Gordy's Discourse

Multi-factor authentication - an argument against it

Gordon Ansell Opinion, Security, Tech 439 words.

I hate multi-factor authentication. It is much touted as the way things should go these days but I have no time for it and I’ll tell you why.

What we mean by multi-factor authentication is usually dual-factor authentication (or two-factor authentication) where two bits of information are needed to log in. The first problem is that the secondary bit of the dual factor is often something like one’s mother’s maiden name, or the first school one attended. These are all real bits of information that can be figured out if someone collects enough intelligence on you. I think this makes for poor security.

Even if the second part of the dual factor isn’t of this nature, it’s still a problem. If it’s some code or a second password it means you have two bits of information to remember, and I think that means you’re more likely to want two easy bits of information to remember. This is particularly true when organisations ask for certain characters from the second bit of information and give you drop-down boxes to enter them. Doing this means you can’t use your password manager, so you’re going to want it to be something easy to remember; maybe something you use elsewhere that you’ve already had to remember before, and because it’s easy to remember it’s easier to crack.

I cannot for the life of me figure out how ‘mypassword’ as the first factor and ‘Smith’ as the second factor (a maiden name, perhaps) is more secure than a single-factor authentication of ‘GGlklk346,,pN—090’.

I think we want to encourage people to use a single, long, nonsense password per site and keep it in a password manager (itself protected by a long, nonsense password).

Sites should enforce password character lengths (maybe a minimum of 15 or so) and ensure they contain a mixture of upper and lower case letters, numbers and special characters. Some do this now anyway. Browsers should never be allowed to remember passwords — just remove this ability completely — and password managers should ensure no two passwords in their databases are the same.

Yes, we’re effectively forcing people to use password managers but I think that’s a price worth paying for the extra security. If you really hate password managers then I guess you’d have to write them all down. Many would consider this a no-no but I think it’s still more secure than a bunch of simple passwords that aren’t written down.

If there’s to be a second factor at all, it should be biometric, which I don’t particularly object to because you don’t have to remember your fingerprint or your face.

Thus are my thoughts on multi-factor authentication.