How Not to Do MFA

July 16, 2022

I keep saying I am going to make this site prettier, but then I get busier with other things. So, while I'm busy not making this prettier, I'll tell you some stories about how not to implement multi-factor authentication. (Side note: I hate multi-factor authentication. More about that later.)

In offering technical assistance to a local non-profit organization and a church, I have the pleasure of using some services built by folks that helpfully make multi-factor authentication worse than it has to be. These services are: Xero, Twilio, and Mailchimp. If you want to build a system that doesn't piss off the user while still adding a thin veil of security, learn what not to do from these three.

Problem number one: Xero helpfully allows only two options, none of which are WebAuthn. Your first option is what Xero calls a "backup email," because apparently, one email address isn't enough. Your second option is to use an authenticator app. However, beware: If you use an authenticator app on your phone, and you lose or replace your phone, you'll have to email Xero Security to reset your MFA. Reset it yourself when you are logged into the account? No, no. Email security.

One thing Xero does get right, that few others do: Text message is not an option. If you choose text messaging for multi-factor authentication, don't even bother, because SMS does nothing useful when it comes to MFA. Never mind that SMS is built on SS7, a networking technology the phone company didn't build with security in mind. Never mind the Israeli company selling tools to compromise phones to the highest bidder. And certainly never mind Russian trolls or far eastern police states. Just asking you for your one-time code is surprisingly successful. (If only my bank would understand this.)

Problem number two: Like Xero, Twilio requires you to contact support to reset MFA, even if you are already logged in and have passed MFA. This means that if you are in the process of, say, switching phones, you have to wait for a support rep to helpfully reset your MFA for you. Y'all, it's 2022, already. Google, Facebook, and a slew of others let you add and remove multiple factors at will, provided you are signed in and pass MFA. In today's economy, it is easier to allow your users to securely self-serve than it is to hire people.

Problem number three: Mailchimp takes the annoyance a step further. Like Xero and Twilio, they don't support WebAuthn, which is the one thing that makes MFA tolerable for me. But they go further still, and only let you stay logged in on any given browser for two weeks. Google, Facebook, and pretty much anyone else that wants me to use their service want me to stay logged in. But not Mailchimp. Have a cookie, and take a hint: A known device, like a browser with a previously saved cookie, is a second factor. It's also a way to reduce friction and stop needlessly pissing off your users.
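To make the "known device is a second factor" point concrete, here is an added example (mine, not code from Mailchimp, Xero or Twilio) of a remembered-device cookie: after a full MFA login the server issues an HMAC-signed token bound to the user with an expiry, and a later login skips the OTP/WebAuthn prompt only if that token verifies. The key, the 30-day trust window and the function names are assumptions for the illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Hypothetical server-side secret: in production load it from a KMS or env and rotate it.
SERVER_KEY = secrets.token_bytes(32)
TRUST_DAYS = 30  # assumption: how long a remembered browser counts as "known"


def _sign(payload: bytes) -> str:
    """HMAC-SHA256 over the cookie payload, base64url encoded."""
    return base64.urlsafe_b64encode(hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()).decode()


def issue_device_cookie(user_id: str, now: Optional[float] = None) -> str:
    """Call once the user has passed a full MFA login in this browser.
    Returns the value to set in a Secure, HttpOnly, SameSite cookie."""
    now = time.time() if now is None else now
    body = json.dumps({"uid": user_id, "dev": secrets.token_hex(8),
                       "exp": int(now + TRUST_DAYS * 86400)}, separators=(",", ":"))
    payload = base64.urlsafe_b64encode(body.encode()).decode()
    return f"{payload}.{_sign(payload.encode())}"


def device_is_known(cookie: Optional[str], user_id: str, now: Optional[float] = None) -> bool:
    """True only if the cookie is intact, belongs to this user and has not expired."""
    if not cookie or cookie.count(".") != 1:
        return False
    payload, sig = cookie.split(".")
    # Constant-time comparison so a tampered payload or signature is rejected without a timing leak.
    if not hmac.compare_digest(sig, _sign(payload.encode())):
        return False
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except (ValueError, UnicodeDecodeError):
        return False
    now = time.time() if now is None else now
    return claims.get("uid") == user_id and claims.get("exp", 0) > now


def login_decision(user_id: str, password_ok: bool, cookie: Optional[str]) -> str:
    """Decision after the password check: the second-factor prompt is skipped only for a known device."""
    if not password_ok:
        return "reject"
    return "allow" if device_is_known(cookie, user_id) else "prompt-mfa"
```

A user who loses a phone then simply logs in from a browser that still holds a valid cookie and rotates their authenticator, with no support ticket involved.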

The bottom line is that multi-factor authentication sucks. But, if you're going to implement it, do it in a way that doesn't immediately piss off your users. Setting it up is complicated enough for most people, so there is no reason whatsoever to add more complexity to it. Quite the opposite, actually. If you want your users to use it, take a moment to understand your threat model, so you know where you can reduce friction without sacrificing needed security.

So, in short, fuck MFA. Well, that's all for now. Next up (maybe): How not to secure your users' passwords by arbitrarily expiring them.