Multi-Factor Auth: A Call to Action

Sometimes it's necessary to rally support for the right cause and in this case it's for Multi-Factor Authentication (MFA).  But why?  Identity theft is on the rise.  More and more information is being requested from consumers and stored in online systems.  New services and partnerships are extending the boundary of most organizations past their data centers.  And there are simply too many companies struggling with:

  1. Account Take Over (ATO) - when an attacker uses a compromised password list against other sites to gain application access
  2. Phishing and Man-In-the-Middle - when a user clicks on a link in an email that directs them to a bad site to capture username and password from an end-user/consumer
  3. Malicious Sites and Malware - when sites are set up to collect username and password combinations for what seems like a legitimate purpose by an end-user/consumer

Essentially, this means that username and password along with security questions are simply not strong enough controls for online business.  Further, when a nation finally moves to chip based credit cards because they are losing billions via credit card fraud, it's also a good time to determine if there is more that can be done to make technology safer across the board.  This article talks a bit about the new card technology and sadly brings up the very issue that concerns me, the thought that somehow people cannot learn security and therefore we must downgrade security measures.  This is simply not the right mindset.   Instead business should be expected to hold the bar high and teach people how to use the right options.  And the reason this matters now more than ever is that chip based credit cards will cause fraudsters to migrate to online business to continue their operations.

More importantly, consumers are left holding the bag when security fails.  Passwords aren't enough to protect your mom, dad, brother, sister, aunt, uncle, and pretty much your whole family from being impacted.   And sadly, consumers have little in terms of recourse to comfort them.  Online business can simply point at the reasonableness test as their method of proving that what they did to secure their online business was expected and reasonable.  But what if its not enough?  What if, the bar is too low and should not be tolerated?  What if, a low bar puts far too many people at risk and the right thing to do is raise the bar to make online business safer?  What if, it's time for consumers to demand better security?

What if it's time to demand Multi-Factor Authentication and better identity verification for online business?

What is Multi-Factor Authentication?

Multi-Factor Authentication (MFA) also known as Two-Factor Authentication or One-time Pin/Password is a system that requires more than one form of authentication to verify the identity of an individual.  MFA is a method for ensuring greater assurance that a person is who they claim to be and that they should be authorized to gain access to a role that grants them access or permissions to do something.  It's a pretty simple process, think two forms of identification like when you start a new job or when you open a bank account.

While MFA is not the panacea, as a table-stake it has come a long way in the past decade.  In other words, there are easier options for achieving strong authentication and identity verification via multiple factors to prove you are who you say you are.  For example, Twitter developed a method to notify you when someone is accessing your account by providing push notifications to a mobile device for explicit approval.  And Google has developed Google Authenticator to give you a six digit token code to input for apps that support MFA.  GoDaddy has implemented MFA by sending a token code via text message.  And there are many other organizations providing these and other methods.  The key point is that these organizations have realized it's needed and are offering better options.  Meaning you can use them and more importantly feel empowered to demand MFA, if its not yet available.

What can a consumer do?

You have the right to safeguard your identity and demand Multi-Factor Authentication from the online businesses you interact with.  When MFA is provided be diligent in getting it set up.  Understand how the Multi-Factor Authentication method provided operates so that you can determine if something looks suspicious.  Take the steps to know how to report an issue before one happens so you can get prepared.  Stay alert and aware that attackers will continue to push on boundaries, even MFA.

For some MFA options, you also need to know that you will begin to get notified when someone else is attempting to authenticate to your account without MFA if push notifications are enabled.  Don't fret; the transaction will not be successful unless you authorize it.  In many cases, you will learn a lot.  For example, when you turn on MFA for your Yahoo email, you may learn that there are many attempts per day to gain access to your email.  Do not let this dissuade you from using MFA.

You should also make sure to use MFA for email and any services that require sensitive data, such as: financial, health, and shopping.  These types of services typically require more sensitive information from end-users.  And more importantly, email is commonly used in the workflow that protects your other accounts from being taken over or accessed without you knowing.

What can an employee do?

MFA should be implemented as part of the authentication process for all systems within a business requiring something you know and something you have to prove identity, even for employees.  If MFA cannot be applied to all systems and applications, it should be applied to the most important systems and applications.  Applications and systems that have been registered to require MFA should be kept up to date and monitored.  And by first principles, organizations should not sacrifice authentication and identity verification of its employees to alleviate productivity concerns.  It takes only a little extra effort to do the right thing and after a while less noticeable because it turns into the norm.

And as an employee, you may not know this but if your username and password are compromised and then used in an inappropriate way, you could become a suspect in an investigation.  Consider the Sendgrid breach this year where an employee's username and password were compromised (Kreb's article).   These situations do not start with the company suspecting someone outside the organization.  Organizations have to protect themselves from both internal threats and external attackers.  This means that when your employee username and password are stolen to achieve unauthorized access, it is done so without anyone knowing until it can be determined.  And some attackers use malware to monitor your actions to mimic how you might access a system to alleviate being detected. 

As an employee of an organization, you can help bring awareness to these issues and assist with educating on this important issue.  But more importantly, if you cannot immediately gain acceptance for MFA, consider your habits and reduce your browsing habits to ensure less potential for a compromise of your credentials.

Final Thoughts

It is a critical time for everyone to be aware and engage in reducing identity theft by playing their part.  Security is everyone's problem.  MFA should really not be made an option.  Businesses need to provide Multi-Factor Authentication by default for both their customers and employees.  MFA is an obligation that should be required to increase protection of sensitive data and assets.  And MFA should become part of the standard flow for establishing a user account with educational materials provided so that users can become aware/educated.

Like chip and pin, Multi-factor Authentication has been a high-bar option for a long time and has not become popular because companies haven't been required to use it.  Today, however, MFA has become easier to use because of companies like Google, Twitter, Duo Security and others united in solving the problem of increasing security while supporting ease of use.  Everyone must do their part to reduce identity theft.  There is a grass roots effort afoot that you should also know about at, which is a site dedicated to enlisting organizations to implement MFA.   We must demand better security of our vendors and employers to reduce the potential for identity theft.  And while Multi-Factor Authentication is an important step in making it difficult for attackers to take advantage of people; it is just the tip of the iceberg.

Please share this article and learn more about MFA so you can help spread the word.






Shannon Lietz

Shannon Lietz is an award winning leader and technologist focused on advanced security, DevOps, and cloud adoption.  With 25+ years experience, she has found her passion in helping others secure their technical projects to solve the world’s problems at speed and scale.  She currently works at Intuit as the Director of DevSecOps and Chief Security Architect.  She is inspired by great collaboration and high performing teams focusing her time and energy on fostering the adoption of Rugged Software practices with DevSecOps.