Are 2FA and MFA an Answer to Password Fatigue?

Access Management and MFA

Are 2FA and MFA an Answer to Password Fatigue?

Read more
Sep 15, 2020

“123456.” That’s the most popular password of 2020. Closely followed by “123456789.” At this point, it’s not even funny. 

Passwords failed as an adequate protection method a long time ago. Credential dumps that expose millions of passwords each year, combined with the tendency to reuse passwords across multiple apps and services, are a recipe for disaster.

And you really can’t blame the users. After all, our mental capacity as humans is limited, and, on average, people have to remember 70-80 login and password combinations. It is unreasonable to expect that users will make each password not only unique but also complex enough to pass the requirements of most modern systems. (You know the drill: 8-12 characters long, not used before, upper case, lower case, and a special character to boot.)

As companies are forced to store and manage employee and user passwords at scale, the danger of relying on passwords is immense. After all, a privileged user whose credentials have been leaked from a completely unrelated service can jeopardize an organization’s integrity through password reuse.

What are the differences between 2FA and MFA

Users need to verify their identity before they can be granted access to resources. There are three possible ways an organization can authenticate a legitimate user:

  • Knowledge—the user provides information only they know, like a password or an answer to a security question
  • Possession—the user proves possession of an item only they have, like a YubiKey or a one-time password (OTP) from a physical token
  • Inherence—the user relies on a characteristic unique to who he is, such as a fingerprint, retina scan, or voice recognition

As you can see above, various types of authentication factors can be used in both 2FA and MFA. The difference between MFA and 2FA is simple. Two-factor authentication always utilizes two of these factors to verify the user’s identity. “Multi-factor” means any number of factors greater than one so MFA could involve two or more factors (technically speaking, 2FA is a subset of MFA). 

How 2FA and MFA strengthen the security of a login/password

2FA (two-factor authentication) and MFA (multi-factor authentication) add an additional security layer on top of a password. While the password is “something you know,” 2FA and MFA add a “something you have” requirement. Nowadays, it usually takes the form of an SMS sent to a specific phone number that contains an OTP (one time password.) 

It stands to reason that this kind of a security setup will be much harder to crack – after all, a user must have access to a phone number in question, which undoubtedly means they are the real user. 

Not so fast.

What are the risks of 2FA and MFA

2FA and MFA approaches can use a significant number of factors on top of a password –  SMS, Emails, tokens. The issue is that all these methods have security issues. Multiple exploit flows can be leveraged to target password-based 2FA logins, including automated phishing tools (Necro browser and similar), Man-in-the-middle attacks, and other methods.

Another issue is that we are still relying on users who are vulnerable to phishing and social engineering attacks. There are multiple ways social engineering can be used to bypass a 2FA. 

For example, a malicious warning message saying – please verify your account with an OTP sent to your number. Simultaneously, a hacker logs into the system (assuming they already got the password/login combination elsewhere.) The provider sends OTP to the user; the user replies with their OTP to the malicious warning message. And the hacker is now inside the system.

2FA/MFA vs. “risk-based” approach

Risk-based authentication assesses each login attempt in real-time to evaluate the context behind each login. When a user attempts to sign in, a risk-based authentication solution analyzes various factors that might enhance or reduce risks such as:

  • The device used – are they using a device known to the organization? Is it a trusted/registered device?
  • Location – is it the normal location the user connects from? If not – does the change make sense?
  • Network – does the organization know the network the user connects from?

We can then calculate a risk rating based on these factors and decide further actions based on the context. Is it a high-risk or low-risk login attempt? How sensitive is the system/data being accessed? Should we allow the user access, prompt them to submit another authentication factor, or deny access altogether?

Risk-based authentication improves the user experience for trusted and verified users while keeping an eye out of user accounts’ irregular activities, and it is better than a security approach that relies on passwords alone.

However, there are some serious issues with this method too. 

Number one is privacy. Adaptive systems can use various behavior measuring techniques, including everything from keystroke sequences to the pattern of services and tabs opened on a site. Some users might prefer not to make their location known – as is their right.

The second issue is the UX. While adaptive systems give a network an added layer of protection, they do not replace other authentication methods necessary to log in. We still didn’t eliminate the hurdle of passwords.

And not least important is TCO. The more factors we add to the process of authentication, the faster the costs snowball out of control. Adaptive authentication adds complexity and, therefore, adds more weight to IT departments’ workload, hence increasing costs.

Why passwordless authentication is the better approach

The definition of insanity is doing the same thing over and over again, but expecting different results. We keep trying to improve security while still relying on passwords as the primary authentication factor. 

Here is the deal: passwords are fundamentally unsafe, no matter how many additional layers of security we try to add on top. 

As long as passwords stay in the mix, we will continue dragging all the problems of passwords with us, both for the usability, user experience as well as security.

Passwordless authentication takes a different approach. By removing passwords altogether, all the problems of passwords with usability, security, and out of control TCO become a thing of the past.

More Things That Might Interest You

Access Management and MFA

2020 in review: A year to remember

Read more
Dec 31, 2020

Access Management and MFA

Authentication vs. Authorization – What is the Difference Exactly?

Read more
Nov 5, 2020

Access Management and MFA

Single Sign-On – How Does it Work and What is Passwordless SSO?

Read more
Oct 19, 2020