Will Multi-Factor Save Us?


Single Bullet Theory

Is Multi-factor Authentication the holy grail of Security?

This question has been thrown about quite a bit lately. A wide variety of responses have surfaced.

We have a fairly short, straightforward answer:

No.  

Actually, the longer answer is:

No it is not. And stop looking for holy grails of Security.

Back To The Start

Authentication typically happens once, at the beginning of a session, and is then forgotten about until the session expires. What happens after that is not Authentication's job.

Make no mistake: Authentication is a critical process. It is often the first step in granting access to a resource. If fumbled, it lets an attacker walk past every other security measure that is in place. However, it is not fair to blame Authentication for other design flaws in the overall system.

There have been a number of articles citing a weakness in MFA for failing to prevent things such as session hijacking, Trojans, Phishing and Man-In-The-Middle attacks.

These articles all raise a very valid point: Good security solutions don’t make you secure; they help you improve your security.

MFA was never designed to fix insecure server session implementations, prevent malware from infecting your system, or alert a user they’re about to access a fraudulent website.  Anyone thinking it could do these things has a case of severely mismanaged expectations.
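To make the "authentication happens once" point concrete, here is an added illustration (not code from the original post): a toy session model in which the two factors are checked only at login, every later request is authorised by the session id alone, and the two things that do bound the exposure, an idle timeout and a step-up factor check for sensitive actions, live in the session logic rather than in MFA. The user store, the fixed one-time code and the timeouts are constructed for the demo and are not a real OTP implementation.

```python
import hmac
import secrets
import time

# Constructed demo data: a single user with a password and a fixed "one-time" code.
USERS = {"alice": {"password": "correct horse", "otp": "123456"}}
SESSIONS = {}            # session id -> {"user", "last_seen", "last_factor_check"}
SESSION_TTL = 900        # seconds of inactivity after which the session is dropped
STEP_UP_MAX_AGE = 60     # how recent a factor check must be for a sensitive action


def login(user, password, otp, now=None):
    """Both factors are checked here, once. Returns an opaque session id or None."""
    now = time.time() if now is None else now
    rec = USERS.get(user)
    if rec is None:
        return None
    # Constant-time comparisons so a wrong guess leaks nothing through timing.
    ok_pw = hmac.compare_digest(rec["password"], password)
    ok_otp = hmac.compare_digest(rec["otp"], otp)
    if not (ok_pw and ok_otp):
        return None
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "last_seen": now, "last_factor_check": now}
    return sid


def request(sid, action, now=None, otp=None):
    """Every later request is authorised by the session id alone; MFA is not re-run.
    Whoever presents a valid id is treated as the user, which is why session
    handling (timeouts, step-up) has to carry the load after login."""
    now = time.time() if now is None else now
    s = SESSIONS.get(sid)
    if s is None or now - s["last_seen"] > SESSION_TTL:
        SESSIONS.pop(sid, None)          # idle timeout: a stale id is worthless
        return "denied: no valid session"
    s["last_seen"] = now
    if action == "transfer":             # sensitive action: demand a recent factor check
        if now - s["last_factor_check"] > STEP_UP_MAX_AGE:
            if otp is None or not hmac.compare_digest(USERS[s["user"]]["otp"], otp):
                return "denied: step-up authentication required"
            s["last_factor_check"] = now
    return f"ok: {action} as {s['user']}"
```

The `now` parameter exists only so the timeouts can be exercised deterministically; in real code the clock comes from the server.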

Refactoring Expectations

Multi-factor Authentication can solve a number of problems inherent in single-factor systems.  Passwords are weak and attackers are going to look for the easiest path in.  They won’t tear down a wall if the door is unlocked.  Good security solutions move the low hanging fruit upwards.  And passwords are obviously low-hanging fruit (or an unlocked door, if we keep mixing metaphors).  eBay, Target, LinkedIn, Yahoo, Dropbox, Facebook and countless others will attest to that.

Anyone trying to sell you Security as a packaged end-state is not looking out for your best interests.  Security is not a state or a product, it is a process and an art.  

To that end, Multi-factor should absolutely be a part of your arsenal to reinforce the rest of your security design. It won't prevent all attacks, but it can stop password attacks, which are much more damaging than a mere flesh wound.

Posted on 2014/05/29 in Multi-factor Auth, Security
