Online services have several options as they move beyond passwords to try to make accounts more secure. Think of five websites that you have a user account for. How many of them offer you greater security with multi- or two-factor authentication (MFA or 2FA)?
The move to support 2FA is happening, slowly, but a report released this week suggests that many sites are lagging behind.
Password management company Dashlane examined 34 of the more popular consumer websites in the US to see how well they supported MFA.
It scored each site out of five, based on several criteria.
Sites got one point if they offered SMS or email authentication. They got another for supporting software tokens like Google Authenticator. Dashlane clearly considers hardware-based authentication superior though, as it awarded three points to websites that offered this option. These are hardware-based cards or keys like Yubikey or Google’s Titan that must be plugged into the computer or held next to it to authenticate the user. The FIDO Alliance’s Universal Second Factor (U2F) authentication is a good example of a standard that supports hardware tokens for accessing online services.
The good news is that most of the sites tested offered some form of 2FA. On the naughty list with no points were private neighbourhood social network NextDoor, gig economy company TaskRabbit, online medical care appointment booking service ZocDoc, and retailer Best Buy. They offered none of the three categories of 2FA, forcing users to rely on passwords alone.
Only about one quarter of the sites tested (24%) scored full marks by offering the full range of options, according to Dashlane. Bank of America, Dropbox, E*TRADE, Facebook, Google, Stripe, Twitter, and Wells Fargo scored five points each and were on the nice list.
Quite a few of the performers that fell somewhere in the middle are from the fintech or financial services side. Mint, which aggregates your financial account data, electronic payment company Venmo, and financial services players Discover, Citibank, Chase and American Express all relied solely on email or SMS-based authentication, the report said. Yet NIST deprecated support for SMS-based 2FA in 2016, and users who rely on email-based 2FA are vulnerable to phishing.
Dashlane also said that clarity was an issue on many websites. CEO Emmanuel Schalit said:
Through the course of our research we found that information on 2FA is often presented in a way that is unclear, making it difficult for consumers to confirm 2FA offerings. In fact, our researchers were forced to omit a large number of popular websites from our testing simply because the sites don’t provide any straightforward or easily accessible information about their 2FA offerings.
The Dashlane report focused on desktop browsers only, and didn’t include access via mobile apps in its assessment.
As patchy as support for 2FA may be, it’s only half the story. As recent research by Google and others has revealed, most of us don’t use 2FA even when it is available.
Mike
Does Sophos Home support MFA yet?
Steve
“and users who rely on email-based 2FA are vulnerable to phishing.”
Danny, would you please explain why you made that statement? I just don’t see the connection.
Philip Andreae
Multi-Factor is a confusing term. I would suggest we think about Channels, Modes and Factors.
We can use one, two or three of the factors – What You Have, Know and Are. We can introduce multiple modes of biometrics. We can use alternate channels. We need to think about what and how we layer security techniques and what level of risk we are willing to accept.
In the end we will come to understand it is the unique and secure object, such as a physical Token (U2F), your PC or phone with a Private key or secret stored securely with a secure element, TPM or TEE, paired with any number of other factors, channels or modes.
Without this we are always going to have to measure and score to decide if it is you on the other end of the voice or digital channel.