2FA & MFA: The Good, The Bad & The Ugly

2FA and MFA are methods of verifying a user’s identity using two or more factors, such as passwords, codes, biometrics, or tokens. The difference between them lies in the number of required factors: 2FA demands exactly two factors, while MFA could involve two or more factors. All 2FA is considered an MFA, but not all MFA is a 2FA. MFA is generally considered more secure than 2FA because it requires more than two factors to authenticate a user’s identity. However, both methods are more secure than using a single factor.

According to a survey conducted by Comparitech in 2022, global MFA uptake is on the rise. LastPass reported a rise of twelve percentage points on the previous year (2020), taking the global uptake figure of businesses using multifactor authentication to 57%. In addition, according to a survey conducted by Zippia in 2023, 64% of Okta administrators sign in using MFA and according to Microsoft, MFA can prevent a massive 99.9 percent of attacks. 

Whilst MFA adoption is clearly on the rise (and rightly so), and it is clearly an effective way to protect against unauthorized access, it has some drawbacks. Many of which are obvious, some less so. New technologies are emerging which attempt to deal with some of the issues, but many of the challenges remain. 
So what are the drawbacks/pitfalls of MFA solutions, despite their inherent security benefits? And are there any solutions available which tackle these challenges?

The Cost of Security: Increased Login Time

Multi-factor authentication (MFA) adds an extra layer of security to the login process, but it also increases the login time as users must go through an extra step to login into an application, which can be inconvenient for some users. However, this extra step is necessary to ensure that only authorized users are accessing sensitive information.

Employee pushback: User resistance to change 

Setting up an MFA can be time-consuming and expensive because it requires additional hardware and software. This in turn can lead to inconsistencies with setting up an MFA across a company, which can lead to confusion and frustration for employees. For example, some employees may have to use different authentication methods than others, which can lead to an erosion of trust in the newly implemented procedures. Furthermore, if the MFA system is not set up correctly, it can lead to increased security vulnerabilities, negative its sole purpose. In addition, users may be hesitant to adopt new security measures, especially if they perceive them as inconvenient or time-consuming. This can lead to a lack of compliance and put an organization at risk.

The Price of Complexity: Additional Hardware and Software Requirements

As mentioned, the complexity of MFA solutions often requiring additional hardware or software, can pose a significant challenge for some users including implementation teams and organisations. This is because MFA solutions can be difficult to set up and maintain, requiring specialized knowledge and expertise. This can become a significant barrier, particularly for smaller organizations with limited resources. However, the benefits of MFA in terms of increased security and protection against unauthorized access often outweigh the costs and challenges associated with implementation. Nevertheless, the challenges still exist and can impact the entire process. 

Cyber-crevasses: Watch the security gap! 

Security gaps can occur when using MFA and 2FA due to a variety of reasons. These include losing or damaging the device that receives the code or stores the token, forgetting or mistyping your password or PIN, entering the wrong code or using an expired code, having a poor or no internet connection or phone signal, the service provider or app having a technical issue or security breach, and being a victim of phishing, malware, or identity theft. It is important to be aware of these risks and take steps to mitigate them in order to protect your personal and business data.

MFA integration: Not always straightforward 

MFA and 2FA may not be compatible with all systems and applications. This can create problems when trying to integrate these security measures into an existing infrastructure. Organizations need to carefully evaluate their systems and applications to ensure that MFA and 2FA can be implemented effectively. For example, some legacy systems may not support MFA or 2FA, which can make it difficult to implement these security measures. Additionally, some applications may require additional configuration or customization to work with MFA or 2FA. This can create additional work for IT teams and delay the implementation of these security measures. To address these challenges, organizations need to carefully evaluate their systems and applications before implementing MFA or 2FA. This includes identifying any compatibility issues and developing a plan to address them. However, all these extra steps require considerable time-resource. What can start as a simple integration, can quite quickly become cumbersome and costly for businesses. 

Cost implications still play a significant factor

As highlighted, when implementing multi-factor authentication (MFA), one of the main challenges that organizations may face is the cost. Implementing MFA can be expensive, especially if the organization needs to purchase new hardware or software to support it.

In addition to the initial cost of implementation, there may also be ongoing costs associated with MFA. For example, some MFA solutions require a subscription fee or other ongoing costs for maintenance and support. These costs can add up over time and may be a barrier for some organizations.

Gone phishing: Traditional attacks still carry weight 

While MFA can provide an additional layer of security, it is not foolproof. Attackers can still use phishing attacks to bypass MFA and gain access to sensitive information. In fact, some MFA solutions may actually make it easier for attackers to carry out phishing attacks. For example, SMS-based MFA is vulnerable to SIM swapping attacks, which can allow attackers to intercept one-time passwords (OTPs) sent via SMS.

The fact that some MFA solutions rely on text messages or other forms of communication, results in messages being intercepted by attackers. This can allow attackers to bypass MFA and gain access to sensitive information. Additionally, some MFA solutions may be vulnerable to social engineering attacks, where an attacker tries to trick the user into providing sensitive information.

MFA fatigue: Figuratively and literally 

On-top of the other inherent negative effects on user experience outlined above, MFA fatigue can also refer to a type of cyber-attack where a hacker uses compromised login credentials to repeatedly send push notifications to a user’s device to approve the login. The hacker hopes that the user will eventually grant access to the account from fatigue or negligence. This is a brute force approach to bypass the multi-factor authentication (MFA) process.

Security over convenience – for now...

The security benefits of MFA are clear however the requirement for stringent security has not kept up with the requirement for a seamless user experience, and this is the case across a range of verticals and industries. New technologies should aim to reset the balance between strong security and a positive user experience. The key is remove security layers, but keep the same level of security, something which up until now has been incredibly challenging for cyber-tech companies to achieve, although this concept is being put to the test but some less well known pioneering security technologies.

For now, to avoid these pitfalls, it is important to choose the right MFA solution for your organization and ensure that it is properly integrated and maintained. Additionally, user education and training can help minimize user inconvenience and improve the overall user experience.