Approaches to Multi-Factor Authentication
Multi-Factor Authentication (MFA) can be used in a variety of ways depending on the desired balance between security and usability.
Most simply, a user can be prompted to use two or more factors at every login. While this might be effective as far as security is concerned, it has drawbacks from a usability perspective. Users are often put off by frequent requests for additional factors and not all data requires the same level of protection. A more flexible approach to MFA often better serves the interests of both data providers and users.
One such flexible approach is to allow users to opt in to MFA, particularly in situations where they are primarily concerned with protecting their own data and that data is not particularly sensitive. Email service providers, for example, have an interest in protecting user data but at the same time may fear users will switch providers if security burdens are considered too heavy. In such cases, users who sign on with a single factor can be encouraged to set up MFA but not required to do so.
Sometimes a user only needs access to information that requires a minimum of protection. In such cases, signing on with a single factor, generally a password, may be preferable to using MFA from the beginning. The user is not burdened with additional login requirements and the data provider does not have to overprotect less sensitive information.
However, as soon as the user attempts to access more sensitive information or to engage in a transaction, the user can be prompted for additional factors, thus stepping up from one factor to two or more.
This approach is often taken in the financial services industry, where, for example, customers may simply wish to check their account balance or credit score. If MFA were used at the outset, users might be less inclined to access the site for such simple queries. Being able to access basic information with a single factor sign-on process can enhance user experience without jeopardizing security.
At the same time, step-up authentication ensures that when users want access to more sensitive data, such as when they want to transfer money or apply for a loan, they can be immediately challenged to provide additional authentication. They step up to MFA only when the need for heightened security requires it.
Another approach to MFA that can improve usability while maintaining security involves fine-tuning the TTL (Time to Live) of the different authentication factors. In this case, the user logs on for the first time with two or more factors so that MFA is established from the beginning. If the user continues to use the same browser and a trusted device, however, it may be unnecessary for the user to go through this entire process again for an extended period of time.
Google uses such an approach for its user accounts. If a user signs up for MFA, or what Google calls “2-Step Verification,” the user must initially log on with two factors: a password and a code provided by SMS, email, or voice over a phone. After that, provided the user continues using the same browser and machine, the user may only occasionally be prompted for a password and even more rarely challenged for an access code.
The TTL for the two factors are set for different durations, with the lifespan of the password set at a shorter interval than that of the code. However, if the user tries to access the same account from a different machine or on another browser, both authentication factors would again be required for re-verification.
With this approach, the TTL of various factors could be set to whatever lengths are required to optimize user experience while maintaining adequate levels of security.
These various approaches to MFA all involve trade-offs between usability and security. But they strike very different balances between the two. The Always On approach stresses security needs over usability concerns. The Opt In approach lets uses decide how much security they require, allowing them to shift the balance away from usability if they wish. Step-up Authentication opts for ease of use on the initial login, stepping up to MFA when greater security is needed. Time-sensitive Re-verification, on the other hand, uses MFA from the start but staggers the re-verification process to reduce demands on the user without sacrificing MFA-level protections.