By now, we know that passwords are not enough to protect data. They’re easy to guess and easy to steal (check Have I Been Pwned to see if any of your account passwords have been breached – chances are good they have). The tech world’s solution to the password problem has been to introduce Multi-Factor Authentication (MFA), which requires users to provide two or more authentication factors to verify their identity and protect their accounts.
But here’s the thing: MFA has some serious flaws ranging from usability to cost-efficiency and – yes – even data privacy. Yet, even as they acknowledge these issues, tech experts suggest that people should continue to rely on MFA, saying that while it’s flawed, it’s still better than not using MFA. We disagree. When there’s a problem with a security tool, we don’t think businesses should learn to live with the problem – because there is an easy way to securely and privately access and share data without relying on MFA.
In the following two-part blog series, we take a deep dive into what that looks like and how it could change the way businesses and organizations function, starting with data privacy and usability.
MFA Places Your Personal Data at Risk
Here’s one of the scariest things about MFA: it frequently relies on your personal data – which means that if hackers gain access to any of the PII stored in even just a single account, they can then use that data to hack other accounts, like health records or bank accounts. That’s because MFA requires another piece of evidence to prove that you are who you say you are, like a code generated on your phone or physical token, your fingerprint, or information that only you should have – like the name of your favorite teacher or your childhood pet’s name. Personal information can be used as a primary way to authenticate you or as a backup in case you don’t have your phone or token with you.
Now, imagine your account is breached (one high-profile example of this, even with MFA, is when hackers gained access to the Twitter account of Twitter Chief Executive Jack Dorsey). Now the hackers have access to personal information stored in your account, which they can then use to take over your other accounts. It’s not a matter of a single breach and just one account compromised – whole aspects of your digital life are at risk. This is the irony of MFA: it’s meant to protect your sensitive data, but it can actually place your data at huge risk.
You Don’t Have to Give Up Your Personal Information to Protect Your Data
There is another way, and it’s as simple as verifying your identity once and being done. Your identity has been authenticated and you’re in the platform. An app-specific PIN can protect your information in a way that MFA cannot. Even if someone did get your credentials, they wouldn’t be able to get to your information without the PIN. In this case, there is no need to share your personal information at any point.
So, how would this impact how you share information that needs to be protected? Say a financial advisor calls a client to review a PII-filled document. In the world of MFA, the financial advisor would ask their client for some kind of proof of verification such as the street the client grew up on. In the world of the app-specific PIN, there would be no need for further verification. Personal information is never stored in order to protect data.
Accessing Sensitive Information Should Be Simple
The example above brings us to the next point about MFA – it’s too complicated. It requires users to prove, over and over again, that they are who they say they are – through a password, followed by another form of authentication – and often this has to be done every time they log in. It’s exhausting for users, which is why adoption is generally low. Imagine if instead of seatbelts in cars, we had an elaborate contraption of levers and pulleys we had to put together to protect ourselves. It would be frustrating, and nobody would want to use it. That’s what MFA is like.
The PIN is like the seatbelt – simple to use and easy to adopt because all you need is that PIN to access your protected information. It makes it easy to view and share data without having to jump through all the hoops required by MFA – while still offering the same levels of protection as MFA. That means no issues with adoption, no user fatigue, and business can continue as usual.
The icing on the cake? It’s not only more private and easier to use – it’s also cost-efficient. Come back next week to find out how.