mfa key recovery

Some SaaS tools mandate multi-factor authentication (MFA), but this is bad for security and bad UX, until someone solves key recovery.

Multi-factor auth revolves around two proofs:

proof               example
Something I know    password
Something I have    multi-factor device, e.g. a smartphone with a rotating code, a phone number, or a hardware key like a YubiKey

MFA (depending on implementation) creates much stronger account security, particularly from leaked passwords. The problem is with humans.

If we ignore the class of security breaches where a human is deceived (e.g. phishing), we are still left with: humans are prone to mistakes. We will always lose our multi-factor device. Without the second factor, we still need some means of logging into our accounts.

Typically SaaS products solve for “lost mfa device” by introducing recovery information. Examples of recovery information are:

  • one time recovery keys
  • phone number
  • additional email addresses

Any extra “recovery” information we introduce reduces security. Each additional piece of information that we introduce to help “recover” accounts is another piece of information that can be used to breach account security. Having a ‘one time recovery key’ allows total bypass of MFA. Adding a phone number allows for SIM-swapping attacks.

We know that we have to solve for the bad UX of ‘lost MFA device means users cannot access their accounts’. But the ways that we want to solve the problem make the account less secure.

We cannot reliably distinguish between a user who legitimately does not have their MFA device, and a malicious user who does not have the MFA device.

Humans in the security loop are also insecure. Some businesses use ‘customer support’ mechanisms to solve the lost MFA device problem. But given we started with human error being a problem that led to less secure accounts, we cannot reasonably assume that customer support humans will be any less susceptible. Putting humans in the account recovery loop exposes us to confidence tricks, social engineering, and phishing attacks again.

Mandated MFA will not be both secure and good UX until someone solves the key recovery problem. Until we can reliably tell the difference between “legitimately lost MFA device” and “malicious actor”, we cannot build secure MFA recovery processes.