Pros and cons of multifactor authentication. Why do users neglect the security of their personal data?
Over the past few years, almost all popular email services, electronic payment services and banks have introduced multi-step (or multi-factor) authentication for their customers. Such measures protect personal data from theft more effectively, yet far from all users enable multifactor authentication for their accounts. What are the reasons for this? Perhaps the usual login-and-password combination really is enough?
Types of additional protection
To answer these questions, we will briefly describe the main multifactor authentication options that exist today.
Note at the outset that many users currently confuse multi-factor and multi-step authentication. In total, four main authentication factors are distinguished:
- “What do you know?” (a password, the answer to a security question, etc.)
- “What do you have?” (a hardware key or token)
- “Where are you?” (IP address, geographic coordinates, etc.)
- “Who are you?” (fingerprints, iris)
Authentication is called multi-factor if at least two of these factors are involved in the process.
For example, you enter a password to access a secure system and then use a USB token containing a unique key (two-factor authentication). But the most common scheme, “enter login and password, then enter a code from an SMS”, is two-step authentication, because you know both your password and the code (the first factor from the list). If the code were generated only on a specific device (your smartphone, tablet, etc.), it would be two-factor authentication. However, many large web services treat two-factor and two-step authentication as synonyms in their documentation, which is not quite correct terminologically but is convenient for end users.
Today many large companies offer their users several authentication options. For example, Google users can use the familiar scheme of linking a username and password to a phone number, install Google Authenticator, or purchase an electronic key for greater security. Microsoft account holders can generate one-time security codes in the Microsoft Authenticator mobile application, which is available for most popular platforms.
Secure but inconvenient
However, the efforts of large companies' developers and marketers have not yet led to widespread use of multi-factor or multi-step authentication. Two-step authentication is used on no more than 10% of Google accounts, even though the ability to bind a username and password to a phone number has been available for seven years. At the same time, the company has not yet decided to make two-step authentication mandatory for all clients, since it is afraid of losing a significant portion of its users. There are several reasons why customers of Google and other companies do not use two-step authentication:
- For some users, any additional step in the familiar authentication scheme is too complicated and incomprehensible. Novice users do not always understand why they need to enter their mobile phone number, while more experienced clients may run into inconveniences with certain services (for example, two-factor authentication in Yandex is implemented in a non-standard way, so it is not compatible with Google Authenticator, 1Password and other popular programs).
- Many customers do not want to give a large company their phone number, real location, etc. For banking services, an additional layer of protection based on a phone number seems an “inevitable evil”, but not everyone wants to hand their data over to an email service.
- Some customers do not want to “tie” their data to a USB key or smartphone, because the device can be lost, and then their personal data may end up in strangers' hands. It has also become clear in recent years that the most common scheme, SMS codes, is not ideal. In 2017, criminals in Germany obtained users' logins and passwords for an Internet bank using Trojan programs. They then exploited a vulnerability in the telephone signaling protocol suite used to deliver SMS, redirected the messages carrying one-time login confirmation codes to their own phone numbers, and transferred the bank customers' money to their own accounts. This case demonstrated once again that two-step authentication with SMS codes may not be the best option (though it is still better than a username and password alone).
Is the game worth the candle?
Of course, existing multifactor and multi-step authentication schemes are not yet ideal: they are not always convenient or universal. So a reasonable question arises: maybe one should just use a login-password pair and not complicate one's life? The best answer here is probably a compromise.
Use multifactor authentication on any site that stores your personal data (social networks, e-mail, Internet banking, etc.). This is not always convenient, but it almost always makes visiting important sites more secure. For rarely visited sites, it is quite possible to get by with just a login and password (the password, of course, must be strong). At the same time, remember that for critical data, USB tokens or biometric authentication are preferable to SMS codes.
We also note that secondary protection factors that until recently were considered exotic, such as authentication with a microchip implanted under the skin, are constantly being developed and improved. These new products may well make our lives more convenient in the near future, but for now we have to be content with more familiar authentication methods. And, of course, remember that even multifactor authentication does not guarantee one hundred percent protection against data compromise; it only significantly reduces the likelihood of information theft.