My distrust of multi-factor authentication's account recovery story

July 10, 2022

A bunch of third party websites really want you to use multi-factor authentication these days. Some of them aren't giving some people a choice about it; for example, PyPI recently mandated MFA for sufficiently popular projects. I have decidedly mixed feelings about this in general, and I've realized that one reason for them is that I don't trust some of the potential failure modes of multi-factor authentication. Specifically, the ones related to 'account recovery', also known as what happens when things go wrong with your MFA-related devices.

There's no general account recovery problem with MFA. For example, if the MFA hardware token from my employer was lost or destroyed, I'd report it and various processes would happen and a new one would show up and get registered to me. If the MFA I used with my bank was lost, I'd go to my bank branch to talk to them, and eventually things would get reset. But both of these situations have some things in common. I can actually talk to real people in both situations, and both have out of band means of identifying me (and communicating with me).

Famously, neither of these is the case with many large third party websites, which often have functionally no customer support and generally no out of band ways of identifying you (at least not ones they trust). If you (I) suffer total loss of all of your means of doing MFA, you are probably completely out of luck. One consequence of this is that you really need to have multiple forms of MFA set up before you make MFA mandatory on your account (better sites will insist on this). People advise things like multiple hardware tokens, with some of them carefully stored offsite in trusted locations. This significantly (or vastly) raises the complexity of using MFA with these sites.

More broadly, this is a balance of risks issue. I care quite a bit about the availability of my accounts, and I feel that it's much more likely that I will suffer from MFA issues than it is that I will be targeted and successfully phished for my regular account credentials (or that someone can use 'account recovery' to take over the account). If loss of MFA is fatal, my overall risks go way up if I use MFA, although the risk of account compromise goes way down.

(As a side note, this is likely not PyPI's situation. PyPI is apparently giving people security keys, and is clearly in touch with these people through additional channels. If PyPI considers you and your package critical, it's very likely that you can recover from an MFA loss. PyPI here is much more like my employer than it is like, say, Google. But most random websites that ask me to enable MFA are much more like Google than PyPI.)

(This isn't my only issue with 'you must have MFA' requirements, but it's a starting point.)

Comments on this page:

I think most discussions of security and MFA don't do a good job of examining all 4 access avenues: normal login, online password reset, online account recovery, and human/phone customer support. Often the methods for each are different, and attackers can attack all 4 avenues, or pick the weakest one. Maybe a good subject for a future post. Thanks.

By Mike at 2022-07-11 08:36:04:

PyPI is apparently giving people security keys, and is clearly in touch with these people through additional channels

This does not seem to be the case.

I got the email about PyPI now considering one of my packages "Critical" without any prior action, establishing additional communication, verification or confirmation on my part. As far as PyPI should know, I'm just a random person on the internet with an email who registered there and uploaded something that people happen to be using.

It's their prerogative of course - free hosting can come with any kind of rules and restrictions they like - so I don't really mind, but I don't think it's anything more than just that, an additional inconvenience on devs to tighten the security.

(there's also a good recent post by Armin Ronacher exploring the PyPI topic in more detail)

By John Wiersba at 2022-07-11 12:41:05:

This post reminded me very much of this recent discussion on Lobsters: I've locked myself out of my digital life (or on Hacker News).

By Greg P at 2022-07-12 10:19:38:

Firstly, in all situations, one needs to guess the likelihood. Let's say one uses U2F without any SMS/mobile number backup. Sure, if all 3 of my U2F keys are lost then I lose the account, but what is the probability of it? Very low. Insurance companies guess the likelihood, so do Boeing and Airbus or the hard disks. One can never be 100 % backed up.

But the likelihood of credential stuffing or someone getting the phone number/SIM cloned at a shop is higher (especially in the US).

Secondly, what is the acceptance of inconvenience?

1. Lost U2F key or 2. Hacked account

«I think most discussions of security and MFA don't do a good job of examining all 4 access avenues»

I had put a discussion on some aspects of this here:

http://www.sabi.co.uk/blog/20-two.html?201107#201107

«Often the methods for each are different, and attackers can attack all 4 avenues,»

If someone is such an attractive target that someone else is willing to invest a significant amount of effort, that is budget, to compromise their accounts, they have a big problem, and 2FA is not the most pressing issue. https://xkcd.com/538/ https://www.schneier.com/essays/archives/2001/02/pgps_vulnerabilities.html

Written on 10 July 2022.

Last modified: Sun Jul 10 23:31:11 2022