I hate MFA

I hate multi-factor authentication, and I’m not the only one. I understand it’s useful to make it harder for criminals to steal your information, but even with this, I despise it. I like the idea but I hate the implementation. Here I summarise in a couple of points why I don’t like it. I wrote this as a rant, so the language used here can be NSFW.

It distracts me, a lot

I’m a slow learner and I have difficulty completely focusing on a topic. I need my full attention dedicated to my work if I want to make any substantial progress. This means that my workflow is quite binary: or I am fully focused on the thing I am working on (in this state I’m writing code) or my attention is scattered and I’m doing dozens of things at the same time (in this state I’m communicating with other colleagues). To foster these moments I remove any source of distractions from my surroundings, which means leaving my phone in plane mode in another room. So when my brain is at 200% CPU usage and I log into some service and they ask me to authenticate with my phone, my attention receives a right hook that directly knocks it out. When this happens it means that half of my morning productivity gets destroyed, so I’m sure you can understand how frustrated I feel when it happens. Come on, we’re in 2023, how it’s possible that we still have to do these things manually?

It forces me to have a smartphone

During the last few years, I’ve been experimenting with periods of disconnection from the online world. This means that I only use a banana phone and interact with the internet via my laptop during designated hours. During these time periods, I’ve experienced some problems with sites that don’t support very well SMS MFA. Also, I got charged for each SMS I received, which is not nice.

It also forces me to have the SAME smartphone. Some months ago I broke my smartphone, and after changing it I discovered that I couldn’t access my job MFA app. This meant I had to talk with the IT folks (who thanks to God are very nice. It was the only nice part of this episode) and I had to lose their time and mine recovering my access to the app.

It couples online and offline

This is the most problematic point I see with MFA. According to Okta

As the name implies, MFA blends at least two separate factors. One is typically your username and password, which is something you know. The other could be:

• Something you have. A cellphone, keycard, or USB could all verify your identity. 
• Something you are. Fingerprints, iris scans, or some other biometric data prove that you are who you say you are.

This definition is assuming a lot of things, and more importantly it is assuming that it exists a you. Maybe behind the screen there’s a group of people working on the same computer. Maybe it could be a fine-tuned LLM working for you (where do LLM have their eyes?). Maybe you don’t want to fucking share your fucking iris with no fucking one. Every day there are more options to work anonymously (eg: Noxx) so why do we need to expose our personal information for the sake of safety?

In terms of software engineering, I believe MFA commits a deathly sin against the commandment “Thou shall code against interfaces, not implementations”. In software, when designing interaction between components you should not depend on implementation details, only component interfaces. In this case it means you shouldn’t assume every “developer” has a phone, fingers, or biometric data.

It can be replaced with other solutions

Finally, it also makes me angry to think that it solves a problem that could be solved with other approaches. If it were the only solution to the cybersecurity problem, I would accept it, but we have enough solutions at our disposal to solve the same problem and I don’t understand why we are still tied to MFA.

For example, I’ve been using a password manager for the last two years, and now all my passwords have been generated automatically. This means that if you steal my password you’ll only have access to one of my accounts. I know that this is not the perfect solution, and you can still somehow discover my password, but if you’re able to steal one of my 25-characters password (which would take ~4 thousand trillion trillion years) then there’s possibly nothing I can do to stop you from stealing my eye data.