Have you ever found a user at your company who actually likes using multi-factor authentication (MFA), whether time-based one-time passwords (TOTP) or push-based MFA? Either method adds friction for users by requiring a second device for logins, while raising the cost to attackers. However, both have problems. SMS MFA is widely regarded as insecure because of the proliferation of SIM jacking attacks that allow interception of SMS-delivered MFA codes, but TOTP MFA is also phishable.
MFA push notifications are also trivially easy to overcome: people’s attention can be exhausted by repeated prompts. Look no further than Uber’s recent security incident in mid-September last year; that was the likely entry point Lapsus$ exploited to gain access to Uber’s internal systems.
Moreover, TOTP and push MFA are cumbersome to use frequently. Neither vets that you’re logging in from a known device in a known location. Both require a third-party authenticator app. Users lose their phones, and it’s difficult to have codes available on multiple devices. Some authenticator apps do support backing up TOTP secrets to a cloud account, but backups are not typically enabled by default, which leaves users hanging out to dry if they lose access to their authenticator app.
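As an added illustration of the difference described above (example code written for this edit, not from Discord or the original post): a TOTP verifier accepts a correct code no matter which page collected it, whereas a WebAuthn relying party checks the origin the browser recorded in clientDataJSON before it even looks at the signature. The TOTP secret is the RFC 6238 reference test key; the origins and challenge are constructed.

```python
import base64
import hashlib
import hmac
import json
import struct

# RFC 6238 reference test secret ("12345678901234567890" in base32); not a real credential.
TOTP_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1. The code is a function of the shared
    secret and the clock only; nothing binds it to the page it was typed into."""
    key = base64.b32decode(secret_b32)
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32, submitted, unix_time, skew_steps=1, step=30):
    """Server-side check. It cannot distinguish a code entered on the real login
    page from one relayed through a lookalike page: any origin is accepted."""
    return any(hmac.compare_digest(submitted, totp(secret_b32, unix_time + d * step, step))
               for d in range(-skew_steps, skew_steps + 1))


def make_client_data(origin, challenge_b64url, typ="webauthn.get"):
    """Constructed stand-in for the clientDataJSON a browser produces; the
    authenticator signs over its SHA-256 hash, so it cannot be altered afterwards."""
    return json.dumps({"type": typ, "challenge": challenge_b64url, "origin": origin}).encode()


def verify_webauthn_client_data(client_data_json, expected_challenge_b64url, allowed_origins):
    """Relying-party checks on clientDataJSON that precede signature verification
    (WebAuthn 'Verifying an Authentication Assertion'): ceremony type, the
    server-issued challenge, and the origin the browser itself reported."""
    data = json.loads(client_data_json)
    return (data.get("type") == "webauthn.get"
            and hmac.compare_digest(data.get("challenge", ""), expected_challenge_b64url)
            and data.get("origin") in allowed_origins)


if __name__ == "__main__":
    # Constructed origins and challenge for the demo.
    challenge = "c2VydmVyLWlzc3VlZC1ub25jZQ"
    real, lookalike = "https://login.example", "https://login-example.com"
    print(verify_totp(TOTP_SECRET_B32, totp(TOTP_SECRET_B32, 59), 59))                        # True
    print(verify_webauthn_client_data(make_client_data(real, challenge), challenge, {real}))       # True
    print(verify_webauthn_client_data(make_client_data(lookalike, challenge), challenge, {real}))  # False
```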
Back when I joined Discord, a staff engineer on my team had been pushing for us to adopt WebAuthn, and soon. I’d heard of it, of course, but they pointed us to a thread from Dev at Figma chronicling their adoption of WebAuthn. WebAuthn and other hardware-based MFA mechanisms have significantly reduced the incidence of account takeovers (ATOs) at companies like Google and Coinbase.
In 2022, after completing our migration from Google Workspace to Okta as our primary Identity Provider, our focus turned to answering this question: our corporate user authentication strategy is great, but how can we continue to improve on it? We decided that was a good time to roll out WebAuthn everywhere.
This has been a transformative step for our security posture, and we want to walk you through how we did it, including both choices we made that worked out great and choices we made that we wish we hadn’t made. Read on, and we can hopefully help you with your migration!