I have to admit — it makes me a little excited to see one of my favorite television shows collide with one of my favorite topics. It’s a rare event, so you can imagine how happy I was to see The Verge article entitled “Game of Thrones makes its stars two-factor their emails now.”
No, I’m not very fun at parties.
As the series is now at a point where it is beyond the original novels, secrecy – and security – are crucial to guarding the plot of what has yet to be released. Studios go to great lengths, doing everything from punitive non-disclosure agreements all the way to filming multiple endings to prevent even the actors from knowing the outcomes. It’s no wonder that keeping the bad guys out is a critical factor in keeping the silence.
Sorry - it had to be done.
As we learned in Verizon’s 2016 Data Breach Investigations Report, over 63% of all confirmed data breaches come from compromised credentials. It should then come as no surprise that adding an extra layer of security in the face of keylogged, phished, or otherwise stolen credentials is a great idea. By adding another step to the authentication journey, we gain a great deal of additional assurance that the identity of the person accessing the account is valid and genuine.
A word of caution – when choosing a multifactor approach, consider the following:
- How will this affect the user’s experience during authentication?
- How easily can the additional factor be compromised?
- What is the cost of adding complexity to authentication versus the risk of the stolen credentials?
These considerations can be weighed against your needs to identify the best MFA solution.
Digression: In my opinion, the “question/answer” approach is the absolute worst form of MFA.
I’m looking at you, banks.
If you provide a standard list of questions, like “mother’s maiden name” or “street you grew up on,” you’re basically adding all of the inconvenience of additional authentication steps – with none of the benefits. Thanks to social media, genealogical/historical websites (ancestry.com), and stalker apps … I mean, “personal information aggregators,” you can find these answers pretty much at will. If you force the user to select the question, they’re going to either use the same one for every site or forget it entirely, since it’s hard to push to a password manager. Just don’t do it; there are at least a dozen better ways.
I’m very happy to see some media talking about IAM strategy, especially using a phrase like “two-factor authentication” in the title. However, I was disappointed that the article didn’t have any details about the actual multi-factor approach being used.
Beggars can’t be choosers.