Multi-factor authentication needs to be easier to use

In the past few weeks, I have set up various online accounts and services. I want to make them as secure as possible, so I have enabled multi-factor authentication. Doing this has been a torturous process.

For something so fundamental to security, I was expecting easy access to the option to select the method I want to use. If you are lucky, it is two clicks, but expect more. The first puzzle is where to find it. Is there a ‘security’ option, or is it under ‘options’ or ‘settings’? At least everything had a good help system that told me where to find it. The good news is that once you have found the right page, setting it up isn’t difficult. The default for many is to use an SMS message, but there may also be options to have a call made to a phone, use an authentication app or one-time codes.

Once it is set up, you may find issues. When enabled for MS Office365, setting up Outlook 2013 for Windows was not possible. I raised a support ticket with Microsoft. A very helpful Microsoft engineer called me and spent 1 hour going through various debug steps. In the end, it came down to the authentication failing as it was expecting an authorisation code, but there was nowhere to enter it. Disabling authentication, setting up Outlook and then enabling it again was the answer. The Outlook app for Android handles this, so why not the Windows version?

Is this the time to start a campaign for a multi-factor authentication standard? It does not have to be complex. For me, the basics are:

  • highlight when it is not being used on the account or service, using a standard approach (icons or text) across all platforms
  • access the setup page in a standard way
  • have a standard set of options for the main and backup methods
  • allow for entry of authentication information on all platforms

If the standard were adopted by developers, more people would use it, and security would be improved. I even have an idea for promoting it: a short clip of some Daleks going AUTHENTICATE! AUTHENTICATE! Does anyone have contacts at the BBC?