Why Users Secretly Snub MFA Apps

MFA apps are here to stay. But for some people, having a security app on their smartphone makes them uncomfortable. Here’s what they say.

Security-conscious organisations go to great lengths to protect their users. Cybercrime surged during the COVID-19 shut-downs. This served as a wakeup call for many businesses. As a result, cybersecurity has become a priority for many organisations, especially those that have set up remote access as part of their work-from-home arrangements.

One standard method used to enhance online security is the use of multi-factor authentication (MFA) systems.

Why are MFA protocols such a big deal?

Multi-factor authentication protocols help enhance security by requiring users to provide two or more forms of credentials to log in to their account.

While one set of user details may be easy to guess, hack, or steal, the process of uncovering more and matching them to a specific user account makes the task exponentially more difficult.

The forms taken by MFA can vary. They usually combine something the user knows (such as their username and password) with something they have (such as their smartphone). Some systems verify the user request by sending an email or SMS with a one-time passcode. The most straightforward methods involve responding to an authorisation request on a dedicated app. And for those that enjoy complexity, there are biometric USB encryption keys.

While every authentication factor helps reduce the levels of risk, some approaches are more effective than others.

Not all MFAs are equal

For example, in 2019, Google partnered with New York University and the University of California for a one-year study into multi-factor authentication strategies. The study found that SMS authentication blocked 96 per cent of bulk phishing attacks.

While this sounds impressive, the attacks that do get through means that potentially hundreds of thousands – if not millions – of accounts could still be compromised.

It’s not surprising. SIM cards can be cloned, authentication calls forwarded, and email accounts targeted by man-in-the-middle attacks. And as for biometrics – remember when you could unlock an iPhone by holding a photo up to the camera?

For these reasons, MFA increasingly takes the form of a dedicated authenticator app. Installed on the user’s smartphone and linked to the users’ account, the app receives authentication requests whenever someone attempts to access their linked platforms. This notification can take the form of a simple approval request, matching authentication codes, or entering a one-time code generated by the app.

MFA apps also offer extra layers of security. Users usually keep their smartphones on their person, and it’s common to lock smartphones with a PIN code. To access an account secured in this way would require a hacker to have access to a username, password, one specific smartphone, and that smartphone’s PIN – a feat that’s unfeasible even for the most dedicated black-hat organisations.

Why users object to MFA apps

But while many organisations embrace the security that MFA apps provide, some users feel uncomfortable with the idea of installing a security-focused app on their personal property.

“I already have a strong password.”
An 8-character password made up of letters, numbers, and symbols, provides 6,634,204,312,890,625 different potential passwords. If a bot can guess 1,000 passwords/second, it will take over 2,000 years before it hits even 1% of combinations. But while a strong password is a great start, user/password combinations can be exposed through a range of hacking activities. MFA plays an important ‘back-stop’ role in preventing password breaches from gaining account access.

“It might be spyware.”
This complaint comes from the security-conscious users who are wary of what they install on their devices. They may be aware of fraudulent apps released by shady organisations to track user movements and habits, or a well-earned dislike of pop-up notifications. Or they may be concerned over privacy, having already learned how many social media apps report user behaviours to their parent organisations for marketing purposes.

“It might steal my passwords.”
Usernames and passwords form the backbone of almost every online authentication process. Forgetting a password can be problematic, but losing it or having it taken by a third party can have extremely negative results – both for the user and the business. A cybercriminal posing as the user can do untold financial and personal damage.

“It might swipe my data.”
This concern stems from a user’s fear of being targeted by hackers and having their personal information stolen. Users might fear having their pictures, emails, or messages used for nefarious purposes, like online bullying, identity theft, blackmail, or doxing.

“It might wipe my phone.”
Users who express this concern might be aware that certain security apps can remotely lock down and wipe devices. These users might keep official documents on their devices, or treasured photos and videos. Losing these files would be problematic at best, making their fears understandable.

“It uses too much data.”
While some employees have smartphones and data plans as part of their remuneration packages, many do not. Others might like to keep their smartphones streamlined, only installing the applications they need to get by. Without fair compensation, the thought of having a work-related app hogging their precious mobile data might leave some users feeling uncomfortable.

“I don’t know what this app does.”
Many users don’t have a trusted source for digital security advice. Instead, they pick up security habits through social contacts. Without education, it’s understandable that a combination of uncertainty and responsibility might lead users to prefer login methods they know and trust.

Countering common MFA objections

You may have heard some of the objections listed above. These objections show a real need to demonstrate what an MFA app is, how it works, what it does and does not do, and why these things matter.

What MFA apps do

Most MFA apps operate the same way, storing dedicated encryption keys for specific accounts. These keys are stored in the app and nowhere else. When a platform receives a login request for a particular user, it sends an authentication request to the app. If the user approves the notification, the app uses the key to send secure approval to the platform. If the user does not respond or denies the authentication notification, the account stays locked.

Store encryption keys.

Any codes sent by a user’s smartphone are unique, generated by the encryption key stored on the device. The app polls the authentication server for requests and only sends encrypted responses when allowed by the user. Otherwise, these apps are not in contact with the security servers and do not send or receive anything else.

Generate one-time passwords.

Some authentication systems support the use of one-time passwords. The app generates these codes using the security key stored on the device. If the password matches the key, then the account is unlocked. If not, it stays closed.

Enforce authorised access.

Even though many users do practice good password hygiene, there are always chances that a password will be exposed, cracked, or even guessed correctly. Using an MFA app exponentially reduces the probability of a breach. And for the small percentage of users that insist on easy-to-guess passwords (admin123), they have the opportunity to block unauthorised access and change their password before a breach can occur.

They make sense for many users.

These apps make sense for remote workers. An employee who travels a lot might see the benefits of an MFA app, allowing them to access sensitive information while away from the office. But if workers spend most of their time in the office, there’s less of a need to enforce MFA behaviour, as remote access is not as much of an issue. Exceptions can be made when accessing networks internally to help lessen the number of login requirements.

What MFA apps don’t do

Genuine authenticator apps are easy to identify, as they come from recognised publishers and bare verified by trusted security organisations. Google, Microsoft, LastPass and others all have MFA apps available through a range of secure app stores.

They don’t take up much space.

MFA apps don’t take up much memory or CPU bandwidth. An MFA app’s average size is 73.5MB, which doesn’t leave much space for spyware and doesn’t clog a smartphone.

They don’t need extra permissions.

Authenticator apps don’t need many permissions. They might need access to a camera to scan a QR code, and network access to check for authentication requests. But that’s it. No reading emails, no accessing contacts, no forwarding user details.

They don’t wipe files.

MFA apps don’t allow employers to lock devices or wipe files. There’s no space in these apps for this kind of functionality, and they don’t require these kinds of permissions. So, there’s no way for any employer – no matter how unscrupulous – to use a genuine authentication app to spy on employees or wipe their phone.

They don’t interrupt workflows.

Most authenticator apps only interrupt a user when authentication is required. They don’t drain the batteries and only use a tiny amount of data to send and receive notifications. With a mobile allowance or the use of a company phone and plan, there’s no reason to believe an MFA app would distract users from the task at hand.

MFA apps simplify security at minimal cost to the user

When it comes to securing online platforms of all types, the weakest link is often the user. While an organisation can supply the tools and training, digital security is ultimately the individual’s responsibility.

It’s best to be safe. And MFA apps offer that safety.

In a way, an MFA app is kind of like having a concierge greet you at the entrance to a secure building. They streamline access to online assets and let you know if anyone tries to access your stuff without your consent.

No one wants to be at fault or legally liable for a data breach. And that little bit of proactive attention required by an MFA request is worth a user’s weight in gold. They protect the end-user, the business, and their online platforms – all while letting us work remotely.

And there are very few who would argue that working from home is not worth the push of a button.