Auth & identity
January 31, 2023
Author: Stytch Team
Since 2017, hackers have stolen 555 million passwords on the web. As a result, most security professionals consider passwords to be “pre-breached” when designing identity and access management for their applications – when you onboard a user, you have to presume that the password they’re using is either already compromised or likely to become implicated in a future data breach (after all, 45% of US companies suffered a data breach in 2021 and this figure continues to rise).
In today’s digital landscape where we have to assume that a user’s password is or will soon become compromised, multi-factor authentication (MFA) is a necessity for protecting against account takeovers and fraud. However, as an engineer, it can be challenging to determine which MFA options for your application strike the right balance between security and user adoption. Effective MFA adoption is dependent upon consumer access and usability, which is why we continue to see the popularity of less secure options like SMS passcodes far outpace phishing-resistant options like hardware keys or device-tied biometrics. In this post, we’ll take a closer look at the different MFA options available, their relative security, and how to increase user adoption.
To ground this discussion in real-world data, we’ll draw upon Coinbase’s recent “Authentication Matters” article which shines a light on MFA types and the associated account takeover fraud. In this article, Coinbase provides detailed statistics on the cryptocurrency exchange’s customer adoption rates of different MFA options and the associated account takeover rates. It’s rare and commendable for a company to offer this level of transparency, and we believe that this data can be valuable for other engineers considering which MFA options to support and how to promote user adoption to prevent account takeover.
Coinbase’s data provides a great case study on both MFA adoption and security. Coinbase stores cryptocurrency on its exchange, which makes it a uniquely valuable account for hackers to target due to both the monetization potential and the irreversibility of cryptocurrency transactions on-chain. In other words, a hacker can make a lot of money off of a stolen Coinbase account.
As a result, Coinbase requires all users to have MFA, but they provide multiple options:
And their experience with both adoption and account takeover fraud rates illustrates the relative benefits and drawbacks of these various methods. For example, Coinbase discovered that their most popular 2FA option with users (SMS passcodes) is also the least secure – 95% of users opt for SMS, but this also accounts for 95% of successful account takeover attacks.
A particular MFA type’s user adoption rate being correlated with account takeover rate isn’t surprising in a vacuum, but it is more of an indictment of SMS 2FA when you consider Coinbase’s attack surface and hackers’ incentives. The majority of customers’ funds on Coinbase (57%) is held in accounts that are protected by a 2FA option other than SMS (either TOTP, push notification, or a physical security key). From a hacker’s perspective, they are most incentivized to target user accounts that hold larger amounts of crypto if the effort to attack those accounts is similar.
However, these larger accounts are seldom stolen by attackers because of the increased effort involved in breaking the MFA types that these customers use. Coinbase found that for these accounts using advanced MFA (TOTP, push notification, or security keys), only 5% of all account takeovers were successfully executed against these users. And of these rarer account thefts, 86% are concentrated on TOTP and push notification MFA, which unlike security keys, are not “phishing-resistant.”
Despite most Coinbase customer funds being protected by advanced MFA, only 5% of those accounts are stolen due to the increased effort involved in attackers’ trying to break those MFA methods. Meanwhile, SMS 2FA protects only 43% of Coinbase customer funds but comprises nearly all (95%) of account takeovers.
When it comes to MFA options, there are several available, each with its own set of advantages and disadvantages. Every application is different, but most should be offering multiple MFA options to promote both maximum adoption and advanced security options.
When considering which options to offer, here’s some important considerations for each MFA method:
In conclusion, choosing the right MFA options for your application requires a balance between security and user adoption. By understanding the relative security and adoption rates of different MFA options, engineers can make informed decisions that protect their users while also ensuring maximum adoption. By studying examples like Coinbase, engineers can gain valuable insights into the effectiveness and uptake of different MFA options. While some MFA options are superior when it comes to security, the theoretical security model of any particular MFA method is useless if users find it too friction-heavy to enroll in that MFA option.
The pragmatic path typically involves offering multiple MFA options to your user base and explaining the security benefits of enrolling in more advanced and phishing-resistant MFA. At Stytch, we’re particularly excited about the promise of new authentication technologies like passkeys, which provide many of the usability benefits of conventional MFA like SMS 2FA while also providing the security benefits of physical security keys like YubiKey.
With multi-factor authentication from Stytch, you’ll get the security protection your application needs, to prevent account takeovers, with a UX that will delight your users. Stytch offers a suite of MFA solutions that offer maximum flexibility and security while maintaining a great customer experience. Check out our products, explore our Docs or talk to an auth expert today!