Jan 12, 2024 - Technology

A simple security feature is proving difficult to actually use

Illustration: Shoshana Gordon/Axios

Setting up a simple security feature on online accounts has become so convoluted and confusing that even a U.S. government agency and top cybersecurity vendor struggled to get it right.

Why it matters: Enabling multifactor authentication (MFA) — usually inputting a code sent to your phone or using an authenticator app to log in to your accounts — is go-to cybersecurity advice to fend off hackers.

  • But that advice is useless if no one knows how it works and websites keep changing their MFA implementation policies, experts say.

Driving the news: The U.S. Securities and Exchange Commission is investigating a hack of its account on X, formerly known as Twitter, that resulted in a cybercriminal posting a false announcement that national exchanges could list Bitcoin ETFs.

  • While the SEC has not commented on how this happened, X said Tuesday that it confirmed that the account didn't have MFA activated.

Meanwhile, Google Cloud's Mandiant said Wednesday that a hacker used a brute-force password attack to break into its X account last week.

  • "Normally, [two-factor authentication] would have mitigated this, but due to some team transitions and a change in X's 2FA policy, we were not adequately protected," the company said.

Zoom out: MFA is designed to help stop simple password-based attacks by linking someone's account to their phone number, an authentication app, or another form of authentication.

  • In theory, even if a hacker had compromised someone's legitimate password, their scheme would be halted without access to the user's phone.

The big picture: Each website handles MFA differently. Some require all users to have it, some offer only text-based login codes, and others still don't offer it at all.

  • For example, X made its most popular form of MFA — text-based login codes — a premium feature in March. If users wanted to continue to have MFA, they needed to download a separate application on their phones to get a code instead.
  • MFA adoption was already low at X before the change: Only 2.6% of users had any form of two-factor authentication turned on, as of a July 2022 report, and of those, about 74% used the text-based option.

What they're saying: "A lot of the sites that we leverage allow you to use them in an unsafe way without it being super clear that you are doing that," Rachel Tobac, CEO of SocialProof Security, tells Axios.

  • "I would like each site to think of themselves more like a car: How does your car tell you that you're currently driving without a seatbelt on?" she says. "It has visual indicators, it has audio indicators, it's not going to let you keep going sometimes."

Between the lines: In today's security landscape, it's usually up to users to turn on MFA on their accounts — and they just aren't doing it.

  • Many websites make it difficult to turn on the feature, leaving the option buried in account settings.
  • Some users also get frustrated when they have more barriers to logging in to an account.

By the numbers: Fewer than half (48%) of employers mandate that employees use MFA at work, according to Barracuda Networks' State of MFA report in October.

  • Microsoft said in February that only 28% of its users were using MFA as of December 2022 — and 99.9% of compromised user accounts didn't have MFA on.

Yes, but: The kind of MFA that's available matters. A lot.

  • MFA that relies solely on a phone number is typically more vulnerable to attacks than MFA that is compatible with authentication apps offered by Microsoft, Google and others.
  • Hackers are able to take over someone's phone number using a tactic called SIM-swapping, which would give them access to a text-based login code.

The intrigue: The technology industry can easily change this dynamic if companies work together to make MFA a requirement for their sites' user accounts, Tobac tells Axios.

  • Sites like GitHub and Google have already started to mandate MFA for user accounts.
  • "It should be at least extremely obvious and easy to turn it on, if not required," Tobac says.

Be smart: If MFA is available for your critical online accounts — such as bank accounts and email inboxes — turn it on now.
