I designed some more user-friendly methods for multi-factor authentication.

When I tell people I work on authentication software, I nearly always hear some version of the same story: I hate multi-factor authentication. No, really. People hate this stuff.

So I spend a lot of time thinking about how we can make MFA a better user experience. We don't always need MFA to be airtight, after all. Sometimes, the Google match-a-number MFA flow is good enough.

[Image: Google match-a-number MFA prompt]

I thought I'd share here my best ideas for the future of multi-factor authentication. Here they are.

The big blind

We like entropy in auth factors, so it's intuitive to start with a familiar example of randomness: playing cards. For example, Wikipedia says there are about 2.5 million unique poker hands.

That makes poker hands a compelling secondary authentication factor. Here's what a simple version of the UI could look like: challenge the user to pick exactly five cards from a set of 52.

[Image: Hold 'em MFA, pick-five-cards UI mockup]

It's incredibly easy to remember your hand. Just ask any of your friends that play poker -- they can surely remember a bad beat. And it's pretty much impossible for an attacker to guess.

Cubes

This one's a bit tougher than poker, but it's much less risky. (I'm not sure how comfortable I am with just 2.5M possibilities). Instead of having the user pick 5 cards from a deck of 52, we have the user scramble a digital Rubik's cube.

Then, when the user logs back in, they just have to scramble the cube in exactly the same way. Easy. Here's what it'd look like:

[Image: Rubik's cube MFA UI mockup]

We can rest easy knowing that there are roughly 4.3 x 10^19 possible configurations of the cube.

The Shannon number

If we're looking for even more entropy in our auth factors, we could use chess games as an option. It's been estimated that there are 10^120 possible chess matches. That's a nice big number.

Imagine this: when you set up your account, you play out a chess match. When you log back in, you play out the exact same chess match. It's like a second password! There's no chance anyone would ever guess your chess match correctly.

[Image: chess-based MFA UI mockup]

It's clean and intuitive. Hard to beat. Plus it'll boost your chess skill.

Mavis Beacon teaches auth

Everyone types a little differently. We can exploit our unique typing tendencies as an auth factor. There's a simple version of this that relies solely on approximate words-per-minute (WPM), as shown below.

[Image: Mavis Beacon teaches auth, typing-speed UI mockup]

If you want access to your account, all you have to do is reliably reproduce the same typing speed!

Fingerprints without the hardware

Biometric factors like fingerprints are perfect -- except for the fact that they generally require fancy hardware. How does a normal web app take a fingerprint as an input?

Well, I just don't think it's necessary. You can simply present the user with a fingerprint and ask whether it's a match!

[Image: fingerprints without the hardware, "is this a match?" UI mockup]

All the benefit, none of the fuss.

Airgapped TOTPs

Everyone still seems to use SMS-based MFA, but we all know by now that SMS is vulnerable to SIM-swapping attacks.

How do we retain the user-friendly experience of SMS MFA while protecting ourselves from its vulnerabilities? I think I have a solution. We never put our passcodes over the air. Instead, we print them onto sheets of 8.5" x 11" paper and route them through a trusted Postal Service.

[Image: snail mail passcode delivery]

Maximum security.

Privacy first

Many of us would like to use photographs as an auth factor. We often require photographs as part of onboarding for certain sensitive applications (e.g., banking, ridesharing).

But users really don't like submitting photographs. It can feel a bit invasive. Plus, privacy considerations aside, it's just inconvenient and puts an annoying speedbump between the user and successful use of the software.

Good news: we don't need to grab a photo of the user. With today's multi-modal AI, we can simply infer identities from a self-portrait.

[Image: self-portrait auth UI mockup]

With self-portraits, we get two distinct vectors of comparison: first, we can evaluate the portrait for its similarity to the user's real appearance; second, we can evaluate the portrait for the user's skill level.

That stuff is hard to fake!

Of me I sing

Biometric auth based on users' voices used to be reliable, but now it's too easy to spoof with AI tools. But AI still has a tough time singing as poorly as normal people do -- that's why Karaoke Auth is the future.

[Image: Karaoke Auth UI mockup]

The user just has to pick a song and belt it out. For anyone thinking of implementing karaoke-based auth, I will caution you: it is critical to require the user to finish the entire song. Song fragments do not generate sufficient samples to protect against fraud.

Phone a friend

We can borrow an innovation from the Web3 crowd. Instead of sending a code to your email (predictable, boring, lame), the system sends a code to a randomly-selected relative. Like an uncle!

The user just has to help their uncle access a 22-year-old Hotmail account before the passcode expires (upon expiry, the system will select a different relative at random).

ToothFA

According to Pecan Tree Family Dentistry of McKinney, TX, our teeth are as unique as our fingerprints! If you're a fan of police procedurals, you're probably acquainted with this idea.

This is just advanced biometrics with no specialized hardware needed. Anyone with a modern smartphone can quickly and easily take a real-time scan of their teeth.

[Image: dental records, ToothFA scan UI mockup]

No need for any of that complicated passkey nonsense. Just stick your phone in your mouth.

LLM auth

LLMs are taking over. They're writing our code, answering our phones, and responding to our tweets. They're the future of everything.

Auth is no exception. Disruption is coming. In anticipation of an LLM-native future, we've designed the world's first LLM-based auth factor. It's radically simple: to access your account, you just have to convince the AI to let you in.

[Image: LLM auth chat UI mockup]

There's no hard-to-remember secret. There are no secondary devices. It's just the familiar chat UI we know and trust. Future proof.

Stockfish

Oh, yeah, I have another chess-based auth factor. It's too hard for most of us to remember an entire chess opening. Instead, we can play against a chess engine and let the computer guess our skill level (as measured by Elo rating).

[Image: Stockfish auth, play-against-the-engine UI mockup]

It's impossible to brute force. You really have to play the game.

Cinemauth

With just a quick OAuth grant from Letterboxd, any app can implement the Cinemauth standard.

You just challenge the user to make pairwise comparisons between a series of films. Pretty quickly, you accumulate a strict ordering. When you have a strict ordering, you ping Letterboxd for feedback: does this ordering accurately represent my user's preferences?

[Image: Cinemauth pairwise film comparison UI mockup]

This is the power of identity federation at scale.

Cinemauth for Enterprise

The Cinemauth standard isn't suitable for enterprise applications. No CISO wants a bunch of consumer Letterboxd accounts governing access to their environment.

The solution is simple. We replace consumer data with enterprise data. We replace the strict ordering of movies with coworkers. There's no need to sync up with some random third-party application. You can just use the HRIS you already have!

You just need to hire a consultancy to implement a custom Workday app (roughly a $2M investment) to support Cinemauth for Enterprise. It'll also totally work properly forever. There's no chance that it'll devolve into a disastrous mess.

Just think of how elegant the UI could be:

[Image: Cinemauth for Enterprise, coworker-ranking UI mockup]

Perfect.

Just don't show the results to the guy who heats up fish in the microwave; he might quit.

Is it ... Ethan? Jackson? Liam?

As with Cinemauth for Enterprise, this one requires an upfront investment. You need to build a database of your employees' children (ask for forgiveness, not permission).

Here's how it works: each user of the app sees a picture of a coworker's child, ideally one that's mentioned several times every week.

The user just has to correctly name the child! If they've been paying attention to their coworkers' anecdotes, this one shouldn't be tough at all.

[Image: "Who's that child?" UI mockup]

Easy for a considerate colleague, impossible for attackers.

Closing thoughts

Creativity in authentication is usually a bad idea. There's no reason to reinvent the stuff that works. Just pick something off the shelf -- like Tesseral! It's the only open source auth designed specifically for business software.

About the Author
Ned O'Leary
Cofounder and CEO, Tesseral
Ned is the Cofounder and CEO of Tesseral. Previously he worked at Gem and the Boston Consulting Group. He writes about product design, identity, and access management. You can often find him at Baker Beach in San Francisco with his puppy, Fred.