The Myths of Multifactor Authentication

Hopefully by now, everyone has at least heard of multifactor authentication.  But most people are not using it.  Google says that about 10 percent of GMail customers use it.  Based on our customer base, the adoption level for Office 365 users is higher, but not great.  And the adoption for other software is horrible.

To be clear, there are many different forms of multifactor authentication.  The most common but least secure is a text message sent to your phone, unencrypted, with a one time PIN.

While this is WAY better than just using a password, this can be compromised and has been in many cases.  Almost always, this is a targeted attack on a high value (either money or position) victim.  But not always.

A less common multifactor authentication method is to use an authenticator app on your phone.  That way nothing is transmitted at all, except during the initial setup and stealing your phone number does not allow an attacker to use your multifactor authentication.  They would have to physically steal your phone and it would need to be unlocked.  There are many free authenticator apps including from Microsoft, Google, Facebook and others.

So why aren’t people using multifactor authentication?

1. Lack of awareness.  Computer folks understand the risk and how to deal with it, the average person does not.
2. Fear.   People don’t like change, especially in situations where they don’t understand what or why.
3. I’m not a target.  The reality is that everyone is a target because these hackers send out millions of emails a day.  They have no clue who their victim will be, for the most part.
4. Only large companies need it/can use it.    Actually, it doesn’t take much.  Consumer services like Amazon, Facebook and GMail all support it.  Almost all banks support it.  There is a small learning curve, but once you get the hang of it, it is simple.
5. It’s not perfect.   That’s true, but brushing your teeth is not perfect either.  Still, most people brush.
6. I think the biggest issue is it’s not convenient. To some degree this is true.   But, as I often say when I am interviewed, is having an attacker empty your checking account or retirement account inconvenient?  More inconvenient than taking the extra few seconds to use multifactor authentication?

The good news is that it is not an all or nothing thing.

Start with your bank or brokerage account.

Add email.

Once you get used to it, it is not a big deal and way less inconvenient than having to deal with having all of your personal (AKA nude) photos posted online as many celebs have learned.

As Nike says, JUST DO IT!

by