When I tell people I work on authentication software, I nearly always hear some version of the same story: I hate multifactor authentication. No, really. People hate this stuff.
So I spend a lot of time thinking about how we can make MFA a better user experience. We don't always need MFA to be airtight, after all. Sometimes, the Google match-a-number MFA flow is good enough.
I thought I'd share here my best ideas for the future of multi-factor authentication. Here they are.
The big blind
We like entropy in auth factors, so it's intuitive to start with a familiar example of randomness: playing cards. Wikipedia says there are about 2.6 million unique poker hands (52 choose 5, or 2,598,960).
That makes poker hands a compelling secondary authentication factor. Here's what a simple version of the UI could look like: challenge the user to pick exactly five cards from a standard 52-card deck.
It's incredibly easy to remember your hand. Just ask any of your friends who play poker -- they can surely remember a bad beat. And it's pretty much impossible for an attacker to guess.
Cubes
This one's a bit tougher than poker, but it's much less risky. (I'm not sure how comfortable I am with just 2.6M possibilities.) Instead of having the user pick 5 cards from a deck of 52, we have the user scramble a digital Rubik's cube.
Then, when the user logs back in, they just have to scramble the cube in exactly the same way. Easy. Here's what it'd look like:
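The only security-relevant question either of these factors raises is how big the keyspace really is and how long an online guessing attack takes against it. The following is an added example, not code from the post: it computes the keyspace of the poker-hand factor, the Rubik's cube factor and a conventional 6-digit one-time code, converts each to bits, and estimates expected brute-force time under an assumed unthrottled rate and an assumed lockout rate. The guess rates and the helper names are assumptions for illustration; the cube count comes from the standard formula (corner and edge permutations and orientations, halved for parity).

```python
import math

# Added example: keyspace and brute-force arithmetic for the factors discussed.
# The factor designs are from the post; the functions, the comparison to a
# 6-digit code, and the guess rates are assumptions added here.


def poker_hands() -> int:
    """Distinct 5-card hands from a 52-card deck: C(52, 5) = 2,598,960."""
    return math.comb(52, 5)


def cube_states() -> int:
    """Reachable 3x3x3 Rubik's cube configurations.

    8! corner positions * 3^7 corner orientations * 12! edge positions
    * 2^11 edge orientations, divided by 2 for the permutation-parity
    constraint: 43,252,003,274,489,856,000 states.
    """
    return math.factorial(8) * 3**7 * math.factorial(12) * 2**11 // 2


def otp_codes(digits: int = 6) -> int:
    """Keyspace of a numeric one-time code (keyspace only; a real TOTP also
    rotates every 30 s, which this comparison ignores)."""
    return 10**digits


def entropy_bits(keyspace: int) -> float:
    """Bits of entropy if the value is chosen uniformly from the keyspace."""
    return math.log2(keyspace)


def expected_seconds_to_guess(keyspace: int, guesses_per_second: float) -> float:
    """Expected time for an online attacker who is allowed to keep guessing.

    On average the correct value is found halfway through the keyspace, so
    the expectation is (keyspace / 2) / rate.
    """
    return (keyspace / 2) / guesses_per_second


# Assumed attacker budgets: an unthrottled API, and a 5-attempts-per-minute lockout.
UNTHROTTLED_RATE = 1_000_000.0
LOCKOUT_RATE = 5.0 / 60.0


def compare_factors() -> dict:
    """Return, per factor, its keyspace, bits, and expected guess time in days
    under each assumed rate."""
    factors = {
        "poker hand (5 of 52)": poker_hands(),
        "rubik's cube state": cube_states(),
        "6-digit one-time code": otp_codes(6),
    }
    out = {}
    for name, size in factors.items():
        out[name] = {
            "keyspace": size,
            "bits": entropy_bits(size),
            "days_unthrottled": expected_seconds_to_guess(size, UNTHROTTLED_RATE) / 86_400,
            "days_lockout": expected_seconds_to_guess(size, LOCKOUT_RATE) / 86_400,
        }
    return out


if __name__ == "__main__":
    for name, row in compare_factors().items():
        print(
            f"{name:24s} {row['bits']:6.1f} bits  "
            f"unthrottled: {row['days_unthrottled']:.2e} days  "
            f"with lockout: {row['days_lockout']:.2e} days"
        )
```

Read the output as a reminder that a 21-bit factor is roughly as strong as a 6-digit code and survives only because of rate limiting, while the cube's 65 bits would be respectable if a human could actually reproduce an exact state from memory.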