Are 2FA and MFA an Answer to Password Fatigue?
“123456.” That’s the most popular password of 2020. Closely followed by “123456789.” At this point, it’s not even funny.
Passwords failed as an adequate protection method a long time ago. Credential dumps that expose millions of passwords each year, combined with users’ propensity toward reusing passwords across multiple apps and services, are a recipe for disaster.
Now, we really can’t blame the users. After all, our mental capacity as humans is limited, and, on average, people have to remember 70-80 login and password combinations. It is unreasonable to expect that users will make each password not only unique but also complex enough to pass the requirements of most modern systems. (You know the drill: 8-12 characters long, not used before, uppercase, lowercase, and a special character to boot.)
As companies are forced to store and manage employee and user passwords at scale, the danger of relying on passwords grows immense. After all, a privileged user whose login credentials have been leaked from a completely unrelated service can jeopardize an organization’s integrity through password reuse.
What is password fatigue and how does it affect online security?
Password fatigue refers to the feeling of being overwhelmed or frustrated by the number of passwords one has to remember and manage. It can lead people to reuse the same weak passwords, or to write them down, either of which can compromise their online security.
How 2FA and MFA strengthen the security of a login/password
2FA and MFA add an additional cybersecurity layer on top of a password. While the password is “something you know,” 2FA and MFA add a “something you have” requirement. Nowadays, it usually takes the form of an SMS sent to a specific phone number that contains an OTP (one-time password).
It stands to reason that this kind of a security setup would be much harder to crack and could help prevent a data breach. After all, a user must have access to the mobile phone in question, which undoubtedly means they are the real user.
Not so fast.
What are the differences between 2FA and MFA?
Users need to verify their identity before being granted access to resources. There are three possible ways an organization can authenticate a legitimate user:
- Knowledge—the user provides information only they know, like a password or an answer to a security question
- Possession—the user proves possession of an item only they have, like a YubiKey or a one-time passcode (OTP) from a physical token
- Inherence—the user relies on a characteristic unique to who they are, such as a fingerprint, retina scan, or voice recognition
As you can see, various types of authentication factors can be used in both two-factor authentication (2FA) and multi-factor authentication (MFA). The difference between MFA and 2FA is simple. Two-factor authentication always utilizes exactly two of these factors to verify the user’s identity. “Multi-factor” means any number of factors greater than one, so MFA could involve two or more factors (technically speaking, 2FA is a subset of MFA).
What are the risks of 2FA and MFA?
2FA and MFA approaches can use a significant number of factors on top of a password – SMS, emails, tokens. The issue is that all these methods have security weaknesses of their own. Multiple exploit flows can be leveraged to target password-based 2FA logins, including automated phishing tools (Necro browser and similar), man-in-the-middle attacks, and other methods.
Another issue is that we are still relying on users who are vulnerable to phishing and social engineering attacks. There are multiple ways social engineering can be used to bypass a 2FA.
For example, the user is shown a malicious warning message saying, “please verify your account with an OTP sent to your number.” Simultaneously, a hacker logs into the real system (assuming they already obtained the login/password combination elsewhere). The provider sends an OTP to the user; the user types that OTP into the malicious message. And the hacker is now inside the system.
2FA/MFA vs. a “risk-based” approach
Risk-based authentication assesses each login attempt in real-time to evaluate the context behind each login. When a user attempts to sign in, a risk-based authentication solution analyzes various factors that might enhance or reduce risks such as:
- The device used – are they using a device known to the organization? Is it a trusted/registered device?
- Location – is it the normal location the user connects from? If not – does the change make sense?
- Network – does the organization know the network the user connects from?
We can then calculate a risk rating based on these factors and decide further actions based on the context. Is it a high-risk or low-risk login attempt? How sensitive is the system/data being accessed? Should we allow the user access, prompt them to submit another authentication factor, or deny access altogether?
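A toy version of the scoring loop just described, written for this article as an added example rather than any vendor's product logic; the factors, weights, thresholds, and sample data are all assumptions, and it goes slightly beyond the text by also checking whether a change of country is plausible given the time since the last login:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

@dataclass
class UserProfile:          # what the organization already knows about the user
    known_devices: set      # registered device IDs
    usual_countries: set    # countries the user normally signs in from
    known_networks: list    # CIDRs the organization recognizes (e.g. office egress)
    last_country: str       # country of the previous successful login
    last_login: datetime    # time of the previous successful login

@dataclass
class LoginAttempt:
    device_id: str
    country: str
    source_ip: str
    when: datetime
    sensitivity: int        # of the resource being accessed: 1 = low, 2 = medium, 3 = high

def risk_score(profile: UserProfile, attempt: LoginAttempt) -> int:
    score = 0
    if attempt.device_id not in profile.known_devices:
        score += 3  # unknown, unregistered device
    if attempt.country not in profile.usual_countries:
        score += 2  # unusual location
    # "does the change make sense?": a different country within two hours of the previous login
    if (attempt.country != profile.last_country
            and attempt.when - profile.last_login < timedelta(hours=2)):
        score += 3  # implausible travel
    if not any(ip_address(attempt.source_ip) in ip_network(n) for n in profile.known_networks):
        score += 1  # network not known to the organization
    return score + (attempt.sensitivity - 1)  # more sensitive data raises the bar

def decide(profile: UserProfile, attempt: LoginAttempt) -> str:
    # allow / prompt for another factor / deny, depending on the score (assumed thresholds)
    score = risk_score(profile, attempt)
    return "allow" if score < 2 else "step_up" if score < 6 else "deny"

def demo() -> list:
    # Constructed sample data: one user, three login attempts on the same morning.
    t0 = datetime(2024, 1, 1, 9, 0)
    profile = UserProfile({"laptop-01"}, {"US"}, ["10.0.0.0/8"], "US", t0)
    later = t0 + timedelta(hours=1)
    attempts = [
        LoginAttempt("laptop-01", "US", "10.1.2.3", later, 1),      # routine login
        LoginAttempt("phone-new", "US", "10.1.2.3", later, 2),      # new device, office network
        LoginAttempt("laptop-01", "DE", "203.0.113.7", later, 3),   # abroad an hour after a US login
    ]
    return [(risk_score(profile, a), decide(profile, a)) for a in attempts]
```

Running `demo()` yields allow, step-up, and deny for the three attempts, which is the "further action based on the context" the text describes.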
Risk-based authentication improves the user experience for trusted and verified users while keeping an eye out for irregular activity on user accounts, and it is better than a security approach that relies on passwords alone.
However, there are some serious issues with this method too.
Number one is privacy. Adaptive systems can use various behavior-measuring techniques, including everything from keystroke sequences to the pattern of services and tabs opened on a site. Some users might prefer not to make their location known – as is their right.
The second issue is the UX. While adaptive systems give a network an added layer of protection, they do not replace other authentication methods necessary to log in. We still didn’t eliminate the hurdle of passwords.
And last, but not least, is TCO (total cost of ownership). The more factors we add to the authentication process, the faster the costs snowball out of control. Adaptive authentication adds complexity and, therefore, adds more weight to IT departments’ workload, hence increasing costs.
Why passwordless authentication is the better approach
The definition of insanity is doing the same thing over and over again, but expecting different results. We keep trying to improve security while still relying on passwords as the primary authentication factor. Not so sane.
Here is the deal: passwords are fundamentally unsafe, no matter how many additional layers of security we try to add on top. As long as passwords stay in the mix, we will continue dragging all the problems caused by passwords with us, for usability and user experience as well as security. Passwordless authentication takes a different approach. By removing passwords from MFA altogether, all the problems of passwords with usability, security, and out-of-control TCO become a thing of the past.
Passwordless MFA can also solve the fatigue problem. Remember, with most approaches, typing in passwords is still step one. Everything piled on after that is something else that adds time and complexity. A passwordless approach to identity verification can take place faster on a smartphone containing fast biometrics – a fingerprint or retinal scanner – or a combination of a physical key and push notifications to a smartphone or PC. All without typing in passwords or OTPs.
Adaptive methods can even give users added flexibility to define how they wish to be contacted or take the next step in the verification process.
Password Fatigue FAQs
What are the risks of using weak passwords or reusing passwords across multiple accounts?
Using weak passwords, or reusing the same password across multiple online accounts, increases the risk of those accounts being compromised. Hackers can use stolen passwords to gain unauthorized access to sensitive information or carry out fraudulent activities like identity theft. It’s vital that you avoid using a single password everywhere and instead use a strong and unique password for each online account to minimize the risk of cyber attacks.
How can password managers alleviate password fatigue?
A password manager can ease password fatigue by generating and storing strong, unique passwords for all of your personal accounts. This eliminates the need to remember multiple user credentials and simplifies password management. However, password managers themselves can be targeted by attacks such as phishing or malware, and if not properly secured, can compromise user privacy. Plus, the cost and features of password managers vary depending on the provider. While these managers can be a useful tool, they should be used with care and the provider should be carefully selected.
How can passwordless authentication help beat password fatigue?
Passwordless authentication can help beat password fatigue by eliminating the need for users to remember multiple passwords. Instead, biometric authentication or token-based authentication methods are used to verify the user’s identity, providing a more secure and convenient authentication process. This can help to reduce the burden on users of managing multiple logins and minimize the risk of password-related attacks.