Vlog: MFA Tried to Fix Passwords but How do we Fix MFA?

Well, hello everybody, and welcome again to the 1Kosmos blog. My name is Michael Cichon, I’m the Chief Marketing Officer, here at 1Kosmos. I’m here to welcome Huzefa Olia, our Chief Operating Officer, to the blog for a discussion on multifactor authentication.

How are you today, Huzefa?

I am good, I’m just getting roasted in this summer heat. I’ve been hoping the temperatures drop, that’s not happening.

That tends to happen here during the dog days of August. So we are recording this, August of 2022, just for the record. This will be available on demand. Well, thanks for joining today, Huzefa. I just want to start off with a baseline. What is multifactor authentication and why do we have it? What’s the need for it?

Yeah. So multifactor authentication, if we have to explain it, if we had to explain why it was put in place first, and it essentially goes back, let’s rewind the clock and let’s look at the first stages of how a digital identity, or a digital user, would use to authenticate themselves.

So we created a proxy, because in the real world, we can essentially walk anywhere, and you know, Michael Cichon is Michael Cichon, but in your digital identity, you needed to prove who you are, and you created a proxy in the form of a user name or a password. And over time, people realize that that alone is not enough, because they cannot trust your user name and a password, a proxy of you, because that can be compromised. And that led to, let me ask you something else, or let me ask you something else or challenge you in a way to prove who you are. And that’s where the advent of multifactor authentication, and subset of it, which is a two factor authentication came into existence as well. So, that’s about where the history goes.

Okay. So most of us are familiar with this. It’s the SMS code we get on our text on our cell phone to respond to, to prove we are who we are. So, what we’ve done is we had a proxy and a password, we kind of added another proxy, which is another factor. Is this what’s broken about MFA? Well, let me just ask the question, is MFA broken then? I mean, what’s wrong with this approach?

Essentially, what is wrong in any kind of an authentication flow today, is there is no identity in the mix. Today, authentication relies on two aspects, knowledge, you remembering the password or you remembering a pin that you set, or the second is trusting the device. Essentially, if I’m sending you an OTP and it’s coming to your certain device, or if you have a TOTP, which is part of a device. And both of these, in my opinion, are band aids to a very, very big problem. And that problem being that identity is nowhere in the equation of your authentication journey.

The whole concept of you relying on a user’s knowledge, which can be compromised very easily, and there are so many different methods, some of them not even sophisticated to get the information from you to compromise what your particular credential is. And then the second is, you talk about any kind of a multifactor authentication, or sending an OTP. It’s phishable, as well as at the same time, you’re authenticating the device, but not the user who’s actually using it.

Okay, well, I’ve also heard the, talking to a few analysts, that users are generally not too thrilled with MFA. So is there a user experience issue, I would imagine?

Yes, absolutely. I mean, I think there’s this joke on YouTube, and I found it hilarious, the history of password. And the comedians essentially said that you had a six character, or an eight character password, and then that wasn’t enough. And then you wanted a capital letter in it, that wasn’t enough. Then you put a symbol in it, and then it went on. And now those have become 12 characters and 16 characters, and you don’t trust that as well, and you essentially added a multi-factored layer on top of it.

So through this entire journey of security, the one piece that has never been considered or never been brought to the equation, is the user experience. We will keep cramming more and more friction to the user, because it cannot compromise the security. I’m not saying that security should be compromised per user experience, but going back to your earlier question, why are users so irritated with this method of authentication, especially with multifactor and everything that is involved? You’re adding more and more complex layers in a simple authentication flow for a particular user, which does not need to be the case.

Right. All right, well, historically this has all made sense. I mean, technology was what it was 20, 30, 40 years ago, and we’ve used what we could, we’ve added layers on top of it, but we have these two problems now. We have an identity problem, we’ve got a user experience problem. So how is it that what we can go about resolving to solve these two problems?

Yeah. Let’s look at, take ourselves out of the digital world. And today, if you have to prove who you are when you walk into a bank, or somebody says, are you Michael Cichon? How would you do it? There would be a certain ID, and that’s about it. It’s as easy as that. So, somebody looking at your face or some form of a biometrics committed picture. And with more technology enhancements, with devices now that can take biometrics into consideration, it is time to move away from the band aids and look at a different way of authenticating the user. Biometrics is central in this entire flow to replace what the authentication flow needs to be. And then if you talk about the user experience side of it, instead of burdening the user and remembering what your 16 character password is, and now wait for that OTP that I’m going to send you, just essentially make it very, very simple for them.

Let them just swipe their fingerprint or authenticate using their face to log in. That consistently, when industry experts have rated this from a user experience standpoint and as well as from a security standpoint, is extremely rated higher, compared to the legacy methods which are out there.

So again, now a lot of us are familiar with this. We’ve had the iPhones for a while, we’ve got the face ID, the thumb ID. Is that the 1Kosmos approach? Or what is the 1Kosmos approach then, to solving this MFA problems with biometrics?

So, number one, to begin with, what we recommend 1Kosmos is, move away from traditional MFA which is there. Your SMS base codes are a TOTP that has been sent to you, and move towards a biometrics based method of logging in. Now, the device to authenticate can be your face ID and touch ID, and it’s absolutely the first step in authenticating that particular user. But essentially we also preach that that should not be the only method what the user has to use.

Because again, they’re having studies, when it comes to face ID, there are multiple different users who can register. In fact, I have a personal story when it comes to face ID, my dad was visiting and I looked at his phone and it recognized me. I had not enrolled myself onto the face ID. And it made me realize, do I look really that old, now that my dad looked that old. So again, those are technologies, or devices, where they have been proven, where there are certain gaps. And we recommend essentially looking at the user live, or what we call as a live ID. And that can be used either for authenticating into, let’s say a crown jewels, or any kind of authentication as well.

So, I use a password that doesn’t verify identity, I use an SMS code, that maybe gets me closer, still doesn’t do identity. Now I do my fingerprint on the phone, and that still doesn’t give me identity. I do my face on the phone, that doesn’t give me identity. But you’re saying we do the live ID, which gives us identity. How does that give us identity?

Because, very simple. When you register a user, you can essentially say, at first time I’m registering you I need to know who you are. And we’ve taken a look at the whole digital identity registration process and authentication and trying to bridge both of them. There is this beautiful standard of missed 863 dash three. Essentially it lays out that how can I trust a user’s identity, but assigning an assurance level to it.

So the first time when the user walks in through the gate, we go through this identity proofing journey and assign an identity assurance level to them. And as part of that particular process, essentially what we are asking the user to do is, today, similar to what you would do in the physical world, take your ID, your government issued ID, scan it, and we ask the user to enroll then their live selfie and compare both of them together. And that essentially creates that fingerprint that we establish onto the system.

Next time when you’re logging in, just use your face. We compare it with that particular fingerprint I know that is actually tied to Michael Cichon, and then we let the user in.

Okay. All right, so that makes sense. It’s passionless, multifactor authentication backed by a verified identity. So for the very first time, whether it’s a worker or contractor, or a customer, or even a citizen logging on to a government website for the very first time with a verified identity, you can have a high level of assurance that that person is who they claim to be, that goes way past a knowledge base factor, like you happen to know a password, or you happen to have an SMS code?

Absolutely. And you use knowledge factors or knowledge base authentication, God no. We definitely want to move away from those. Yes. But when, in our authentication flows, what we tell our customers is that along with passing in the factor, which can be your face ID, touch ID, or even your live ID, we can essentially give you a flag on what that assurance level of that specific user is. And in certain scenarios, specifically with respect to customers, the more I trust the user, the more I can open up my services as well. And that becomes extremely interesting for any kind of a service provider.

Well, that’s interesting, because I would imagine that has tentacles into this zero trust notion.

Absolutely. And also when it comes to the user experience side of it, when it comes to zero trust, which not a lot of people discuss.

Well, this is exactly what I wanted you to talk about, so I very much appreciate your time today. We do have an upcoming webinar on this. It’s called MFA, Tried to Fix Passwords, now how do we fix MFA? Now this particular webinar is coming up on September 22nd, 10:00 AM West Coast time, 1:00 PM East Coast time. If you’re viewing this blog after that date, of course, that webinar will be available on the 1Kosmos website on demand.

Huzefa, I really appreciate your time this morning. Thank you very much. You have a great rest of your day.

Always a pleasure. Thank you.