead to more security. That was the promise of Multi-Factor Authentication (MFA). So why has account takeover fraud more than doubled in the past few years?
With millions of passwords stolen and published online, requiring an extra layer to log on has always seemed like a good idea. What began decades ago as Two-Factor Authentication (2FA) has evolved into many different form factors — from hardware keys and five-digit PINs to mobile SMS codes, software tokens, biometrics, and beyond.
Today we are still in something of an MFA hype cycle. Interest has boomed over the last decade. But, too often, enterprise security teams have blindly adopted the technology without question. Some even believed it would be the end of their security anxieties.
MFA is in Crisis
Now that cycle may have reached its peak. Buried on page 209 of celebrated analyst Mary Meeker’s annual 2019 Internet Trends Report was a chastening fact — MFA adoption is now going backwards.
Specifically, usage by websites around the world has declined in the last five years (from 55.3% in 2015 to 52.3% in 2018), according to her source — an analysis by Google researcher Elie Bursztein of dongleauth.info and of data on the many MFA methods used by thousands of sites.
For MFA fanatics, it’s time for some overdue self-reflection. The great hope has foundered. Why has the silver bullet failed to have its intended effect?
I believe the answer has little to do with security itself. Sure, most MFA is built on top of the same, vulnerable shared-secrets approach as passwords. And yes, I know you’ve seen vendors reblog the same tired articles about MFA security issues.
This isn’t another rant about the security of two-factor authentication or a debate over which modality is better or worse. I believe the main driver for MFA’s stagnation is a flawed user experience.
The Friction Factor
Here’s something most C-level technology executives overlook — people hate MFA — at least the traditional, outdated, password-based MFA. In a recent survey, 74% of security professionals say their users complain about it. Of course, any additional step creates inertia and kills usability. Want to drive away millennials? Just add more factors to your login experience.
Consumer e-commerce businesses know this. When was the last time you were asked for an MFA code during online check-out? Friction at check-out is such a critical driver of shopping cart abandonment that Europe’s new Strong Customer Authentication (SCA) requirements will wipe out €57bn in online sales, almost 10% of the continent’s total, according to a 451 Research projection for Stripe. It’s no wonder most merchants that have the option choose to pass on MFA and instead “take our chances with the hackers.”
Many enterprises do force their employees to jump through these hoops — but employees are notoriously good at finding ways around MFA. You know who I’m talking about. That coworker who writes every password on a sticky note — that design department that shares a SecurID token taped to the wall — and the contractor who visits the office once a week and leaves a YubiKey permanently plugged into their laptop.
All of these practices are a security nightmare for any admin. But, when inconvenience is imposed upon users, they will develop their own workarounds, often ones that are as bad as the original problem MFA was supposed to solve.
Think about the device you’re using right now to read this. Did you use a password to log in? Was there any type of MFA involved?
It is an irony of the IT landscape that, despite so many individual applications and services requiring a secondary factor, the device required to access them in the first place often does not. MFA is perversely absent from workstation logins — that vital first gate into the corporate kingdom.
In recent years, many companies have deployed MFA on VPN and cloud systems access — good for remote workers who beam into machines at the head office. But not only are these users still a small proportion of the employee base, the industry has overlooked the fact that desktops don’t stay on the desk anymore. Today, work laptops are shared, left unattended at coffee shops, and double as personal home computers — and rarely ever do they require more than a short password to log in.
Locking your bedroom door is futile if you sleep with your front door wide open.
Focus on Removing Friction
Authentication is now at a pivotal moment. Vulnerabilities are increasing — often not for lack of additional security measures but because of them. Authentication has been caught in a vicious cycle.
As my colleague likes to say, “It’s time to demand better from authentication vendors.” We already see security and IT teams making a strong case for accelerating user adoption, and now is a good time for MFA buyers to put user experience front and center.
My advice for these teams would be: When you meet security vendors, don’t jump straight into feature comparisons. You’re speaking with security experts, so have an honest discussion with them about security. Question suppliers on their user experience and simplicity. Usability, speed and satisfaction — those are the hurdles that are holding back adoption. If we can drive adoption forward together as an industry, we can close the MFA gap.
With outdated, traditional MFA now being deprecated by many organizations around the world, the authentication renaissance is already upon us. True Passwordless MFA is a novel method of authentication that ditches the shared-secret approach while keeping the necessary additional authentication factors. Building on top of work done by the FIDO Alliance in this space, we are seeing strong support from category leaders like Google, Microsoft, and Mastercard for passwordless authentication.
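To make the shared-secret point concrete, here is an added example (not code from this post, the FIDO Alliance, or any vendor) that puts a TOTP-style record and a FIDO-style public-key record side by side and asks what a copy of each server record is worth to whoever steals it. The function names are hypothetical, and Ed25519 over a bare challenge is a simplified stand-in for the real FIDO/WebAuthn ceremony (which adds relying-party binding, attestation, and signature counters).

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
)

// Shared-secret factor (TOTP-style, RFC 4226/6238 truncation). The server keeps
// the same seed the authenticator does, so the stored record is itself a credential.
type TOTPRecord struct{ Seed []byte }
// totpCode derives a 6-digit code from the seed and a time-step counter.
func totpCode(seed []byte, counter uint64) uint32 {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, seed)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f
	return (binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff) % 1000000
}

// ServerAcceptsTOTP is the server-side check: regenerate the code and compare.
func ServerAcceptsTOTP(rec TOTPRecord, counter uint64, code uint32) bool {
	return totpCode(rec.Seed, counter) == code
}

// ForgeFromLeakedTOTPRecord: a copied server record runs the same function the
// server does, so a database breach or stolen backup mints accepted codes.
func ForgeFromLeakedTOTPRecord(rec TOTPRecord, counter uint64) uint32 {
	return totpCode(rec.Seed, counter)
}

// Public-key factor (FIDO-style). The server stores only the public key; the
// device signs a fresh server-chosen challenge with a key that never leaves it.
type FIDORecord struct{ Pub ed25519.PublicKey }
// DeviceSign is the authenticator's side of the exchange (hypothetical helper).
func DeviceSign(priv ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(priv, challenge)
}

// ServerAcceptsFIDO verifies the signature over the challenge the server issued.
func ServerAcceptsFIDO(rec FIDORecord, challenge, sig []byte) bool {
	return ed25519.Verify(rec.Pub, challenge, sig)
}

// ForgeFromLeakedFIDORecord: the stolen record carries no signing capability, so
// the best the attacker can present is a non-signature (all zeros), which is rejected.
func ForgeFromLeakedFIDORecord(rec FIDORecord, challenge []byte) []byte {
	return make([]byte, ed25519.SignatureSize)
}
```

The asymmetry is the whole argument: the TOTP record verifies and generates with one key, so leaking it is equivalent to leaking the factor, while the FIDO record can only verify, and a signature bound to one challenge is useless against the next.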
Gartner predicts that, by 2022, 90% of midsize enterprises will implement passwordless methods in more than 50% of use cases, up from 5% in 2018. The goal of ubiquitous, usable MFA can still be realized, if enterprises are prepared to approach the solution from a different angle — not by adding friction factors, but by subtracting steps. In other words, stop counting factors, and focus on removing the password altogether.