Issues with Multi-factor Authentication: PSA for MFA App Users

Firstly, Multi-Factor Authentication (MFA) is an absolute must.  If you are not using it on your accounts, especially Internet accessible and critical systems, you are opening yourself up to a lot of unnecessary risk. However, MFA doesn’t come  without its own challenges and this is my journey into one of them. 

My three-year-old iPhone is at the end of its useful life, so last weekend I purchased a new iPhone and began trying to set it up. Other than having to log into the extensive list of random and rarely used applications again, the advent of the iCloud backup makes the whole process relatively painless.  

Except that is… for most MFA apps. Understanding the focus on security, the difficulty setting up a new phone is likely intentional, but could be considered a flaw in design. 

MFA apps by and large use one of two types of verification factors:  

1. Some kind of push notification, usually a click-to-authorize model if the applications that support your MFA app in that manner 
2. Or, Time-based One-time Passwords (TOTP) which is a rolling six-digit codes that you must type in manually. 

Below are a few examples of the transition process with three different application. 

On my iPhone I have the Zoho OneAuth, Google Authenticator & Microsoft Authenticator applications.   

The Zoho OneAuth app uses a push notification and I only use it for a single account, which made it fairly easy to transfer. When I logged into the app it noted I was using a different device and sent a code to another email address, which to allow me to transfer the authorization to my new device.  

My Microsoft Authenticator has a handy option which stores a backup in iCloud for my nine accounts I have configured in that app. Upon restoring them on my new phone, two of them worked without further intervention. The remainder of the accounts required me to “scan the QR code provided by your organization”. Upon further investigation, the seven untransferred accounts pushed notifications to the various emails, some of which were no longer active and should have been removed.

My Google Authenticator app, however, has 18 accounts configured and no way to transfer them at all for an iPhone user. I now have to chase down all 18 accounts in addition to the seven in Microsoft authenticator, and determine the process for migrating my MFA clients. 

Takeaways

Painful maybe, but I am fortunate in this example to still have access to my previous, functioning device, allowing me to continue to use the existing MFA easily without going through the “lost my device” scenario 25 times in the meantime.The requirements for each account are often very different and can be time consuming. For example, one account requires me to submit a personal picture and my driver’s license for approval before they will activate my new iPhone. With access to my previous device, I avoid the immediate need to spend hours jumping through hoops to transfer accounts, so with that, I have two devices until everything is transferred. 

This was a planned upgrade that provided me the best-case scenario for switching MFA applications. If you happen to lose, damage, or have an inoperable phone with MFA services, good luck. 

The Sayers Identity and Access Management (IAM) practice offers extensive services, including multi-factor authentication assistance. We can help identify the best solutions for your organizational MFA needs while also assist in the implementation and management of those solutions. Speak to an IAM expert today and identify options to increase security.