The (In)Convenience of Multi-Factor Authentication:
Authentication is based on one or more of three things: who you are, what you know, and what you have.
Most commonly, when applications rely on just a username and password for access, the application is relying on one authentication factor: what you know (i.e. the password to the account).
Multi-factor authentication (MFA) is when the application/software uses more than one of these options, such as what you know (a password) and what you have (a key) or what you have (your smartphone) and who you are (face ID scan).
When it comes to web applications, the usual options for the second element are a one-time code texted/emailed to the user, an authenticator application, a dedicated hardware token, or biometrics.
Why is this so important? Because, according to Microsoft, “your account is more than 99.9% less likely to be compromised if you use MFA.”
And it doesn't matter which MFA you use. Any MFA option drastically reduces the risk to your account.
This brings us to Twitter's recent MFA decision. In a relatively surprising move, Twitter announced that they would no longer support SMS as an MFA option for non-paying users.
Twitter's argument was based on security and is similar to something that the security industry has been saying for years: that SMS is the weakest MFA option available.
However, if that were truly the reason, then Twitter should remove the option entirely. Moreover, according to Twitter's own data, SMS-based MFA is overwhelmingly the most popular option used by Twitter users, with 74.4% of MFA users utilizing the option.
The question then becomes, will those users all install authenticator applications or simply drop MFA entirely?
Because MFA is a great example of where security and convenience must intersect for widespread adoption.
In the end, it doesn't how matter how secure the options are if nobody wants to use them.