Multifactor authentication (MFA / 2FA) is arguably the most powerful security control deployed over the past 20 years. But it dawned on me that it isn't multi that's really getting it done. It's the fact that one of those factors has been a one-time-password (OTP or 1TP) in a token or app that changes every 60 seconds.
The unwritten math about MFA is that a single factor is difficult to compromise, and thus two of them = difficult^2. But in reality our static credentials have become easy thanks to endpoint compromise and server-side credential breaches. So our math is actually easy x difficult. And easy x difficult is quickly reduced to difficult. While the security benefits of easy and difficult differ significantly, the cost (aka inconvenience) is pretty equal. So we are towing around difficult hackability (great!) and double inconvenience (ouch!)
Do you see where I am headed with this? That's right. I'm advocating for shops to drop their static passwords and migrate to 1TP-only authentication.
It takes a while before a big shift like this becomes palatable in heavily-regulated applications. NIST will need to write a paper on this first. But for consumer apps, retail, and services where the presence of MFA has already been a bit dubious (protecting your conference registration, anyone?) I'd love to see it considered. Get rid of all your password managers, password generators, managing plugins on browsers, spreadsheets, losing plugins when you lose your computer, managing your master passwords that need to be ported to your various machines, being upset that you can't access your home password manager from your work computer, setting up an awkward situation when you don't want to share your password with your son-in-law, and on.
Related things to think about:
- Text-based 1TPs have been downgraded from difficult to merely onerous thanks to SIM-swapping.
- Cookies, IP address, and other adaptive-auth factors are also onerous and you rely on them all day when you access your favorite apps between the 1TP-timeout periods. If they are good enough for the 30 days before you are asked to re-enter your 1TP, realize they are also much better than any static easy factor.
- Onerous x difficult = a pretty good result.
- 1TPs are difficult not because it is difficult to guess a random 6-digit number, but because it is difficult to compromise an authenticator device/app and expose the seed. It is still possible but very difficult. In scenarios where it may happen the addition of that easy static password is going to do nothing for you. Put another way, when the Mossad blows off your front door while rappelling through the back window, "cutting back shrubbery from the windows" is not going to move the needle on your outcome.
- When you are down to just one factor, it becomes a mandatory and ubiquitous factor. When this is the only way to even sign up for a service to begin with, the cost and effort of convincing users to upgrade their authentication disappears. If you run a service today that allows a single password factor but encourages MFA, consider also allowing 1TP-only as an option to allow you to gauge uptake and monitor feedback without disruption.