This morning I read an article on how Multi-Factor Authentication has only been implemented by 22% of Microsoft Azure Active Directory customers. Now I’m a big believer in MFA, and protect as much as possible with it. But I still find it a gigantic Pain-In-The-Ass, and thus struggle to get others to use it. Why? So many things just go wrong at all the wrong times.

A simple example? I used to be able to approve Microsoft Authenticator requests on my Apple Watch. They still come through on the watch, but the approvals always fail. So now I have to dig my phone out to do the approval.

Want another one? I get approval requests in Microsoft Authenticator that I can’t identify, which I assume are attempts to break into my account, but in reality they could be one of my devices trying to sync because the service involved decided that would be a good time to require re-authentication. I’m never presented with enough information to make a good decision.

Need another? Some service (hey Microsoft 365, I’m talking to you) will decide right at a critical, time-sensitive moment that every one of my devices needs to re-authenticate. Instead of dealing with the time-sensitive issue I’m spending the morning (or whatever) trying to get my email/OneDrive/etc. access back.

Another? My Mac keeps telling me it needs a password for a Microsoft 365 account, but has no way to enter one. And no way to trigger the authentication request to Microsoft Authenticator for me to approve it. One of my co-workers has more accounts and far more devices than I do, and whenever this happens I get a call (because I’ve been our Microsoft 365 admin) asking how we can make this not happen. I have spent years in fear that he will ask me to disable MFA.

Another? I love the concept of hardware tokens, but I absolutely hate the reality. I never have it with me when whichever service (not just Microsoft’s services) decides it’s time to reauthenticate. It’s fine with my work computer, which has one permanently inserted in a USB port. But my tablet? My personal computers (where I might have one, but it isn’t the right one)? Etc. No. If I have it on a keychain I will inevitably have the other car, and its keychain, with me when a service decides to randomly reauthenticate.

Another? I have services that allow multiple MFA devices, but if I don’t have the primary one with me the UI doesn’t actually let me pick the alternative one!
And I haven’t even gotten to the problem of what happens when you lose your phone, or it breaks. The recovery process can be the equivalent of fixing identity theft. Not because anything was stolen, but because there are so few ways to prove you are you. You can’t even get human beings on the phone, and when you do, sometimes they can’t help you. I have actually awoken from nightmares in which that happened while I was in a foreign country. My wallet and phone have been lost or stolen, and all the money in the world can’t get me out of Dodge because no one will believe I’m me. They just keep asking for numbers from code generators I don’t have access to, or for me to approve requests that I will never see nor have a way to approve.
Now I suffer through the horrors of the MFA world because I assign a high value to the threat. But in a world where a lot of people still don’t turn on PINs to access their phones, and use passwords like “password”, why does anyone think that world wants to deal with the horrible user experience of MFA? Microsoft is now pushing passwordless access, and it sounds great, except that it is the MFA nightmare on steroids. Lose your phone and you might as well be a contestant on Naked and Afraid. Which is a perfect introduction to why passwords have been temptingly close to the perfect security solution: they work even if you’re butt naked. That should be the test for any password replacement: it functions universally, even if you are butt naked.
I’m sure some will catch on that the Azure Active Directory data is for businesses, which you would think should be able to force their employees to use MFA. Apparently you haven’t met the business owners/CxOs who want their executive assistant, personal assistant, and certain other employees to have broad access to their resources. Not everything, in fact very few things, are properly set up for sharing, be that within families or within businesses. With just passwords you can share things that aren’t set up to enable cross-account sharing, or easy cross-account sharing. With MFA you are somewhere between screwed and putting a lot of upfront and recurring effort into making sharing work. So business resistance to MFA starts at the top.
In all too many cases MFA screws up people’s risk/reward calculations, turning them completely upside down. That isn’t going to be fixed by whipping them into a frenzy over the risk side. It can only be fixed by making the cost of the authentication requirement essentially zero. And the ways we are doing that are going in the wrong direction. I know people are going to bring up technologies like Windows Hello, but those are tied to specific hardware. I can’t walk up to a random stranger’s computer and log into my account using its camera or fingerprint reader to prove I’m me. Until we have something besides passwords that meets the “butt naked” test, we are going to have continuing resistance to MFA and password alternatives.