I know what you’re thinking. But I ask you to read some of the arguments in this article before making judgements 🙂
Firstly, some background. I work in cybersecurity. Like many people in the cyber industry, I am a big advocate of multi-factor authentication (MFA). It is especially useful for those with poor password hygiene, or those with sensitive online accounts such as online banking or their main email account – so most people. That said, a recent experience had me thinking about the balance between security and convenience. That balance is absolutely key, as user experience will increasingly become a deciding factor in the take-up of cyber security controls, for both people and organisations.
Here’s the thing. I recently lost my phone for a painful 24 hours. For 20 of those hours, I had accepted that I probably wouldn’t see my phone again. As a result, I couldn’t access some important accounts. But the pain was mostly felt with my Samsung account. Because my phone had fallen off my motorbike whilst I was riding around Hanoi, Vietnam, there was a chance it was sitting in a roadside bush and was entirely retrievable. Samsung has a ‘find my phone’ feature, but to sign into my Samsung account I obviously needed the password. That password, like all of my account passwords, was stored in LastPass, my password manager of choice.
To keep my password manager vault safe, I had enabled multi-factor authentication using application-based one-time passwords (LastPass Authenticator). LastPass Authenticator was on the phone I had lost. Unfortunately, the sign-in token for the LastPass browser extension on my laptop had expired, meaning I had no access to LastPass without my phone. I was facing a race against time, because at some point my phone battery would run out, leaving me with no way of locating it. In desperation, I submitted a ticket to Samsung.
Now, luckily for me, a bad internet connection in Hanoi eventually gave me cached access to my password vault through the LastPass Chrome extension. This was pure luck, and it meant I could copy and paste some important passwords out of the vault and into an unencrypted note file. Yup, you heard it here first.
Samsung unhelpfully replied two days later. Luckily for me, people in Hanoi are genuine and kind. Someone contacted me via a text message that a Vietnamese friend had sent to the phone, and it was back with me the next day.
Ultimately, strong cyber security practices had locked me out of my digital life. This had me wondering: is it really worth it? A self-imposed denial of service is probably more likely, and causes more impact, than someone else getting access to my passwords and having the motivation to take advantage of them.
Let’s take a moment to consider the other protection controls against a password vault being compromised.
Assuming there is no MFA, a threat actor would need to know your email/username and password to get into your account. Even then, they would need access to the email account itself to verify the new device via an emailed link. LastPass also has anti-brute-force and anti-password-spraying controls, such as temporary account lockouts and a maximum number of login attempts, to prevent unauthorised access.
These controls are strong, presuming you have a strong, unpredictable and unique password for your account. Therefore you could argue that MFA is only required as an ultimate fail-safe. We also have to ask what the likelihood is of a sustained, targeted attack against a person and their password vault. Probably very low for the vast majority of us.
With the likelihood of a targeted attack low and the controls strong, should I really inconvenience myself by using MFA when losing my phone is probably more likely than someone trying to gain access to my personal life?
Perhaps there are other solutions to my situation. But how complex are they, and are they worth it? In a similar way to anti-virus, should MFA be used by those without tech-savvy knowledge but not by those with it?
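To make the layered controls described above concrete, here is an added example (not code from this post, and not LastPass's implementation) of a toy login service with the three layers in question: a salted, iterated password hash, a lockout after repeated failed guesses, and an emailed token that a new device must present before it is trusted. The thresholds (five failures, a fifteen-minute lock) and the PBKDF2 round count are assumptions chosen for the illustration, not LastPass's actual policy, and the `pending_tokens` dictionary stands in for the mailbox the emailed link would land in.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field

# Policy values are assumptions for this illustration, not any vendor's real settings.
MAX_FAILURES = 5            # consecutive wrong passwords before the account locks
LOCKOUT_SECONDS = 15 * 60   # how long the lock lasts
PBKDF2_ROUNDS = 50_000      # slows offline cracking of a leaked database


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash: a leaked digest cannot be cracked cheaply or reused across sites."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failures: int = 0                 # consecutive failed guesses so far
    locked_until: float = 0.0         # unix time at which the lock expires
    trusted_devices: set = field(default_factory=set)


class LoginService:
    """Username/password login with lockout and emailed new-device verification."""

    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        # token -> (username, device_id); stands in for the link sent to the user's inbox
        self.pending_tokens: dict[str, tuple[str, str]] = {}

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[username] = Account(salt, hash_password(password, salt))

    def login(self, username: str, password: str, device_id: str, now: float) -> str:
        acct = self.accounts.get(username)
        if acct is None:
            return "bad-credentials"      # same answer as a wrong password: no username enumeration
        if now < acct.locked_until:
            return "locked"               # refused before the password is even checked
        if not hmac.compare_digest(hash_password(password, acct.salt), acct.digest):
            acct.failures += 1
            if acct.failures >= MAX_FAILURES:
                acct.locked_until = now + LOCKOUT_SECONDS
                acct.failures = 0
            return "bad-credentials"
        acct.failures = 0
        if device_id not in acct.trusted_devices:
            token = secrets.token_urlsafe(16)
            self.pending_tokens[token] = (username, device_id)
            return "verify-email"         # correct password, but the caller still needs the inbox
        return "ok"

    def confirm_device(self, token: str) -> bool:
        """Called when the emailed link is clicked; the token is single-use."""
        entry = self.pending_tokens.pop(token, None)
        if entry is None:
            return False
        username, device_id = entry
        self.accounts[username].trusted_devices.add(device_id)
        return True


def simulate_guessing(service: LoginService, username: str, guesses: list[str],
                      device_id: str, now: float) -> list[str]:
    """An attacker without the password works through a list of common guesses."""
    return [service.login(username, guess, device_id, now) for guess in guesses]


if __name__ == "__main__":
    svc = LoginService()
    svc.register("alice", "correct horse battery staple")   # constructed sample account
    common = ["password", "123456", "qwerty", "letmein", "alice2023", "dragon"]
    print(simulate_guessing(svc, "alice", common, "attacker-box", now=1000.0))
    # The lock does not know who is knocking: the right password is refused too.
    print(svc.login("alice", "correct horse battery staple", "alice-laptop", now=1000.0))
```

Running it shows both sides of the argument at once: the guesser gets five attempts and is then told nothing but "locked", and a correct password from an unrecognised device still goes no further than "verify-email"; yet the same lock refuses the legitimate owner's correct password for the duration, which is exactly the self-imposed denial of service described earlier.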
After this experience, I have disabled MFA for my password manager, for now at least.