New frontiers in multifactor authentication

Could a degree of psychology prove to be an unbreakable addition to multifactor authentication?
5 April 2023

Does the future of multifactor authentication depend on psychology?

In Part 1 of this article, we spoke to Scott McKinnon, Field CISO, EMEA at VMware, about the evolution of multifactor authentication away from SMS and towards technologies that are less troublesome and less easily hacked.

Scott explained that the principle of multifactor authentication would probably remain sound for a while, but that by using additional or different factors to generate the second-stage authentication, we could potentially steal a march on bad actors who are becoming more adept at getting around the SMS authenticator.

Twitter had started a larger debate around multifactor authentication by announcing a plan to use it as a way of monetizing the platform through different levels of membership. While we had him in the chair, we asked Scott about the potential rationale – and viability – of such a scheme.

Added vulnerability or extra security?

THQ:
Does the idea of offering multifactor authentication to only verified, fee-paying Twitter Blue members not make non-subscribers actively more vulnerable to attack? Or is there some business logic to it?

SMcK:
Obviously, I can’t speak to the business model of Twitter. But from what I’ve seen, they offer multifactor authentication through SMS, through authenticator apps, and through other hardware as well. And interestingly, what they’ve said is that they have concerns over the security of the SMS channel, and that that’s what they’re looking to remove.

In a general sense, being able to have more robust identity verification services is a good thing. But as to why they chose to select a particular part of their user base for that? That’s open to speculation, I think. But as I say, the thing I would underline is that better security makes for a more attractive platform.

THQ:
And then of course, it can, at least ostensibly, be sold as part of this growing awareness that multifactor authentication by SMS is not as secure as perhaps it’s been believed to be.

SMcK:
Exactly. Actually, that’s a brilliant point. Maybe it does cause those users to reflect on how they are actually authenticating and verifying their identity to the service.

A journey of trust.

THQ:
You’ve said that there are third-party authentication apps. Why would users who have grown prodigiously used to the idea and practice of multifactor authentication through SMS necessarily trust such apps? Is there not a trust journey that has to be gone through?

SMcK:
Yes, I think you’re right. But I’d say if these apps are focused on and dedicated to a particular task (which is identity verification), it’s not just a small part of a social media organization’s operations to authenticate and validate the user. First of all, if they’re using these apps, they’ve got a focus on thinking about and thinking deeply about how to do this identity verification. The second point is that these applications are often based on open source tooling.

And when things are based on open source tooling, it means there are lots of different minds contributing to how these underlying tools are created. So you’ve got lots of different eyes from different places looking at these apps as they’re progressing, and it’s a bit like with encryption algorithms as well – they used to be kept secret so that nobody would know exactly how they worked, and now it’s been decided that it’s much better to have these encryption algorithms generated in the public domain, so that lots of researchers can look at them, discover vulnerabilities and suggest improvements.

So I think you’ve got the benefit from the open source creation. And, related to that, these applications will often be based upon standards. And there’s a certain bar that needs to be met for a standard to be adopted.

Intense visibility.

Lots of different eyes from different parts of the community look at these apps, so while of course, nothing is perfect, I think that increased level of scrutiny gives confidence to users that these applications are robust and trustworthy.

THQ:
Hmm. Of course, with open source –

SMcK:
Both the attackers and the defenders can see what’s happening, yes, so it feeds into that arms race.

But at the same time, if there is a compromise on it, the defenders can respond and it can happen quite quickly because of the open source community. So yeah, I think those are the three things that I would say:

  1. You know the apps are dedicated for a particular function.
  2. They’re based on open source and they follow standards, and
  3. The open source community can respond rapidly to fix any points of vulnerability or compromise.

THQ:
Great – that clarifies the reasons why people should trust these apps. But is there still a journey of education to go through, as most people have grown used to what they know, which is multifactor authentication usually by SMS?

SMcK:
I think so, yeah. Things change constantly, and obviously the rate at which they change is increasing. So you can’t really expect to stay still in the sense of how you protect people. At the beginning, when remote access systems first came out, all you needed to know was the telephone number of the server. If you knew that, you could connect. Then somebody thought “Well, hang on a minute, maybe we should put a username on here.”

Then obviously we moved to a password, so it is on this journey, and I think that as technology becomes increasingly part of citizens’ lives, you need to expect that things change.

The pace of change.

I’m just thinking about cars as well. I just drove my car, which isn’t all that new. Every time you’re on the motorway in a modern car and a car pulls out in front of you, red lights come on to warn you. My Saab 93 doesn’t do that. But now we’d expect it in fresh models.

As people, we adjust all the time to the fact that there are changes happening, and those changes are there for safety reasons and ultimately, cybersecurity is about keeping people safe. So people are well-adjusted to that concept.

THQ:
Fair. In which case, how long do we think it’ll be before the hackers catch up with third-party authenticators?

SMcK:
Well, as we’ve said, the arms race is constant, isn’t it? As soon as there’s a new method of protecting a user, some people are going to try and understand and decompose that and look for weaknesses in the system. And if they find a weakness, a vulnerability, and it can be exploited, then it needs to be changed. I think we can expect more of that with these mega-trends of technology like AI.

That’s coming in and in fact, maybe, thinking back about some of these multifactor authentication challenges, we may also start to see the beginnings of behavioral-based multifactor authentication. Tools that can actually recognize the way in which you enter credentials, and not just the credentials themselves.

But I think with the ability to collect information, analyze information and then draw insights from that, which is a general trend, that’s probably going to increase the pace of the arms race that we’re talking about.

The human factor.

The job of the defenders is to try to keep up with what’s happening and then learn exactly how compromises occur. That gives us information about how we can defend. So one part of the job is continuing this open disclosure about what happens. No victim shaming, no recriminations for people who are ultimately the victims here.

THQ:
That gets overlooked in the focus on the tech sometimes, doesn’t it?

SMcK:
Yeah. Ultimately, if there’s a hack of the authentication process, it should be viewed as a failure of the technology and the process, not a reason to blame the individual.

So it’s all about what technology is deployed, what processes are in place, and how we can improve them, which is why it’s interesting that more people with psychology backgrounds are coming into cybersecurity, because they have that kind of human understanding about how we behave.

Then we can really help to improve everything from cyber-awareness programs to the technology itself.

Scott McKinnon, Field CISO, EMEA, VMware.