Authentication

Securing Your User Experience with MFA

By Matt Keib

Saying cyberattacks are becoming increasingly common is speaking from the past. Cyberattacks happen more frequently than most people can imagine.

Even though the days are gone when a somewhat decent password would thwart unauthorized access, end users still struggle with creating strong passwords, despite the extensive security training many organizations conduct for employees. Many users continue to fall for ploys to get their passwords, like phishing attacks, resulting in significant financial losses for companies.

Multi-factor authentication, or MFA, allows you to protect your users from the security issues that plague passwords. Instead of focusing so much on strong passwords and keeping those passwords safe, MFA adds an extra layer of authentication to the login process. This means that even if users’ passwords are intercepted, MFA can prevent most cases of unauthorized access.

The only downside is that MFA introduces an additional step in the login process, which raises concerns about user experience (UX).

This article explains why MFA is good practice for any user, not just privileged accounts. It also explores how passwordless authentication can help promote a frictionless MFA login process.

The Challenges with a Traditional Password-Based Approach

Organizations that rely on traditional password-based authentication are trapped in a never-ending cycle of password rotation, complexity, and compliance policies.

Password complexity and compliance policies force users to create strong passwords with higher character counts that include special characters. This approach makes some common attacks more difficult or impossible.

For instance, brute-force attacks involve automated software that tries numerous password combinations quickly using immense computational power. Each character added to a password increases the computing resources an attacker needs, making brute-force attacks more difficult. Complex passwords deter dictionary attacks even better. These attacks work similarly to brute-force attacks, but they rely on a list (the "dictionary") that contains all the passwords to be guessed. (And yes, believe it or not, many of the most basic passwords found in these dictionaries are still used by many.)
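A password screening check that puts the two attack types side by side, as an added example (not part of the original article): it estimates the brute-force search space and separately rejects dictionary entries and passwords containing personal terms. The deny-list, the 60-bit threshold and all function names are assumptions made for illustration.

```python
import math
import string

# Constructed sample deny-list; a real deployment would load a large
# list of known-breached and commonly used passwords.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "1q2w3e", "letmein"}
MIN_BITS = 60  # assumed policy threshold, not a value from the article

def charset_size(password: str) -> int:
    """Alphabet size a brute-force search must cover (ASCII classes only)."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    return sum(len(cls) for cls in classes if any(c in cls for c in password))

def brute_force_bits(password: str) -> float:
    """log2 of the brute-force search space: length * log2(alphabet size)."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0

def screen_password(password: str, personal_terms=()) -> list:
    """Return the reasons to reject a password; an empty list means accept."""
    reasons = []
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        reasons.append("in dictionary")
    if any(t and t.lower() in lowered for t in personal_terms):
        reasons.append("contains personal information")
    if brute_force_bits(password) < MIN_BITS:
        reasons.append("search space too small")
    return reasons

if __name__ == "__main__":
    # Constructed sample inputs.
    samples = [("qwerty", ()),
               ("Springfield2012!!", ("Springfield",)),
               ("Tr0ub4dor&3x!Kp9", ())]
    for pw, terms in samples:
        print(f"{pw!r}: {brute_force_bits(pw):.1f} bits, "
              f"reject={screen_password(pw, terms)}")
```

The second sample scores well over 100 bits on the brute-force estimate yet is still rejected, which is why a length-and-character-class rule alone is not a sufficient policy.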

However, attackers are always finding new ways to circumvent the obstacles posed by strong passwords. For instance, they can steal passwords via phishing, deceiving a user through a malicious email that claims to be legitimate. They can also extract passwords from unsecured databases with weak passwords, no passwords, or poor access controls. Another method they can use is shoulder surfing, which relies on watching a user’s keystrokes when they enter their password.

Moreover, attacks don’t always come from outside your organization. Insider threats are common, where the attacker is part of your organization.

Finally, passwords can also be lost (or given away) due to bad practices such as the following:

  • Keeping passwords in a text file: Notepad files can easily be extracted from the user’s device during a backup or remote session if it is a shared computer or if the file is accidentally placed on a shared drive.

  • Keeping passwords on a Post-it, typically stuck to the computer in an office where people walk around daily

  • Using the same password for many different services: It takes only one breached service for all of the user’s accounts to be compromised. When attackers get access to a password, reusing it on other services is one of the first things they try.

  • Sharing passwords verbally or via unsecured channels: Just like with Post-it notes, what is said can be heard, and unsecured channels like email pose the threat of interception.

  • Using personal information in passwords: Attackers often gather all the information they can about a defined target and then try that personal information, like university graduation dates, hometowns, and the date they got married, as passwords.

  • Using obvious keyboard patterns such as “qwerty” or “1q2w3e”: These passwords are commonly found in dictionary and manual attacks.

  • Saving passwords in browsers without a master password: Anyone who has access to the user’s computer will be able to open the browser, go to the stored passwords, and see all of them (and their associated accounts) in plain text. (Don’t discount a technician checking on some computer error.)

Because of all the ways passwords can be compromised, organizations often also require users to change or rotate their passwords. This requirement doesn’t protect passwords as much as it limits the window of opportunity for attackers to decrypt and use stolen passwords.

A major downside of all these policies is that they create friction in the user experience. Users frequently forget their constantly changing and complex passwords, resulting in a rise in password-reset service tickets and lost time.

Why MFA Is So Secure

MFA is an authentication method that grants users access to a system based on a combination of two or more factors from different categories:

  • Something the user knows: such as a password, a PIN, or a personal security question

  • Something they physically have: such as a security token, a smartphone with an authentication app, or a smart card

  • Something they are: such as biometric verification methods based on unique physical characteristics of the user, like fingerprint scanning, facial recognition, or iris scanning

(As an aside, while MFA verifies the identity of a user [authentication], authorization determines what resources a user can access once their identity is confirmed. They work together to secure systems: authentication ensures the right person gains access, and authorization manages what that person can do once inside. No organization wants an administrator account to be compromised, right?)

Some of the most widely known MFA methods include an authenticator app on the user’s phone, an email sent to the mailbox used to register for the service, an SMS or a phone call to the user’s number, a device called a FIDO key, or a smart card.

For instance, a financial institution using MFA may require customers to use both a password and a one-time code sent to the customer’s phone.

MFA is so secure because most of these secondary factors are in the possession of the legitimate user (email as a secondary factor being the exception). If an attacker wants to gain access to an account secured with MFA, they will have to be in possession of the target user’s credentials and their MFA device.

Yes, attackers can get access to a second factor. For example, SMS can be compromised by a SIM card swap or by intercepting an SMS message sent unencrypted over the network. But it’s much more difficult than getting their hands on a password.

The Benefits of Passwordless Authentication

Even though MFA usually includes a password as one factor, the password is strengthened by a second passwordless authentication layer.

Passwordless authentication, as the name implies, allows users to gain access to systems without using a password. Instead, it uses verification methods like biometrics (fingerprints, facial recognition), passkeys, security tokens, push notifications on a mobile app, smart cards, email link authentication (known as magic links), or one-time passwords (OTPs) sent via email or SMS.

Passwordless methods such as facial recognition or fingerprint scanning are both intuitive and secure. They’re less susceptible to being stolen, phished, and forgotten. They also reduce login time, minimize user frustration from password resets, and provide a more seamless interaction with technology for less technical users.

Adding a passwordless authentication step not only mitigates the security issues of passwords but also offers users a more streamlined login process.

Conclusion

Providing a good user experience is partly about seamless access, but it’s also about securing users from having their accounts and data stolen and sold as a commodity on the dark web.

Relying on traditional passwords to secure your systems leaves you vulnerable to attacks. Too often, the answer has been implementing complex password policies that frustrate your end users.

MFA lets you enhance the security of your system by adding a passwordless authentication step. Passwordless login options can simultaneously minimize user frustration, even for less technical users.

FusionAuth lets you combine MFA, passwordless, and single sign-on (SSO) to offer your users safe, simple, and quick login processes. Its authentication solutions are secure, efficient, and easy to use and implement. Plus, key features like app MFA and SSO are always free. Try it out if you want to experience the simple side of security.