Multi-factor authentication is now a permanent part of life. Unfortunately, it is implemented in so many different—and not always secure—ways that it can require a lot of tools to manage. I had done pretty well until recently by relying on Duo’s products. They have a really nice free MFA (or 2FA) authentication option that allows you to manage your devices. They also provided a WordPress plugin, but it has had low adoption and I began to worry about its future. Also, as I’m running Wordfence, a security plugin for my website that has MFA as well, I decided to simplify my options by dropping Duo on my site. At the same time, I thought I would move to one of the mainstream authenticator apps like Microsoft’s. It was a bumpier transition than I expected.
I wasn’t actually looking for a change in MFA options. But Wordfence does a good job of monitoring when your plugins were last updated. This can be confusing for WordPress site managers. You can have a plugin that does not appear to need an update and think that it is up to date. That’s wrong. A plugin can stop updating because no one is maintaining it any longer. I was working on a site recently that had about 30 plugins running and five or six had not been updated for years. Each one of those becomes a potential security risk. You won’t get an error, though, unless they stop working, or unless you are using a security app that lets you know a plugin isn’t being updated any longer.
Wordfence flagged the Duo Two Factor Authentication app, which you can still find in the WordPress plugins store. It is probably okay but I tend to be averse to putting “probably” adjacent to a security function. Duo has a new plugin that seems to enhance the original plugin, but it has had low uptake and I worry that the entire set of plugins might be ditched in the future. I have to say, though, that Duo has been incredibly reliable for many years for me. But I’m not a paying customer nor do I think WordPress sites are in their target audience.
As I am wont, one investigation led to another. The change in my website to Wordfence MFA from Duo was easy enough:
- disable MFA on the Duo plugin
- uninstall the Duo plugin
- activate the MFA on Wordfence
- set up my user account with MFA
and the boulder started rolling. The Duo Mobile app didn’t like the Wordfence QR code presented to set up the new MFA. This is not common but it’s also not a surprise. Fortunately, Wordfence provides a text-based code that you can type into an authenticator app and I was able to get started.
It was enough, though, to make me wonder whether the Duo Mobile app may need a second look. I would normally lean on either the Microsoft or Google MFA apps. I like that they sync a backup of the MFA information to your cloud account, just in case. There are loads of other MFA apps and people have their preferences. But, as I do with WordPress plugins, I worry about companies I know less about. Authy is an MFA app powered by Twilio that I’ve seen touted, but it recently had a security issue. (Also, I am not impressed by testimonials from 2016.) So I tend to stick with the most visible developers.
In the end, I decided to move to the Microsoft Authenticator and not just have dribs and drabs of my MFA experience scattered over too many apps and accounts. But I quickly ran into a road block and am now betwixt and between.
Standards But Only Ours
One of the nice things about multi-factor authentication is that the one-time code scheme authenticator apps use is an open standard. So anyone who wants to create an MFA app or experience can do so. As a consumer, it is up to you to sort through which ones you rely on to do it well and to adhere not only to the standard but to best practices.
It’s one reason I get frustrated with sites that still do MFA using text messages (SMS). We know that SIM swapping and other exploits can cause those one-time passwords (OTPs) to be intercepted. Or someone else triggers an SMS code to your phone and then calls you to ask you to “confirm” it. (You should never, ever, give anyone a password or PIN or OTP. Ever.)
When I started in San Diego, I began to learn how interwoven our law library-as-local public agency was with the county government. While we are not a county agency, we had some dependencies: they were our landlord, they managed some of our invested cash. And it was this latter item that meant I needed to have a County account (to Microsoft 365) because their financial process generated monthly bank statements. These were auto-loaded into a SharePoint site. The only way to get these statements was to log in to the County’s Microsoft site and download them.
Easy enough. Ask County IT for an account. No problem, let’s just set up your MFA. Using Akamai.
Let me be clear: I don’t have an opinion about Akamai, good or bad. It seems to be fine. I do have a concern about people putting all their eggs in one basket, as we all experienced recently with the CrowdStrike debacle.
The problem I have with this setup is that I have to have an app for a single account. I could, in theory, move all of my other MFA tokens over to the Akamai MFA app from (at the time) my Duo Mobile app. But why should I have to? Why can’t I just use my own authenticator app?
I think that one reason is that large organizations prefer to use a single security provider. Like CrowdStrike. Or Okta, which also had a security incident in which MFA codes were socially engineered from IT staff. A colleague I know works for a company that only uses Okta for authentication. And, frankly, what I was doing with Duo Mobile and the Duo login to my website was similar. The choice to go with Duo at the top meant that everything else revolved around Duo. If I had employees or other people accessing my site, they may have needed to use Duo too.
I added Akamai to the apps on the phone and I use it once a month to get my code to get into that SharePoint site. It seems dumb to have an app to do just one thing. Up until recently, I used Duo for everything else. Then I started to migrate to Microsoft Authenticator. As I moved, except for that hitch with the Wordfence QR code which also wasn’t recognized on the Microsoft app (and suggests Wordfence’s MFA implementation is off), everything was smooth.
There was an added benefit to doing this. First, it meant that I was making a current list of the MFA accounts I was using. Some of my older accounts I no longer used (or had deleted) and I still had the ability to create MFA codes for them. Also, as I disabled and re-enabled MFA on each account for the new app, I had to download or copy backup codes. This meant that I was more confident that I had them all in one place and hadn’t missed an account.
Peachy. Then I had to get a new account created. And as I set up the MFA, I realized they used a singular MFA app.
And it was Duo!
Out of the Frying Pan
Now I have three MFA apps. Akamai, Duo, and Microsoft. As Lando Calrissian said: “This deal is getting worse all the time!” I am especially annoyed that two of those apps contain one MFA account each.
Ironically, it actually makes the apps more usable when they only have one account on them. One thing I noticed on Duo and again am experiencing on Microsoft is that authenticator apps are really poorly designed. I use password managers—and EVERYONE should use a password manager or equivalent—and they have all sorts of organizational features. Sure, I can search for a password, but I can also create folders. I can create vaults on some systems that I can then share with others.
MFA apps are just flat lists. You can usually reorder the list, but as MFA grows, I am now starting to have almost as many MFA entries as I do passwords to manage. I would love it if any of these authenticator apps offered the ability to folderize the contents. It took me a while, but I am finally resigned to the need to just run a search each time for the MFA account I’m looking for. It’s better than nothing but it’s not ideal. If I don’t find it on a search, I need to browse an unordered list of 60+ accounts to find whatever I called it.
So what to do? Fortunately, I am only halfway through my move off of Duo and so it would be easy enough to move back. I take it a bit slow when I am switching on and off an MFA profile because, unlike with a “forgot password”, losing MFA control can mean losing an account. If you use MFA on faceless sites like Meta or X, and your only recourse is their technical support, you might as well create a new account. I’ve been converting accounts in batches, as time allows.
This singular approach though, where organizations constrain the MFA app in order to ensure end-to-end control of the MFA process, is unfortunate. I am sure I am not the only person who has this problem. It reflects a lack of consideration on the part of IT staff for managing security in a way that is both secure and open. They are committing to singular vendors for reasons that don’t make sense to me. I totally understand that security is important but, for example, I use Login.gov, a US government identity control service, and I can use whatever authenticator I want. If the government can do it ….
So I am not quite back to square one but close. I like the way Wordfence handles the issue. They give you a QR code to scan into your MFA app. It should work. If it doesn’t, you have a code you can try manually. If security teams are going to be captured by vendors, the least they could do is provide that same sort of flexibility for the end user.
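To make the "open standard" point above concrete, and to show why a text-based code works even when a QR scan fails, here is an added example that is not part of the original post and not Wordfence's, Duo's or Microsoft's code. The QR code an authenticator app scans encodes an otpauth:// URI; the manual fallback is the same base32 secret from that URI typed by hand. Once the secret is in the app, the six-digit code comes from TOTP (RFC 6238) built on HMAC (RFC 4226), which any standards-following app can compute for any standards-following site. The sample URI, its label and issuer are constructed for this example; the secret is the RFC 6238 reference key, so the codes can be checked against the RFC's own test vectors. The server-side `verify` helper goes a little beyond the post by showing the clock-skew window a site must allow.

```python
"""Added example: what an authenticator QR code carries and how the
six-digit code is derived from it. Standard library only."""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample (not from the post): placeholder label and issuer,
# RFC 6238 reference secret "12345678901234567890" in base32.
SAMPLE_URI = (
    "otpauth://totp/Example%20Site:alice%40example.test"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example%20Site"
    "&algorithm=SHA1&digits=6&period=30"
)


def parse_otpauth(uri: str) -> dict:
    """Extract what an authenticator app needs from an otpauth:// URI.

    The algorithm, digits and period must match between site and app;
    a site using non-default values that an app ignores is one way a
    QR scan "doesn't work" while the typed secret still does.
    """
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    query = parse_qs(parsed.query)
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "issuer": query.get("issuer", [""])[0],
        "secret": query["secret"][0].upper().replace(" ", ""),
        "algorithm": query.get("algorithm", ["SHA1"])[0].upper(),
        "digits": int(query.get("digits", ["6"])[0]),
        "period": int(query.get("period", ["30"])[0]),
    }


def decode_secret(secret_b32: str) -> bytes:
    """Decode the base32 secret, tolerating missing '=' padding as apps do."""
    padded = secret_b32 + "=" * (-len(secret_b32) % 8)
    return base64.b32decode(padded, casefold=True)


def hotp(key: bytes, counter: int, digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 4226 HOTP: HMAC over the big-endian counter, then dynamic truncation."""
    digest_fn = getattr(hashlib, algorithm.lower())
    mac = hmac.new(key, struct.pack(">Q", counter), digest_fn).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, at: int, digits: int = 6, period: int = 30,
         algorithm: str = "SHA1") -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / period)."""
    return hotp(key, at // period, digits, algorithm)


def code_from_uri(uri: str, at: int) -> str:
    """End to end: the code an app would display for this URI at Unix time `at`."""
    cfg = parse_otpauth(uri)
    return totp(decode_secret(cfg["secret"]), at,
                cfg["digits"], cfg["period"], cfg["algorithm"])


def verify(key: bytes, submitted: str, at: int, window: int = 1,
           digits: int = 6, period: int = 30, algorithm: str = "SHA1") -> bool:
    """Server-side check allowing +/- `window` periods of clock skew.

    Uses a constant-time comparison so the check itself leaks nothing
    about how many leading digits matched.
    """
    for step in range(-window, window + 1):
        expected = totp(key, at + step * period, digits, period, algorithm)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


if __name__ == "__main__":
    cfg = parse_otpauth(SAMPLE_URI)
    print(f"account: {cfg['label']} (issuer: {cfg['issuer']})")
    print("code right now:", code_from_uri(SAMPLE_URI, int(time.time())))
```

Run as a script it prints the current code for the constructed secret; the same six digits would appear in any RFC-compliant authenticator app after scanning the QR form of `SAMPLE_URI` or typing the base32 secret by hand. The one-period skew window in `verify` is the usual compromise between tolerating phone clock drift and limiting how long a stolen code stays valid.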
Otherwise I think you generate unnecessary friction. Which app has which MFA generator? Maybe I’m just better off without MFA or I will use a less secure MFA option, like SMS, to avoid having a bunch of one-off apps. I think the better solution would be to recommend a couple of MFA authentication endpoints (apps) and update those recommendations as the market changes and some of them are improved or exploited.