Feel Free To Send In Questions Or Ideas - Tumblr Posts

2 years ago

This Medium article is interesting. It points out some real, important flaws in MFA from a usability perspective that disproportionately impact users who are homeless, have certain types of cognitive disabilities, or have mobility limitations, and it does a great job explaining exactly why it's hard for members of those groups (also, side note, it's just a pain in the neck even if you're fully abled / neurotypical). It requires you to keep track of a second device, it requires you to have a phone, it requires you to not be easily distracted, among other important problems.

However, once it moves from talking about the ways people struggle with MFA to searching for the root of the problem and concluding that it "outsources the responsibility for keeping a platform safe... onto users" and that "it's a Band-Aid... in lieu of developing systems that protect the entire platform" it seems like the author doesn't quite understand precisely why MFA exists and what it's supposed to protect against.

This (in combination with reading the notes) made me realize that most people just aren't really clear on why MFA/2FA is even a thing and why it's become so widely adopted. No, it doesn't help you if a breach happens, and no it's not offloading security from the company to the users.

So, seeing this, I thought I'd take some time to explain exactly what MFA protects against and why it's not "outsourcing responsibility" so much as dealing with the fact that passwords suck (something the author also points out as disproportionately affecting people with cognitive/physical disabilities!). The very real issues the author points out are actually not with MFA at all -- they're with lazy and inadequate implementations of MFA. And I've got some great news for OP -- the future looks bright and may even eliminate passwords altogether.

MFA/2FA (same thing, different terms) exists because passwords suck. They suck to come up with, they suck to remember / keep track of (password managers make this easier, but that really is a band-aid), and they also suck to track on the back-end of whichever website you're logging in to. Passwords truly are the bane of the modern internet for far more reasons than I care to list.

The biggest problem is that people are very, very bad at coming up with truly random passwords even once, much less the literal hundreds of times we're asked to do it on the modern web. Even someone who only comes up with one password and uses it for everything tends to build it from things like their first/last name, birthday, or words relating to celebrities/interests/hobbies. Those things are chosen precisely because they are memorable, and data like that is generally not too hard to social-engineer.

The reason this is a problem is that as the internet has grown and the computing power an average person has at their disposal has increased, password-guessing technology has improved as well, to the point where many, many passwords are guessable in mere minutes or hours. So, how do websites keep users safe in light of this? Well, they can try to add rate limits so that only a fixed number of attempts are allowed every minute/hour, but then an attacker can just lock you out by using up all the attempts. Similarly, they can try to block by location / IP address, but an attacker with a botnet has access to a near-infinite supply of locations / IP addresses, so that's totally inadequate on its own.

We need a better way to make sure people are who they say they are. This is where MFA comes in. The idea of MFA is that you have Multiple Factors, the factors being 1) "something you know" (a password) and additionally 2) "something you have" (a phone, USB key, etc). While an attacker can trial-and-error guess "what you know" from anywhere in the world, it's much harder for them to steal something you have. If you think of a password like a key to your house, this makes a lot of sense. Part of what makes your house key so secure is that someone would need physical access to it in order to get in.

Ok, MFA is a neat idea to solve a big problem, the question is what exactly do we do to confirm that you have this second factor, this "thing you have"? Well, there are a number of things that are used in the wild (ranked by security from crappiest to least crappy):

1) Type in these magic numbers you got via text message / call (thing-you-have is access to a phone number)

2) Use an authenticator app on your phone that will give you some magic numbers or a push notification (thing-you-have is an authenticator app)

3) Physical keys (most popularly YubiKey) that you have to touch in order to log in (thing-you-have is the physical key)

4) Hardware-based keys built into the device itself (you probably haven't seen these yet, they're the "cutting edge" of MFA, but here the thing-you-have is a specific device)

The worst version of this for both accessibility AND security is text messages (via SMS) and phone calls. Here, the thing-you-have is access to a given phone number, which is technically a thing-you-have but suffers from a crapload of issues: 1) SMS / phone calls are notoriously insecure, 2) it requires cell service 3) it requires you to give them your phone number 4) your phone number can change or you can lose access to it, and 5) it clogs up your text messages which is just annoying.

So why does this exist? On a technical level, text/call-based 2FA is the easiest/laziest way to go, especially if you already collect phone numbers (or want an excuse to). However, not everyone who has a phone also has a phone number, you're counting on the cell company to not have an outage and just... fail to deliver the codes, it's all flaky and gross and kinda sucks all around, but luckily it seems to be slowly giving way to our next idea!

A much better way to confirm this "something you have" factor is the authenticator app (push-notification-based or code-based; most apps can do either). This solves a lot of the issues of SMS/call-based auth, and can even work without any internet / cell service using the 6-digit code (google TOTP or RFC 6238 for technical details, it's neat). However, it still requires you to have a phone so that you can either answer the push notification or type in the code, both of which are annoying, and, as the Medium author mentions, not everyone has a phone.

This is where physical keys come in. Phones are expensive, break easily, and are easy to lose track of (temporarily or permanently). USB keys are less expensive, harder to break, and you can just leave them plugged into your computer all the time (or stick one on a keyring if you carry keys). Hardware keys are much more seamless to use (no more typing digits or pulling out your phone) while providing greater security. To log in to a website, you submit your password, tap the key, and you're in. No copying codes or responding to push notifications. (You can even use your phone as a hardware key in some cases, just by bringing it close to your computer.)

You may be wondering how this is more secure than the previous options, and that's because the key now knows which website it's being asked to log you in to. With the previous solutions, an attacker could send you a phishing link with a similar-looking domain and an identical-looking login page. Once you log in there, they use those credentials to log into the real website, which triggers a push notification or code prompt; you type the code into the attacker's site, they copy it into the real site, and they're in. With the hardware key, it confirms that the domain name is correct automatically, totally eliminating an entire genre of phishing attack where you're fooled by a misleading URL.
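To make the "the key knows the website" point concrete, here is an added toy model that is not from the original post and is not the real WebAuthn/FIDO2 protocol (which uses public-key signatures, a relying-party ID, and a browser-supplied origin inside the signed client data). The idea is the same, though: the browser, not the user, tells the key which origin the page really came from, the key signs the server's challenge together with that origin, and the server refuses anything signed for an origin other than its own. `ToyAuthenticator` and `RelyingParty` are made-up names, and HMAC with a per-origin derived key stands in for the asymmetric signature a real key produces:

```python
import hashlib
import hmac
import secrets


class ToyAuthenticator:
    """Stands in for a hardware key. One device secret, and a separate derived
    key per origin, so a lookalike domain ends up with a different key."""

    def __init__(self):
        self._device_secret = secrets.token_bytes(32)

    def _key_for(self, origin: str) -> bytes:
        return hmac.new(self._device_secret, origin.encode(), hashlib.sha256).digest()

    def register(self, origin: str) -> bytes:
        # Toy: hands the site a shared HMAC key. A real key would hand over
        # a public key and keep the private half inside the hardware.
        return self._key_for(origin)

    def assert_login(self, origin: str, challenge: bytes) -> dict:
        # `origin` is supplied by the browser from the page's real URL; the
        # user never types it, so a phishing page cannot pretend to be another site.
        signed = origin.encode() + b"|" + challenge
        sig = hmac.new(self._key_for(origin), signed, hashlib.sha256).digest()
        return {"origin": origin, "challenge": challenge, "sig": sig}


class RelyingParty:
    """The real website. Knows its own origin and the key enrolled for each user."""

    def __init__(self, origin: str):
        self.origin = origin
        self.enrolled = {}
        self._pending = {}

    def enroll(self, user: str, auth: ToyAuthenticator) -> None:
        self.enrolled[user] = auth.register(self.origin)

    def new_challenge(self, user: str) -> bytes:
        c = secrets.token_bytes(16)      # fresh per login attempt, single use
        self._pending[user] = c
        return c

    def verify(self, user: str, assertion: dict) -> bool:
        challenge = self._pending.pop(user, None)   # consumed win or lose
        if challenge is None or assertion["challenge"] != challenge:
            return False                            # stale or replayed
        if assertion["origin"] != self.origin:
            return False                            # signed for some other site
        expected = hmac.new(self.enrolled[user],
                            self.origin.encode() + b"|" + challenge,
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, assertion["sig"])


def honest_login(rp: RelyingParty, user: str, auth: ToyAuthenticator) -> bool:
    """The normal flow: browser on the real site asks the key to sign."""
    return rp.verify(user, auth.assert_login(rp.origin, rp.new_challenge(user)))


def relayed_login(rp: RelyingParty, user: str, auth: ToyAuthenticator,
                  phishing_origin: str) -> bool:
    """The relay from the paragraph above: the lookalike site fetches a real
    challenge and forwards whatever the victim's key produces. The key signs
    for the lookalike origin, so the real site rejects it."""
    c = rp.new_challenge(user)
    return rp.verify(user, auth.assert_login(phishing_origin, c))


def forged_origin_login(rp: RelyingParty, user: str, auth: ToyAuthenticator,
                        phishing_origin: str) -> bool:
    """Same relay, but the attacker rewrites the origin field to the real
    one before forwarding. The signature covers the origin, so it still fails."""
    c = rp.new_challenge(user)
    forged = dict(auth.assert_login(phishing_origin, c), origin=rp.origin)
    return rp.verify(user, forged)


if __name__ == "__main__":
    key = ToyAuthenticator()
    site = RelyingParty("https://example.com")
    site.enroll("alice", key)
    print("honest login:", honest_login(site, "alice", key))
    print("relayed via lookalike:", relayed_login(site, "alice", key, "https://examp1e.com"))
    print("relayed with origin rewritten:",
          forged_origin_login(site, "alice", key, "https://examp1e.com"))
```

Contrast this with the TOTP flow, where the six digits carry no information about which site they were typed into, so the server has no way to tell a relayed code from a genuine one.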

And then we reach the final version. It turns out that you don't even need a physically separate second factor -- what if the device you're using is the thing-you-have? I'm sure we've all thought it was kind of silly to receive a 2FA code on our phones to log into an app, also on our phone. But in fact, our phones and computers can have a virtual version of the physical key inside of them, and then the second factor is nearly invisible. This is the ultimate goal: MFA without the user seeing the second factor at all.

Once we have that, what are we even using the password for? Well, we do kind-of need it for adding new devices and as a backup for broken / lost devices, but for the most part we've done away with it! This is the best of the accessibility world and the security world, and this is the future we're hoping to build.

Anyways, hopefully I've been able to show that security and accessibility can and should actually go hand in hand. As the tumblr adage goes, why pit two bad bitches against each other?

Linked article: "Multi-Factor Authentication Is Inaccessible" (Medium) -- Autistic people, ADHDers, and people who can't afford cell phone service are excluded by most authentication systems

resharing this oldie because i just got a new laptop and the number of times i am being required to login to things, login to a DIFFERENT app/program/password manager/authenticator, provide a number, and then login again is making me fucking INSANE
