Decades into the campaign, the effort to wean users off simple password protection hasn’t gone very well. Fingerprints, iris scans, tokens… these methods have all been tried and met with only limited success. The security industry’s best chance yet? It’s a sort of half-measure that lets users keep their passwords but adds a second element (or “factor”) to logins.
However, data about the uptake of two-factor authentication (2FA) means this once-promising strategy also hasn’t succeeded. A combination of usability, fallibility and just-plain stubbornness has preserved the role of plain-old passwords at many places.
What’s so fallible about 2FA? It often relies on consumers’ smartphones. A bit like Social Security numbers in the U.S., it’s a role smartphones weren’t designed to play. So, many implementations haven’t proven to be robust.
Help might be on the way, however, as mobile carriers are working together on a solution. If they pull it off, perhaps two-factor might finally catch on with the masses — but that seems a distant possibility at the moment.
2FA or not 2FA?
Dismal data points for two-factor uptake are easy to find. The latest: 90 percent of Gmail users still haven’t turned it on, according to The Register, even though Google introduced two-factor tools seven years ago. Grzegorz Milka, a Google engineer, revealed this depressing reality at the Usenix conference in January 2018. When asked why Google didn’t require two-factor, Milka gave the answer almost all security professionals would.
“The answer is usability,” Milka told The Register. “It’s about how many people would we drive out if we force them to use additional security.”
Only 28 percent of people use 2FA anywhere, CyberScoop reported — and more than half of Americans don’t even recognize the term. That’s not much to show for a nearly 10-year campaign.
Why So Much Hate for 2FA?
At sites like Amazon, Facebook and Instagram, it’s really not that hard to turn on two-factor. Users can do it within a few clicks. The real reason for user indifference might not be usability so much as the irregularity. It seems each implementation of 2FA is slightly different.
One site requires users to enter an SMS text message that will be sent to their phone — woe to that user with a nearly dead cellphone battery. Another will ask for a token code generated by an authenticator app. Facebook generates its own token from within its app. Perhaps the state of affairs is not as bad as the 150 passwords that the average consumer must remember to navigate their digital lives, according to Dashlane, but the inconsistency itself can be maddening.
Is 2FA Really That Great?
Making matters worse, the most popular implementation — the something-you-know and something-you-have kind, which requires SMS text messages — isn’t all it’s cracked up to be. In fact, it’s been cracked, and it’s quite possible consumers have caught on.
Cybercriminals have used a variety of techniques to intercept authentication codes sent over mobile networks — rendering SMS nearly useless as a second factor. However, these attacks don’t seem to be in widespread use yet, so it can be said that two-factor SMS is still better a single password.
Yet, as with all such techniques, criminals will continue to share it and slowly make SMS only about as safe as the passwords themselves. Security professionals already concede this point. As The Verge reported, the National Institute of Standards and Technology withdrew its support for SMS-based 2FA in summer of 2016, citing interception and spoofing risks.
A Glimmer of Hope for 2FA
A consortium of mobile carriers led by AT&T, Sprint, T-Mobile and Verizon announced recently the creation of a “next-generation mobile authentication platform.” Calling themselves the Mobile Authentication Taskforce, the group promised in 2017 to be working hard on the spoofing and interception problem. In March 2018, the Mobile Authentication Taskforce revealed a few details about its plans in a statement.
“The [group] has been working with operators around the world to bring a consistent and interoperable, secure identity service and this task force will strengthen that effort by enabling a simple user experience quickly and conveniently in the US market,” said Alex Sinclair, chief technology officer at trade group GSMA.
The Mobile Authentication Taskforce also said in the statement that it had developed a technique that would utilize the “collective network intelligence” of the carriers. The strategy includes a “cryptographically verified phone number,” inspection of characteristics like phone number tenure, account type and IP address, as well as other advanced analytics that will be used to assess risk.
Further details are still elusive. However, the group promised it would begin testing soon, launch a website later this year and make the solution available by the end of the year. Meanwhile, the carriers’ chance to seize a privileged spot in the authentication game might already be slipping away. Token apps like Google’s Authenticator, which doesn’t require network access to generate a code, seem to bypass the carriers.
But IT professionals don’t need to wait around to see who wins that battle. Users can be forced to add another factor to their logins, of course, but perhaps there’s a better way. Some organizations lure users to turn on 2FA by giving them a discount when they do. And sometimes, an incentive is better than a threat.