In a previous post, Tripwire asked contributors what their most memorable event of 2018 was. As a follow-up, guest author Bob Covello expands on his thoughts about two-factor authentication (2FA).
We in the infosec community have made enormous progress towards getting multi-factor authentication the recognition it deserves. All the respected folks in the community have been promoting multi-factor as the best protection against account hijacks.
To review, every simple account takeover of every online account could have been prevented if the account holder enabled multi-factor authentication on those accounts. More sophisticated account takeovers using SIM swaps and other more complex techniques are beyond what I am discussing here. I am only writing about the easily guessed or discovered password compromises that allow anyone unfettered access to an account.
Although we have made strides in getting multi-factor some recognition, we are still not doing a good job at getting full adoption of the platform. Most of the people I talk to still view two-factor authentication (2FA) as more of an inconvenience. We all know what happens when a person has to choose between security or convenience; security loses every time. This is a sad reality.
I have tried to remain optimistic, and I have been a champion of 2FA for many years. Who could deny the advantages of this fantastic technology? Then, the recent Azure failures happened. This was a bad moment for Azure customers and an even worse moment for 2FA advocates. Some folks recommended the use of a “safety account” that is not protected by 2FA.
This was curious to me. I am not insensitive to businesses that lost money during those Azure failures, but if we expand the idea of a 2FA backdoor account, it is not a far walk to the topic of encryption back doors.
The question that comes to mind is as follows: how can we argue against government back doors to encryption yet think to allow our own backdoor to our online accounts?
Fortunately, some voices of reason rang out from the darkness:
I hope that the 2FA engineers can make this failure a distant memory.
However, that stills leaves me wondering, what approach can we take to get people to adopt 2FA? We need to a strategy that goes beyond the emotional security response and hits on a deeper psychological level. For this, I consulted with the esteemed Doctor Jess Barker.
If you are unfamiliar with Dr. Barker, she is a unique Ph.D., working on the human side of cybersecurity. The question I posed is:
“Rather than using the usual methods of convincing a person to use a particular security mechanism, is there a way that can touch on a deeper psychological level? (Please note that “the usual methods” consist of begging and pleading; there has to be a better way!)”
Jess offered this as an approach:
“We can look to behavioral economics for some ideas on how to get better engagement with 2FA. Ideally, 2FA should be on by default. People will often not bother opting-in to something, but likewise, if that something is on by default, they also won’t bother opting-out. The UK government did this for pensions in 2012 and membership of such schemes increased by five million in the few years that followed. Social proof can also be really powerful in shaping behaviors: essentially, people are influenced by what other people are doing. It would be great if we could say “the majority of people use 2FA!” to convince more people to use it, but sadly, I don’t think this would be accurate (https://cyber.uk/2fa/). However, we could say something like “people who want to stay safe online, use 2FA.” Some organizations have been clever in incentivizing people to engage with 2FA; for example, MailChimp offers a 10% discount over the first three months when an account-holder sets up 2FA. It would be really interesting to see the statistics associated with that. Finally, when I’m working with an organization to raise awareness and encourage positive behavioral change, I find it really impactful to show people why we recommend a certain behavior (for example, how easy passwords are to compromise) and give them really clear guidance on pursuing the positive behavior. (I love the website https://www.turnon2fa.com/ for this.)”
I told you she was unique! Thanks for that, Dr. Jess!
2FA is not entirely fool-proof. I am familiar with the method of presenting a fake login page that also presents a 2FA field. 2FA information is then ported from the attacker’s server to the real login page, (thus compromising the 2FA mechanism) but again, that is a much more sophisticated, and usually targeted, attack method. The majority of internet users do not use 2FA, so the pickings are easy.
I am confident that a new approach to 2FA adoption may yield good results.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.