Passwords are a liability. They can be hacked, leaked, phished, or stolen. When it became clear that passwords on their own weren’t good enough to secure online accounts, security teams turned to Multi-Factor Authentication (MFA).
MFA adds one or more additional factors to the authentication process that act as more security layers. After the user enters their initial password, MFA asks for more proof by using other factors to validate identity.
MFA is great, but there’s still a massive problem that it doesn’t address. It does not eliminate the most insecure factor in the login process: the password.
What’s next for those who are in search of the holy grail of fundamentally secure authentication? It starts with eliminating passwords, completely.
What Is Multi-Factor Authentication (MFA)?
MFA requires two or more verification factors before an individual can access a resource.
There are different types of MFA, and not all are created equal. To unpack this, we’ve listed them below, from least secure to most secure.
- Something you know: pretty much another password. This information may be in the form of a “what street did you grow up on” style question but, since it is another “shared secret,” it’s essentially another password and has the same vulnerabilities.
- Something you have: a second device or hardware token. Another type of MFA sends push notifications, SMS codes, or email codes to your device. A hardware token provides a code based on a timer that is never transmitted over any network.
- Something you are: your biometrics. The most secure form of MFA uses fingerprints and facial recognition stored securely on the device in a secure enclave or TPM.
Note: Biometrics stored on the cloud or over a network are a shared secret and far more vulnerable because they are essentially a password you can never change.
Adding more factors will always be better than a password by itself. Still, many traditional MFA factors are pretty weak, and the toll these additional factors take on users is not negligible. Traditional MFA solutions bend to the mentality of “it can either be secure or easy but not both.” They lean toward security while sacrificing user experience.
But security versus usability is a false dichotomy, and now it is possible to have robust authentication that is easy to use – even easier than using just a password.
Without a doubt, traditional MFA solutions provide stronger authentication than relying on a password alone.
However, there are two significant problems.
- The user experience of logging in with MFA is time-consuming and frustrating to the point of affecting company productivity.
- Traditional MFA relies on an insecure first factor – the password – and second factors that range in their security from wholly insecure to very secure. In addition to being a very weak authentication factor, passwords can be stolen en masse and sold on the dark web, adding liability risk and cost to the organization.
Traditional MFA Adds Friction to the User Experience
To make traditional MFA work, users usually have to find their second device. They typically have to fish a code out of a text, email, or authenticator app that displays a code for only 10 seconds. Then they have to type the code in before it expires.
It’s a giant pain for users, and at scale, this costs organizations valuable time in productivity.
The average employee toggles between 10 apps per hour to complete tasks in their job description. Imagine how much time is wasted going through the motions of MFA at a company-wide level and how this impacts the bottom line, not just user experience.
Additionally, MFA solutions are expensive to buy and manage at a company-wide level. It’s difficult and sometimes impossible to implement the same kind of MFA across company apps universally. That’s because different apps work with different types of MFA.
These inconveniences add up in a big way. Traditional MFA is additional security at a high cost to convenience.
Traditional MFA Relies on an Insecure Factor: Passwords
Traditional MFA can alleviate some concerns but does not address the underlying problem: eliminating the password from the authentication equation.
Why is the password such a fatal flaw to MFA solutions?
Passwords are shared secrets.
They can be easily leaked and sold, creating significant liability for businesses.
Here’s the bottom line: If any factor in the login experience is a password, you are wholly relying on your second factor. Since passwords are so universally compromised, they hardly count as a factor at all. And passwords are at the core of traditional MFA, no matter how it’s dressed up.
Just as troubling, many of these plus-one factors are as insecure as passwords themselves.
That means there are many ways to hack MFA.
Four Examples of MFA Hacks
These examples of MFA hacks demonstrate how easily the login experience can be compromised.
- SIM Card Hijacking: SMS one-time passwords can be as insecure as the initial password in the login experience. This common form of MFA presents a large surface area for hackers to exploit. First, they use social engineering techniques to identify a victim and their phone company. To intercept the code, they request a replacement SIM card. They now receive the SMS-based OTPs sent to the victim’s phone number and use them to compromise the victim’s account.
- Phishing Email: Many third parties give customers the option to choose email-based MFA over phone-based MFA. This authentication method is not ideal if the email password has already been compromised in a phishing attack. The hacker doesn’t have to do any extra work to take over your account.
- Man-in-the-Middle Attack: Hackers use a poorly secured network router to intercept a victim’s traffic while the victim is trying to log in. Once they control the connection, they receive the victim’s time-based OTP and can relay it in real time to the target site. In 2019, the FBI issued a warning because these attacks were becoming commonplace.
- Fake MFA Push Notifications: Notifications are annoying, and we want to clear them. That’s why users who opt in to push notifications for MFA are accustomed to receiving and approving these messages. For hackers who possess compromised credentials, there’s a good chance that when the victim gets the MFA push notification, they will grant access without thinking of the consequences.
Because passwords are so universally compromised, hackers are almost guaranteed access once they use these methods to crack the second factor.
These downsides to traditional MFA are so apparent that neither the National Institute of Standards and Technology (NIST) nor Microsoft recommends using one-time passwords sent over insecure channels like SMS or email.
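As an added example (not code from the original post or from any vendor), here is defender-side detection of the push-notification pattern described above: a user who rejects several prompts in a short window and then approves one. The log format, field names and sample lines are constructed for this illustration.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)
// Constructed sample (not real logs), one "RFC3339-time user event" per line: alice rejects three
// prompts within two minutes and then approves; bob approves a single prompt.
const sampleLog = `2024-05-01T09:00:05Z alice push_denied
2024-05-01T09:00:44Z alice push_denied
2024-05-01T09:01:12Z alice push_denied
2024-05-01T09:02:03Z alice push_approved
2024-05-01T09:30:06Z bob push_approved`

// FlagPushFatigue returns each user (with the count) whose approval came after at least minDenials
// denials inside window: repeated rejections ending in an approval is the push-fatigue pattern; bob is not flagged.
func FlagPushFatigue(log string, window time.Duration, minDenials int) (map[string]int, error) {
	denials := map[string][]time.Time{} // per-user denial timestamps seen so far
	flagged := map[string]int{}
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		f := strings.Fields(line)
		if len(f) != 3 {
			return nil, fmt.Errorf("malformed line: %q", line)
		}
		at, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, err
		}
		user, kind := f[1], f[2]
		switch kind {
		case "push_denied":
			denials[user] = append(denials[user], at)
		case "push_approved":
			n := 0
			for _, d := range denials[user] {
				if !d.Before(at.Add(-window)) { // denial falls inside the look-back window
					n++
				}
			}
			if n >= minDenials {
				flagged[user] = n
			}
		}
	}
	return flagged, nil
}
func main() {
	flagged, err := FlagPushFatigue(sampleLog, 10*time.Minute, 2)
	fmt.Println(flagged, err) // map[alice:3] <nil>
}
```

The window and threshold are tuning knobs; a narrower window only counts the most recent denials, so the same log can fall below the threshold.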
Technically, passwordless authentication is also multi-factor, but these factors’ security is fundamentally better because none of the factors is a password. Passwordless authentication that completely eliminates passwords uses vastly more secure factors – like asymmetric cryptography and biometrics built into the device – to validate identity.
This improvement over traditional MFA gives users a better experience because they don’t need to manage passwords or go through the trouble of using a second device every time they log in.
The best way to secure access is to eradicate the password, thereby eliminating the entire threat vector of password-based attacks.
Passwordless solutions that eliminate the password can also solve the friction issue if they utilize additional verification factors built into the device (biometric, security posture, etc.). With this approach, there is no need for a second device when logging in.
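As an added example (not code from the original post or from Beyond Identity), this Go program sketches the asymmetric challenge-response behind the passwordless approach described above: the server stores only a public key, so there is no shared secret to leak; each challenge is single-use; and the signature is bound to the origin the device sees, which is what defeats the real-time OTP relay from the man-in-the-middle example earlier. The origin, user name and message format are assumptions made for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Server holds only public keys and unused challenges: nothing stored here is a shared secret.
type Server struct {
	Origin  string
	Keys    map[string]ed25519.PublicKey // user -> device-bound public key registered at enrollment
	Pending map[string]bool              // issued challenges not yet consumed
}

// Challenge issues a fresh random nonce that is valid for exactly one login attempt.
func (s *Server) Challenge() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err) // an authenticator without a working CSPRNG must not continue
	}
	c := fmt.Sprintf("%x", b)
	s.Pending[c] = true
	return c
}
// message binds the nonce to an origin, so a signature made for one site cannot be relayed to another.
func message(challenge, origin string) []byte { return []byte(challenge + "|" + origin) }
// DeviceSign is the device side: it signs for the origin it actually sees, with a key that never leaves the device.
func DeviceSign(priv ed25519.PrivateKey, challenge, seenOrigin string) []byte {
	return ed25519.Sign(priv, message(challenge, seenOrigin))
}
// Verify consumes the challenge (blocking replay) and checks the signature against the server's own origin.
func (s *Server) Verify(user, challenge string, sig []byte) error {
	if !s.Pending[challenge] {
		return errors.New("unknown or already used challenge")
	}
	delete(s.Pending, challenge)
	if pub, ok := s.Keys[user]; !ok || !ed25519.Verify(pub, message(challenge, s.Origin), sig) {
		return errors.New("signature does not verify for this origin")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // created on the device; only pub goes to the server
	s := &Server{Origin: "https://app.example", Keys: map[string]ed25519.PublicKey{"alice": pub}, Pending: map[string]bool{}}
	c := s.Challenge()
	fmt.Println("genuine login:", s.Verify("alice", c, DeviceSign(priv, c, s.Origin)))
}
```

A database breach here yields public keys only, and a signature captured from a lookalike site fails verification because the origin inside the signed message does not match the real server's.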
Beyond Identity Passwordless MFA
- Eliminates passwords so they can’t be used as a backup or leaked.
- Replaces weak factors (like OTPs) with “something you have” (a computer, phone, or tablet) and “something you are” (biometrics) as second factors.
- Establishes device possession using the biometric protection of the endpoints.
- Completes the login without requiring any out-of-band communication, eliminating SIM swaps, phishing, and man-in-the-middle attacks.
Besides providing the strongest and easiest-to-use authentication solution on the market, Beyond Identity enables continuous risk-based authentication decisions. In addition to validating the user and their device, it can also analyze the device’s security posture and enforce access policies during each login. It can enforce policies on a range of factors such as, but not limited to:
- The firewall is on
- The operating system is running the latest version
- The device has a secure enclave
- The hard drive is encrypted
- MDM and EDR are installed and working
- The device is in a safe geolocation
Security best practices have long recommended adding more layers for increased protection, but what good is that approach if it requires passwords at the foundation? Although MFA is the next best thing to passwordless authentication, it’s simply not good enough.
Traditional MFA secures the primary factor (the completely compromised password) with additional factors that are sometimes, but not always, more shared secrets.
The only way to secure access is to remove the password once and for all, thereby eliminating the entire threat vector of password-based attacks. Decoupling passwords from authentication creates a more frictionless login, better security, and easier access to all resources.