It really does amaze me how we hurt ourselves. Think about it: we want people to use Multi-Factor Authentication, but we tell them not to use SMS. Oh, use Google Authenticator or Duo's product. Better yet, use a Yubikey or some other hardware MFA solution. All good ideas, but let us get realistic.
With MFA you need to know what the site and its login system will accept. Can you use a Yubikey or an authenticator app? Is SMS the only option available? Now think about this: is an app that much better? How easy is it to use? I know I use Google Authenticator for some apps, and I have to go into the authenticator app, which is an extra step as it is. With sites that only give me SMS as an option, the code pops up on my lock screen or smartwatch, easy to see and quick to type in.
Duo's app will show on a lock screen, but I still find I have to unlock my phone to actually get the app to work from the notification. Still an extra step, but not as awkward as Google Authenticator, where I have to flip between screens if I am using the phone for the site. Duo allows you to just say "yes, allow," not always a code per se. Definitely a better solution in my book, but I do not see it used as much on the public sites I go to.
Phone-based solutions also have one other drawback. If your phone is stolen, you have potentially lost control of your accounts: the thief now has your e-mail to reset passwords with and the authenticator to confirm the reset.
Now, Yubikey I only know of and have not used, but there is one thing I hear people worry about with this hardware MFA solution: what happens if you lose the stick? I also have not seen how something like a Yubikey works with tablets or phones, where you do not have a USB port to plug it into. If you use some special dongle, then you can have an awkward physical situation, holding both the phone and the Yubikey while trying to work on the tablet or phone.
Yes, SMS has issues, but it is better than nothing, and it is easy for the everyday person to use without any real training. Yet we bash it in front of them. What does that do? Simple: it turns them away from using any sort of MFA at all. Now we have made them less secure.
There are other areas where we contradict ourselves in the same way, and I plan on doing some more posts about them in the future. Right now, though, I will let you all stew over this example.