by retrorangular 408 days ago
Yeah, many users choose weak passwords, re-use passwords, etc. Maybe most people can't be trusted with creating and using passwords. But probably even fewer users can be trusted to actually print off their MFA backup codes and store them in a separate place from where they live. A single instance of theft, fire, flood, or another unfortunate event could permanently destroy someone's digital life, which has major impacts on their real life (e.g. many banks are online only).

Text message 2FA has the advantage that recovering your phone number is pretty achievable, since carriers have physical stores you can go to with a photo ID (probably more difficult but not impossible with online-only MVNOs). SIM swapping attacks through social engineering are definitely a risk for some people, but probably not most. Unfortunately, with SS7 vulnerabilities, basically any text message 2FA code can be intercepted, so it's really not ideal. I think SMS alone should not be enough for account recovery or login, but as a second factor, maybe for many people the benefits might outweigh the costs.

Password managers largely fix the issue of weak passwords and password reuse. If that's too complicated, one-time use email magic links also fixes the issue. Those have their own downsides, but if a site has a "forgot my password" feature that gets reset through email, you're not losing out on a ton of security through magic links.

Of course, the downside of that is that if you lose access to your email account, you're truly screwed. In the past, when email addresses were not given out freely and people got email addresses through their ISPs, if you did lose access, maybe your ISP had some way for you to prove your identity (since you pay them each month) and regain access to it. But there's effectively no customer support for free Gmail, Yahoo, Outlook, etc. accounts. Even if you own your own domain, that's just moving the issue to your domain name registrar, which also likely doesn't have a physical location you can go to in person to verify your identity.

If there were some guaranteed official way of proving your identity and regaining access to your email account, then I think that'd fix a lot of issues. Unfortunately that'd come with privacy risks, as it'd require having a real ID associated with your email. But MFA through hardware authentication devices (e.g. YubiKey) or through software MFA (e.g. Authy, Google Authenticator, etc.) could remain an option for privacy-concerned users if they wished to avoid using a real ID for account login/recovery.

Unfortunately there are no perfect solutions so far, but I think Microsoft's approach here (quite similar to many other companies') may be too risky for the general population. I think companies, universities, etc. should fully lean into secure MFA, as they can easily resolve the problem if an employee or student loses their phone or hardware authentication device. But that option doesn't exist for personal email and other user accounts. There's a huge number of people in the developing world with only a single device (a phone, no other computer) and no printer for printing off backup codes (I guess you can write them down by hand, but in practice very few people anyplace will do that). I'm not sure Microsoft's (or other companies') passwordless-by-default approach fits that scenario. A strong, unique password for email, and then magic links for other accounts, might be a better approach for consumer accounts.
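The comment above treats "one-time use email magic links" as roughly equivalent in security to an email-based password reset. The properties that make that true are that the link token is unguessable, expires quickly, is stored server-side only as a hash, and is invalidated on first use. The following is an added illustration of those four properties, not code from the original post or from any vendor mentioned in it; the class name, the 15-minute TTL and the sample addresses are assumptions chosen for the example.

```python
import hashlib
import secrets
import time

# Assumed lifetime for a pending link; short enough that an intercepted or
# forwarded email is useless after a few minutes.
TOKEN_TTL_SECONDS = 15 * 60


class MagicLinkStore:
    """Server-side registry of pending magic-link tokens (hypothetical class).

    Only a SHA-256 digest of each token is stored, so a leaked table does not
    yield usable links. Each token is removed on the first redemption attempt,
    which is what makes the link single-use.
    """

    def __init__(self, now=time.time):
        # `now` is injectable so expiry can be tested without sleeping.
        self._now = now
        self._pending = {}  # token digest -> (email, expires_at)

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, email: str) -> str:
        """Create a token for `email` and return it for inclusion in the mailed URL.

        The raw token is returned exactly once and must never be logged.
        """
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[self._digest(token)] = (email, self._now() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token: str):
        """Return the email bound to `token`, or None if unknown, used or expired.

        pop() removes the entry before any further checks, so a token that is
        presented twice, or presented after expiry, can never succeed later.
        Looking up the digest rather than the token keeps any lookup-timing
        signal useless: it would leak bits of the hash, not of the token.
        """
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        email, expires_at = entry
        if self._now() > expires_at:
            return None
        return email


def login_url(base_url: str, token: str) -> str:
    """Build the URL placed in the email (hypothetical path, for illustration)."""
    return f"{base_url}/login/magic?token={token}"


if __name__ == "__main__":
    store = MagicLinkStore()
    tok = store.issue("alice@example.com")  # constructed sample address
    print("mail this:", login_url("https://app.example", tok))
    print("first click  ->", store.redeem(tok))   # alice@example.com
    print("second click ->", store.redeem(tok))   # None: already consumed
```

The two checks that matter for the comment's comparison are both visible in `redeem`: a link can be used once, and only within its TTL. A real deployment would also bind the token to the requesting session or rate-limit redemption attempts, but those are additions to, not replacements for, the single-use and expiry rules shown here.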


> Maybe most people can't be trusted with creating and using passwords. … Microsoft's approach here [passwordless] (quite similar to many other companies) may be too risky for the general population.

Thirty years have been spent incrementally improving password logins. The amount of education the public has endured on password and login security is staggering. And yet even after all this, we assess the measures insufficient for login security?

I am referring to even the advanced security crowd. How can they recover access when all devices are lost? Passwords are the only self-reliant way back. Secondary email addresses are the next way. A phone number is a third way. A social network is a fourth way. But a disaster can eliminate the second, third, and fourth ways all in one shot. The password remains the most important recovery tool.