The shortfalls of multi-factor authentication and why we should solve them
Dr Steve Kerrison shares his expert opinion about why we should aim to solve some of the gripes about multi-factor authentication.
Having strong, unique passwords is important to secure your information online. However, no matter how careful you are with your passwords, attackers are still looking for ways to crack them. Adding multi-factor authentication (a second authentication method, such as a fingerprint or a generated token, on top of the username/password) makes authentication stronger. After all, the likelihood of an attacker being able to compromise two (or more) authentication methods simultaneously, without being noticed, is much lower.
“Multi-factor authentication (MFA) gives us an opportunity to spot a stolen password, or an unauthorised login attempt, before a full authentication process is completed. It’s great, in principle,” says Dr Steve Kerrison, Senior Lecturer of Cybersecurity at James Cook University, Singapore. “But it is far from perfect. If we can solve some of the gripes behind it, MFA becomes even more powerful.”
One of the shortfalls of MFA is the negative perception that it is not entirely secure. “One-Time Passwords (OTPs) generated by apps and security tokens are usually six digits long. Thanks to the cryptographic algorithms behind them, they should be perceptibly random, making it impossible to predict what any future OTP will be,” Dr Kerrison observes. “So why is it that so frequently, the OTP looks so… un-random?” He adds that even if the OTPs are strong, patterns and repeated numbers are quite likely to be observed — with a 15 per cent chance that all six digits are unique in a six-digit OTP — which risks people trusting OTPs less.
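To put a number on the "un-random" gripe above, here is an added example (not code from the article or from Dr Kerrison) that implements the standard HOTP/TOTP construction (RFC 4226 / RFC 6238: HMAC-SHA1 over a counter, dynamic truncation, modulo 10^6) and compares the fraction of generated codes with six distinct digits against the exact probability for a uniformly random six-digit string. The secret is the RFC's own published test key, used only so the outputs can be checked; the function names are mine.

```python
import hashlib
import hmac
import struct

# RFC 4226 Appendix D test secret (ASCII "12345678901234567890"); not a real key.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then reduced modulo 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(time / step)."""
    return hotp(secret, unix_time // step, digits)


def all_digits_unique(code: str) -> bool:
    """True when no digit repeats anywhere in the code."""
    return len(set(code)) == len(code)


def exact_unique_probability(digits: int = 6) -> float:
    """P(all digits distinct) for a uniformly random `digits`-digit string:
    10 * 9 * ... * (10 - digits + 1) favourable strings out of 10**digits."""
    favourable = 1
    for i in range(digits):
        favourable *= 10 - i
    return favourable / 10 ** digits


def observed_unique_fraction(secret: bytes, n: int, digits: int = 6) -> float:
    """Fraction of the first n HOTP codes whose digits are all distinct.
    A correctly implemented OTP should land near exact_unique_probability()."""
    codes = [hotp(secret, c, digits) for c in range(n)]
    return sum(all_digits_unique(c) for c in codes) / n


if __name__ == "__main__":
    print("exact P(all six digits unique):", exact_unique_probability())
    for c in range(10):
        code = hotp(RFC_TEST_SECRET, c)
        print(f"counter {c}: {code}  unique digits: {all_digits_unique(code)}")
    print("observed over 10000 codes:", observed_unique_fraction(RFC_TEST_SECRET, 10000))
```

The exact figure is 10·9·8·7·6·5 / 10^6 = 0.1512, which is where the "15 per cent" comes from: roughly five out of six codes will contain a repeated digit even though the generator is sound. The useful check for a defender is the opposite direction: if a long run of codes from a token drifts far from this fraction, that is a sign of a broken implementation (wrong truncation or modulus), not of a healthy one.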
In addition, SMS and email, even after several generational improvements, are not secure enough as forms of communication. “The existence of SIM swap attacks should have invalidated SMS as a means of sending authentication codes some time ago. Yet, today, many companies still use it,” Dr Kerrison points out. Similarly, a user’s e-mail inbox could be at risk of being compromised, and unencrypted emails may be intercepted in transit, making authentication over email vulnerable to attackers.
MFA codes can also be phished with Man-In-The-Middle (MITM) proxies or other methods, making it difficult to verify the legitimacy of the code request. “Aside from user vigilance, there’s very little to guarantee that the code is being entered into the right place,” says Dr Kerrison.
Perhaps one of the more frustrating problems with MFA is that it simply isn’t user-friendly, often because poor integration results in too many unnecessary steps. For example, authentication on mobile services often involves users having to go back to the home screen, launch their authenticator, find the code (possibly among dozens of separate codes), copy or memorise it, then switch back to the original app to paste/type it in. Dr Kerrison posits that “Switching apps is not a security measure in itself; the phone is unlocked the whole time. The only security step that could be necessary is confirmation that retrieval of an MFA is expected and intended. Everything else is just busy work for the user.”
Even with services that use Single Sign On (SSO), Dr Kerrison finds that he’s frequently prompted for an additional authentication factor despite having already SSO’d into one service that day — “The balance between security and convenience is not always there.”
However, good MFA methods do exist. Some banking apps — along with SingPass, Singapore’s centralised identity system for government and commercial smart-nationwide services — have well-designed authentication prompts and make it very easy to log in to services without introducing any major security issues over more manual/troublesome MFA methods.
Dr Kerrison remarks, “Through their existence, we know that such streamlined MFA methods are possible. So where are the widely adoptable open and free versions? Many 2FA implementations are still living in the 2010s. It’s 2022 now. We can do better.”
Read more in Dr Steve Kerrison’s original blog post “Nine things I hate about Multi-Factor Authentication”