Know Which MFA Technologies to Avoid—and Which to Embrace

If you don’t yet use multi-factor authentication at your organization, chances are you’re actively looking to implement it—and finding that choosing between MFA solutions can be a frustrating task.

If your MFA solution frustrates users and causes them to find work-arounds, it could be worse than no solution at all. © Kat Jayne / Pexels

To make the issue clearer, let’s look at what you should be hoping to achieve as you implement MFA. The key needs are:

  • Security. Your MFA solution shouldn’t merely be window dressing. It should significantly enhance security.

  • Regulatory or standards compliance. Your MFA solution should enable you to comply with regulations or standards in your industry, or to reduce breach risk and liability.

  • Privacy protection. Your MFA solution shouldn’t compromise the privacy of your users.

  • Low cost and labor overhead. Your MFA solution shouldn’t catastrophically impact your bottom line.

  • Low user frustration and productivity costs. Your MFA solution shouldn’t be so onerous that your users try to work around it, nor should it interrupt their real work.

In other words, an MFA solution should provide robust identity assurance without negatively impacting either your organization or your users. Given this simple list, let's see how a variety of common MFA solutions stack up against these criteria, awarding one star for each criterion met.

SMS

Short Message Service (SMS) is in common use as an MFA strategy, but probably shouldn't be. Surprised? With SMS-based MFA, users receive a text message with a one-time code that must be entered in order to complete login. But as the Reddit breach of 2018 demonstrated, in which attackers intercepted the SMS codes protecting employee accounts, this method is less secure than many imagine. Here are just a few of the reasons why SMS is a poor solution for any security need.

Yes, SMS is familiar to users and generally easy on support needs, but relying on SMS means relying on phones, which are easily lost or stolen, and adding extra login steps to find and enter the code.

Worse, the code delivered by SMS is anonymous: anyone who has the code can use it to log in, and the SMS system itself is woefully insecure. Messages travel unencrypted over carrier networks, can be intercepted through weaknesses in the SS7 signalling system, and can be redirected to an attacker's handset by a SIM-swap attack against the carrier. And because it is often an in-band form of authentication (when the user logs in from the same phone that receives the code, the authenticating data resides on the device being prompted for authentication), it does not typically satisfy standards or regulatory requirements; NIST SP 800-63B, for example, classes SMS and voice one-time codes as a "restricted" authenticator.

Summary:  SMS is familiar and inexpensive, but it interrupts work without offering much added security or compliance.
Rating:   (out of 5)

Soft Tokens

Soft tokens rely on a purpose-specific mobile app to produce a one-time login code. Most such apps (the time-based TOTP scheme of RFC 6238 is the common case) never receive the code over the network at all: the app and the server share a secret at enrollment and each computes the same code from that secret and the current time. Push-style apps that do transmit data use an encrypted connection. Either way, nothing passes over the ancient SMS infrastructure, which makes soft tokens generally more secure than SMS.

Unfortunately, soft tokens come with problems of their own. Either a phone must be issued or the user must be asked to install a company app on their personal phone. Because these apps aren't as universal and time-tested as SMS, support issues (lost devices, reset shared secrets, drifting clocks) tend to proliferate and recur.

Once again, since phones are easily lost or stolen, there's potential for tokens to fall into the wrong hands. And once again, soft tokens are often in-band rather than out-of-band authentication, and because the user still types the code into the login form, a phishing site that relays the code to the real site in real time can use it just as the legitimate site would.

Summary:  Soft tokens are a better phone-based solution than SMS, but incur significant costs and overhead of their own, all without delivering maximum security.
Rating:   (out of 5)

Hardware Tokens

Hardware tokens are also code-based, but they deliver their code using a separate, independent piece of hardware. This means that they’re truly out-of-band, which makes them a better fit for regulatory or compliance requirements.

That said, they're even easier to lose or steal than phones, and once stolen a code-only token offers no intrinsic protection of its own: it will give the code to whomever is holding it. They're not as expensive as phones can be, either in hardware costs or in support overhead, but they do still incur a per-device cost that can quickly add up across an organization.

Summary:  Hardware tokens improve on phone-based security in key ways. They're more secure and easier to support, but they're also more easily stolen and still interrupt work.
Rating:   (out of 5)

Biometrics

Traditional biometric solutions authenticate users by measuring things like facial geometry or fingerprints. Since the authenticating factor is something the user is rather than something stored on a device, they offer true out-of-band MFA. They're also faster to operate than code-based MFA methods, which means less frustration and less lost work time, though they do still interrupt workflows.

At the same time, biometrics are a privacy nightmare for users and many balk at using the technology at all. And despite conventional wisdom, security researchers have repeatedly demonstrated at conferences that fingerprint and face scanners can be fooled with molded or printed copies if the attacker has access to images of the user's fingerprint or face. Worse, unlike a password or a shared secret, a compromised fingerprint or face cannot be rotated.

Summary:  Arguably offers better security than the previous options, but still interrupts work, can still be copied or stolen, and comes with serious privacy concerns.
Rating:   (out of 5)

Advanced MFA

Plurilock Advanced MFA is a next-generation MFA solution that eliminates many of the weaknesses seen in legacy MFA methods. A true out-of-band solution, Advanced MFA works by analyzing tiny, highly individual patterns in users' observable behavior, environment, and context over time.

As a fundamentally biometric technology, Advanced MFA is fingerprint-strong, but while fingerprints or faces can be traced back to real-world identities, Advanced MFA's behavioral profile can't. The purely numeric data it relies on thus raises no privacy concerns, and it can't be used to impersonate a user even if stolen, a security win.

Even better, Advanced MFA requires no secondary hardware or devices to work. Best of all, it's completely invisible to users: there is no need for the user to do anything unless authentication fails. It authenticates silently, as users type, click, or compute, meaning no interruptions, no training, no support overhead, and the ability to authenticate users continuously while they do their regular work.

Summary:  Plurilock Advanced MFA meets every one of our “ideal” MFA requirements—security, compliance, privacy, cost, and transparency. For most applications, it’s ideal.
Rating:   (out of 5)

The War, Not Just the Battle

Legacy MFA solutions are often a matter of winning the battle while losing the war. Yes, your organization gains the ability to claim MFA, but only at the expense of other, more important things: security, privacy, productivity, or profitability. Advanced MFA doesn't work like that. It enables you to win the war, invisibly authenticating users one session at a time in direct support of security, privacy, productivity, and profitability.

If legacy options are your only choices, do your best to avoid relying primarily on SMS-based MFA, for which there’s really no longer any excuse. If, on the other hand, you’re not married to legacy solutions, we think Plurilock’s next-generation Advanced MFA products are the smartest choice. ■