Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Out with the old, in with the new: making MFA the norm

It seems it’s finally multi-factor authentication’s (MFA) time in the limelight. A recent Wells Fargo commercial touts a movement beyond the password with strong authentication. Bank of America enabled passcode-free mobile login with fingerprint. The White House released the Cybersecurity National Action Plan (CNAP), expanding upon Executive Order 13681, with a focus on securing accounts with MFA. Betty White’s on board, too. The attention is well-deserved – and MFA is here to stay; organizations are implementing and consumers are adopting. lists about 350 websites that support two-factor authentication (2FA, herein mainly referred to as MFA). In 2013, 25% of Americans had used 2FA in the past; but by 2015, this number had increased, as 39% of consumers were using 2FA. We’ve come a long way. Relying parties (RPs) have recognized MFA’s business and user benefits. Now it’s time to go further: push MFA to the point of ubiquity, focus on consumer preference and the MFA capabilities of their devices, and make MFA sustainable in the ecosystem and economy. Getting consumers on board A few user-centric obstacles have prevented MFA from reaching its full potential. The password remains a typical factor in MFA, so consumers still have to remember passwords. In many cases, consumers must type them in from a mobile device – not so fun with long passwords created under complex composition rules. Consumers can have more than a handful of online accounts for accessing bank accounts, health records, email, social media accounts – and the list goes on. Sixty percent of consumers find usernames and passwords cumbersome to use. While the password has its place, simply adding a second factor onto a password scheme isn’t the only way for organizations to adopt MFA. Plus, many websites and apps issue or implement their own second factor. As organizations develop and deploy stovepiped second factors – like Google Authenticator, SMS, FIDO’s U2F, among other options - we run the risk of overwhelming consumers with an abundance of unique second factors. When accessing accounts from multiple devices, the problem gets worse. This trend creates an exponential problem where the consumer must remember a variety of combinations: password x with second factor y here, password a with second factor b there. This could put MFA in a bind, where users don’t have access to a second factor when they need it. And RPs may not want to adopt something that adds friction to the customer experience, especially when that second factor affects authentication and authorization in ecommerce transactions. The good news Multiple factors are better than one, so we’re thrilled with market adoption over the past few years. Users have access to more options than ever. In many cases, new standards and enhancements to existing ones have made it possible for users to conduct any of the three factors in MFA from a mobile device. In addition, the market for consumer authentication devices continues to grow, allowing RPs to let users bring the second factor of their choice rather than bear the expense of its issuance and management. RPs can also choose identity federation to onboard more consumers to their services. Federation allows organizations with identity management expertise, and more importantly, access to a large market of existing users, to save RPs the cost and operational burden of identity management by providing them with identity proofing and credential management services. In the end, RPs choosing federation services or letting users bring their own second factor can reduce costs, improve user experience, and enhance security and privacy. How’s NIST working on this? For government, the updates in Special Publication (SP) 800-63-3 align with private sector innovation and best practices. Draft SP 800-63-3 recommends MFA for all assurance levels. To facilitate MFA ubiquity, draft SP 800-63-3 encourages market growth, with greater support for mobile devices, new options for the use of biometric authentication, and binding recommendations for RPs that want consumers to feel free to bring their own credential. Making MFA the norm means players in the ecosystem need to collaborate, innovate, and, in some cases, push the envelope beyond current business practices to cutting-edge service delivery – with a focus on user-friendly solutions. With increasing support for user choice and federation, we are on our way to ensuring that consumers can access their many accounts more conveniently and more securely. Twitter: @NSTICnpo
We’ve dedicated this month to talking about MFA. For more information, check out our back to basics approach to MFA and our coffee chat with Michael Kaiser, the Executive Director of the National Cyber Security Alliance (NCSA).


Add new comment

Enter the characters shown in the image.
This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.
Please be respectful when posting comments. We will post all comments without editing as long as they are appropriate for a public, family friendly website, are on topic and do not contain profanity, personal attacks, misleading or false information/accusations or promote specific commercial products, services or organizations. Comments that violate our comment policy or include links to non-government organizations/web pages will not be posted.