Multi-factor Authentication implementations – my experiences

Many organizations are implementing multi-factor authentication, or rather two-factor authentication (2FA). This, in principle, is a good idea. It protects your personal and confidential information stored with government agencies and businesses from malicious actors. It checks multiple things: something you know, usually your password; something you have, usually a verification code they send you; or something you are, e.g. a biometric identifier such as your fingerprint or iris scan.

Most verification codes are sent via SMS text messages. This creates a problem. When you are travelling overseas, your carrier may not have a signal there, or international roaming charges may be too high. So you may put your smartphone in airplane mode, or purchase a local SIM card. Now you cannot receive the verification code via SMS. I recently ran into these difficulties while travelling overseas.

I am describing my observations of some Canadian 2FA implementations - some good, some not so good.

A Canadian government agency: I was expecting a communication from them. I asked them how I could access their website while abroad. They advised me that I could optionally download a 5 x 5 grid, with each cell A1 through E5 containing three random characters, e.g. AFY, KXW, etc. On login, you are asked to correctly enter the contents of three specific cells, say B4, C2 and E3. I was able to use this option successfully. I believe they have not publicized this option well. I was only informed when I asked.

They let you download a PDF file with the grid. Someone who gets access to your device could access the grid. Basic PDF readers do not allow you to set passwords on PDF files; only professional versions do. I worked around this by importing the file into MS Word, password protecting the file, and deleting the PDF file from the folder and the recycle bin.
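The grid-card scheme described above, as an added example that is not the agency's code: the server stores a 5 x 5 card of three-character cells, challenges the user for three cells, and compares the answer in constant time. The uppercase-letter alphabet and the text rendering are my assumptions; the page only says "three random characters" and that the card comes as a PDF.

```python
import secrets
import hmac
import string

ROWS = "ABCDE"
COLS = "12345"
ALPHABET = string.ascii_uppercase  # assumed alphabet; the page says only "random characters"


def generate_grid():
    """Build a 5 x 5 grid card: cell name (e.g. 'B4') -> three random characters.
    Uses the secrets module so the card is unpredictable."""
    return {r + c: "".join(secrets.choice(ALPHABET) for _ in range(3))
            for r in ROWS for c in COLS}


def make_challenge(grid, n=3):
    """Pick n distinct cells for the user to look up, e.g. ['B4', 'C2', 'E3']."""
    cells = list(grid)
    chosen = []
    while len(chosen) < n:
        cell = secrets.choice(cells)
        if cell not in chosen:
            chosen.append(cell)
    return chosen


def verify_response(grid, challenge, response):
    """Check the user's answer against the stored grid in constant time.
    response is a list of strings in the same order as the challenge."""
    if len(response) != len(challenge):
        return False
    expected = "".join(grid[c] for c in challenge)
    given = "".join(s.strip().upper() for s in response)  # tolerate case/spacing
    return hmac.compare_digest(expected.encode(), given.encode())


def render_grid(grid):
    """Plain-text rendering of the card the user would print or save."""
    lines = ["   " + "  ".join(f"{c:>3}" for c in COLS)]
    for r in ROWS:
        lines.append(r + "  " + "  ".join(grid[r + c] for c in COLS))
    return "\n".join(lines)


if __name__ == "__main__":
    card = generate_grid()
    print(render_grid(card))
    print("Enter cells:", ", ".join(make_challenge(card)))
```

The card is a static secret, so it needs the same protection as a password file on the server and, as the paragraph above notes, on the user's device.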

An online bank: While away, I tried to log in to my banking account. Normally they do not send a verification code, but ironically, they sent one because I was in a foreign country. I chatted online with an agent, who said I had to phone their customer service and there was no collect call number (this later turned out to be wrong). Or they could escalate and someone would respond in two business days!

Fortunately I had an app that allowed me to call from overseas cheaply. I called their customer service. I only needed to know if a deposit I was expecting had been made, and it was. But I could not receive the code. I was told I could opt for an email notification - not on mass platforms such as Gmail or Hotmail (as other organizations do), but only on secure platforms or work email addresses. I don't understand this policy. On my return, I discussed this at length with a manager. As indicated by him, they have now removed the email notification option, and have implemented a push notification, sending a code directly to your device, not via a text message - an interesting idea. However, this would fail in scenarios where your device is lost, stolen or broken.

A big-5 Canadian bank: In 2019, I could not access my brokerage account while abroad, as I was using a local number. To change the phone number on my profile I had to log in, and for that I needed the verification code. A Catch-22 situation. I had to call their customer service number. After a long conversation, an agent was able to help me. I don't remember the exact steps.

A number of other organizations: They either send verification codes via email, or by both email and text message, or give you a choice. Kudos to them. (There is a small probability that your email password may have been compromised).

A bank that issues credit cards: Recently I phoned about a duplicate credit card transaction - same date, same amount, same merchant. After they verified my identity with the usual questions, they still sent me a security code and asked me to read it out. Why someone impersonating me would try to credit my account beats me. A case of security gone overboard!

To summarize:

  1. Organizations need to consider all scenarios requiring individuals to enter verification codes, and provide alternatives when it would be difficult or impossible for them to receive the codes.
  2. They should provide an option of sending the codes by email, which can be accessed from many devices. Push notifications fail to reach users when the device is lost, stolen or broken. SMS messages fail to reach users when they have no signal or have changed their SIM card.
  3. The requirements should not be onerous, like signing up for an email account that you would never use otherwise. You will likely forget its password if you only use it once every few months.
  4. The use cases where someone is asked for 2FA should be analyzed based on risk. No need to take up the service agent’s time and the customer’s time in low risk situations.

Comprehensive work! Good Job, Hafiz!
