Wed 01 November 2017


Multi-Factor Authentication Best Practices

I have spoken at conferences to encourage application developers to implement two-factor authentication (2FA), also known as multi-factor authentication (MFA), in order to address the inherent problems with username+password authentication systems. Enabling users to set up multi-factor authentication is one of the best ways to improve application security and protect user data.

Multi-factor authentication can take many forms and provide varying levels of protection. I believe the current best practice for multi-factor authentication is to offer users the following options:

  1. USB-based FIDO U2F hardware keys
  2. time-based one-time passwords (TOTP)
  3. single-use recovery codes

Users should be encouraged, perhaps even compelled, to choose more than one of these options. Otherwise, there arises a significant risk of users getting themselves locked out of their accounts if they, for example, lose their U2F keys or TOTP code generators. While such predicaments could theoretically be addressed by out-of-band customer service requests, that requires customer service staff to reliably and correctly authenticate users via telephone calls and other inherently insecure mechanisms. No matter how you look at it, account lock-outs yield poor user experiences, customer service hassles, and security risks, and therefore account lockouts should be avoided at all costs.

So if the user selects U2F, the system should encourage the user to also set up TOTP and/or single-use recovery codes. One might go so far as to not even activate multi-factor authentication until at least two methods are set up.

TOTP is a standardized protocol and thus should be offered in such a way that it works with commonly-used mobile apps such as 1Password, Authenticator, and Authy. TOTP is vulnerable to phishing attacks and thus not as secure as U2F keys, but unlike U2F keys it can be readily used on mobile devices, which is an argument for encouraging users to set it up even if they normally use U2F keys for everyday access.

Single-use emergency codes are not very useful on their own, but they are straightforward and pair well with both U2F and TOTP. The primary challenge is ensuring that users store these recovery codes in a password manager or other secure location.

While multi-factor authentication presents challenges for both application development and end-user experiences, it is increasingly important for developers to offer it as an option to users who have the requisite knowledge and motivation to utilize it.

Have I missed any important best practices? Other comments you’d like to share? Reach out and let me know.