MFA today is both 'simple' and non-trivial work

January 10, 2024

Over on the Fediverse I said something a while back:

I have a rant bubbling around my head about 'why I'll never enable MFA for Github'. The short version is that I publish code on GH because it's an easy and low effort way to share things. So far, managing MFA and MFA recovery is neither of those; there's a lot of hassles, worries, work to do, and 'do I trust you to never abuse my phone number in the future?' questions (spoiler, no).

I'll deal with MFA for work. I won't do it for things I'm only doing for fun, because MFA makes it not-fun.

Basic MFA is ostensibly pretty simple these days. You get a trustworthy app for your smartphone (that's two strikes right there), you scan the QR code you get when you enable MFA on your account, and then afterward you use your phone to generate the MFA TOTP code that you type in when logging in along with your password. That's a little bit more annoying than the plain password, but think of the security, right?

But what if your phone is lost, damaged, or unusable because it has a bulging battery and it's taking a week or two to get your carrier to exchange it for a new one (which happened to us with our work phones)? Generally you get some one time use special codes, but now you have to store and manage them (obviously not on the phone). If you're cautious about losing access to your phone, you may want to back up the TOTP QR code and secret itself. Both the recovery codes and the TOTP secret are effectively passwords and now you need to handle them securely; if you use a password manager, it may or may not be willing to store them securely for you. Perhaps you can look into age.

(Printing out your recovery codes and storing the paper somewhere leaves you exposed to issues like a home fire, which is an occasion where you might also lose your phone.)
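As an added illustration (this is constructed example code, not part of the original post), the following minimal Python implementation of RFC 4226/6238 shows what a TOTP app actually does with the QR code: it stores a base32 secret and computes HMAC(secret, floor(time/30)). Everything follows from that secret, which is why it is a password-equivalent that must be stored carefully, and also why it can be backed up and restored onto any other device. The enrollment URI below is made up; its secret is the standard RFC test key, not a real account. The `verify_totp` helper is the server-side counterpart, included to show why a small clock-drift window is normally accepted.

```python
"""Constructed example: a minimal RFC 4226 (HOTP) / RFC 6238 (TOTP) generator.

The secret encoded in the enrollment QR code is the whole of the "second factor";
any device holding a copy of it produces identical codes.
"""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed enrollment URI (what the QR code encodes). The secret is the
# RFC 4226/6238 test key "12345678901234567890" in base32, not a real account.
RFC_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
EXAMPLE_URI = ("otpauth://totp/Example:alice%40example.com"
               "?secret=" + RFC_TEST_SECRET_B32 + "&issuer=Example")


def parse_otpauth_uri(uri):
    """Parse an otpauth://totp/... URI into its enrollment parameters."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if "secret" not in params:
        raise ValueError("URI carries no secret")
    label = unquote(parts.path.lstrip("/"))
    issuer = params.get("issuer")
    account = label
    if ":" in label:                    # label form "Issuer:account"
        label_issuer, account = label.split(":", 1)
        issuer = issuer or label_issuer
    return {
        "secret": params["secret"],
        "issuer": issuer,
        "account": account.strip(),
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
        "algorithm": params.get("algorithm", "SHA1").upper(),
    }


def decode_base32_secret(secret):
    """Decode a secret as sites display it: spaces, lower case and missing '=' padding tolerated."""
    s = secret.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(key, counter, digits=6, algorithm="SHA1"):
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), algorithm.lower()).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret, at_time=None, digits=6, period=30, algorithm="SHA1"):
    """RFC 6238: HOTP with counter = floor(unix_time / period). `secret` is base32."""
    if at_time is None:
        at_time = time.time()
    return hotp(decode_base32_secret(secret), int(at_time) // period, digits, algorithm)


def verify_totp(secret, code, at_time=None, window=1, **kw):
    """Server-side check: accept the current step plus `window` steps either side
    (tolerates clock drift between phone and server); constant-time compare."""
    if at_time is None:
        at_time = time.time()
    period = kw.get("period", 30)
    for step in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, at_time + step * period, **kw), code):
            return True
    return False


if __name__ == "__main__":
    enrol = parse_otpauth_uri(EXAMPLE_URI)
    print("issuer:", enrol["issuer"], "account:", enrol["account"])
    now = time.time()
    args = (enrol["secret"], now, enrol["digits"], enrol["period"], enrol["algorithm"])
    # Two "devices" holding the same backed-up secret produce the same code.
    phone_code, restored_backup_code = totp(*args), totp(*args)
    print("code:", phone_code, "backup agrees:", phone_code == restored_backup_code)
```

The values asserted below are the published RFC 4226 and RFC 6238 test vectors; running the module prints the current code for the constructed enrollment and shows that a restored copy of the secret yields the same code.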

Broadly, no website has a good account recovery story for MFA. Figuring out how to deal with this is not trivial and is your problem, not theirs. And while TOTP is not the 'in' MFA thing these days, the story is in many ways worse with physical hardware tokens, because you can't back them up at all (unlike TOTP secrets). Some environments will back up software Passkeys, but so far only between the same type of thing and often at the price of synchronizing things like all of your browser state.

However, all of this is basically invisible in the simple MFA story. The simple MFA story is that everything magically just works and that you can turn it on without problems or serious risks. Of course, websites have a good reason for pushing this story; they want their users to turn on MFA, for various reasons. My belief is that the gap between the simple MFA story and the actual work of doing MFA in a way that you can reliably maintain access to your account is dangerous, and sooner or later this danger is going to become painfully visible.

(Like many other versions of mathematical security, the simple MFA story invites blaming people (invariably called 'users' when doing this) when something goes wrong. They should have carefully saved their backup codes, not lost track of them; they should have sync'd their phone's TOTP stores to the cloud, or done special export and import steps when changing phones, or whatever else might have prevented the issue. This is as wrong as it always is. Security is not math, it is people.)


Comments on this page:

TOTP can be trivially backed up - for example, the various KeePass-derived password managers support it, and you can sync across clients, keeping the same password wallet on both desktop/phone.

Ah, my bad, I misread the statement about backup, and agree that it's a problem with physical devices, but not TOTP.

My TOTP app, Lockdown, syncs seamlessly between my iOS and macOS devices using iCloud, and I was able to write in an afternoon a backup script that exports to a HTML file you can print or save it: https://blog.majid.info/lockdown-export/

I do prefer FIDO, but there are indeed websites that will limit you to two or even one key (looking at you, PayPal). Keeping a spare Yubikey in the office is a simple disaster recovery plan.

By Polar at 2024-01-11 13:25:12:

In my experience as a System Administrator the hassle of training folks on MFA, setting it up 30+ times with each user, and making it required to give the company and each user a higher threshold of security significantly outweighs the possible loss of data and trust. Many password managers have MFA built right in which makes the process even more streamlined for less experienced users.

For me, personally, I would never go back to not using MFA for anything I see any value in. From a pet project I don't want to be hacked into that could spread malware or a video game I paid for. This is the world we live in and if security must be ignored to have fun you are setting yourself up for disaster IMO.

By Ian Z at 2024-01-11 17:34:23:

I have some of the same gripes, but here's what I do:

- I never use the QR code, only the ASCII key and I type it manually.

- I let Github etc. "trust" my home desktop so MFA is only required once per month or something.

- KeePass and friends are for the birds. I have a micro SD card with an encrypted filesystem where I keep my valuable passwords, including the MFA recovery codes. It's almost read-only so I don't expect it to fail before my carbon based systems do :-P

- I have a Yubikey but the only thing I use it for now is unlocking the computer after suspend. I got it for MFA on the work AWS account but that is now in the rear mirror.

Written on 10 January 2024.


Last modified: Wed Jan 10 22:49:15 2024