Users hate MFA

IDaaS Musings
3 min read · May 1, 2019

In case you have been living under a rock, MFA stands for multi-factor authentication and if you don’t have it yet, well, shame on you.

A few years ago, I went to a party thrown by the CEO of one of our customers. Opportunity to mingle! But first things first. As soon as I had gotten my tasty adult beverage, I set out to cover the floor like a veritable Roomba.

– Hi. I’m Thomas.
– I’m Patricia. Who are you with?
– I’m with OneLogin.
– I hate OneLogin!

This is not the response I usually get when I tell people where I work. The most common reaction is that people love OneLogin because they don’t have to sign into apps manually. Naturally, I was keen to find out more. Once I had swallowed my pride.

– Oh, really? Why is that?
– Because I have to use MFA every time I sign in!

I have always said that if you asked a group of engineers to build the world’s most secure app, it would also be the world’s least user-friendly app. Meaning, if all you optimize for is security, it’s bound to get in the way of end-users doing their job.

The best security solutions are completely invisible to end-users. The less you bother them, the better. Start putting up obstacles and they will figure out creative ways of working around the security. Check out this brilliant setup below where a user configured a webcam to show their RSA SecurID token so they didn’t have to carry it on them.

When companies started mandating that users carry a physical one-time password token, creative juices started flowing.

Back to Patricia. There is nothing like spending face time with end-users and her visceral reaction was an epiphany for me. It turned out that Patricia worked from home several days a week and her company had configured OneLogin to always ask for MFA when users were not on the corporate network. This was obviously tremendously annoying.

About six months earlier, I had met the founder of ThisData, which was a real-time risk engine for authentication. I reached out to Rich and asked for a meeting and it wasn’t long before we were both convinced that ThisData and OneLogin should join forces.

Today, ThisData is part of what we call Adaptive Authentication, which tracks a user’s movement across devices and locations. MFA is great for protecting against password theft, but it’s even better if you only ask for an additional authentication factor when you absolutely have to.

Adaptive Authentication will learn to trust Patricia’s home IP address over time and only ask for her one-time password (or send her a push notification) when it detects something unusual, such as an implausible travel pattern or a suspicious IP address.
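To make the idea concrete, here is a toy risk engine that behaves the way the two paragraphs above describe: it learns to trust an IP address after repeated successful logins, remembers devices, flags impossible travel between consecutive logins, and only asks for a second factor when one of those signals fires. This is an added example, not OneLogin’s or ThisData’s code; the trust threshold, the 900 km/h speed limit, the user, the IP addresses (from the reserved TEST-NET ranges) and the coordinates are all constructed for the illustration.

```python
"""Toy adaptive-authentication risk engine (added example; not OneLogin's
or ThisData's code). Every policy knob and sample value is an assumption."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt
from typing import Optional

TRUST_AFTER_N_LOGINS = 5    # assumed: an IP becomes "home" after 5 good logins
MAX_PLAUSIBLE_KMH = 900.0   # assumed: faster than an airliner is impossible travel
MIN_TRAVEL_KM = 50.0        # assumed: ignore small geolocation jitter


@dataclass
class LoginAttempt:
    user: str
    ip: str
    device_id: str
    lat: float
    lon: float
    when: datetime


@dataclass
class UserProfile:
    ip_counts: dict = field(default_factory=dict)   # ip -> successful logins
    devices: set = field(default_factory=set)       # device ids seen before
    last: Optional[LoginAttempt] = None             # most recent successful login


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points."""
    r = 6371.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * r * asin(sqrt(a))


class AdaptiveAuth:
    def __init__(self):
        self.profiles = {}

    def decide(self, a: LoginAttempt):
        """Return ('allow', []) or ('mfa', [reasons]) for an attempt."""
        p = self.profiles.setdefault(a.user, UserProfile())
        reasons = []
        if p.ip_counts.get(a.ip, 0) < TRUST_AFTER_N_LOGINS:
            reasons.append("untrusted ip")
        if a.device_id not in p.devices:
            reasons.append("unknown device")
        if p.last is not None:
            km = haversine_km(p.last.lat, p.last.lon, a.lat, a.lon)
            hours = (a.when - p.last.when).total_seconds() / 3600.0
            # Distance covered faster than the speed limit (or backwards in time)
            if km > MIN_TRAVEL_KM and hours < km / MAX_PLAUSIBLE_KMH:
                reasons.append("impossible travel")
        return ("mfa" if reasons else "allow", reasons)

    def record_success(self, a: LoginAttempt):
        """Call once the login completed (including MFA, if it was required)."""
        p = self.profiles.setdefault(a.user, UserProfile())
        p.ip_counts[a.ip] = p.ip_counts.get(a.ip, 0) + 1
        p.devices.add(a.device_id)
        p.last = a


def simulate_patricia():
    """Constructed scenario: six daily logins from home, then a far-away one."""
    engine = AdaptiveAuth()
    home = dict(ip="203.0.113.7", device_id="laptop-1", lat=37.77, lon=-122.42)
    t0 = datetime(2019, 4, 1, 9, 0)
    decisions = []
    for day in range(6):
        a = LoginAttempt("patricia", when=t0 + timedelta(days=day), **home)
        verdict, _ = engine.decide(a)
        decisions.append(verdict)
        engine.record_success(a)   # assume the (possibly MFA'd) login succeeded
    # Same account one hour later, new IP and device, ~8,600 km away
    far = LoginAttempt("patricia", "198.51.100.9", "phone-x", 51.51, -0.13,
                       t0 + timedelta(days=5, hours=1))
    verdict, reasons = engine.decide(far)
    decisions.append(verdict)
    return decisions, reasons


if __name__ == "__main__":
    print(simulate_patricia())
```

In the simulation the first five home logins still prompt for MFA while the IP is being learned, the sixth is allowed silently, and the far-away attempt is challenged with all three signals. A production engine would weight these signals rather than treat any one as decisive, and would decay trust for IPs and devices not seen for a long time.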

It’s a win-win for Patricia and for the security team.
