Report reveals one-dimensional support for two-factor authentication

Online services have several options as they move beyond passwords to try and make accounts more secure. Think of five websites that you have a user account for. How many of them offer you greater security with multi- or two-factor authentication (MFA or 2FA)?

The move to support 2FA is happening, slowly, but a report released this week suggests that many sites are lagging behind.

Password management company Dashlane examined 34 of the more popular consumer websites in the US to see how well they supported MFA.

It scored each site out of five, based on several criteria.

They got one point if they offered SMS or email authentication. They got another for using software tokens like Google Authenticator. Dashlane clearly considers hardware-based authentication superior though, as it awarded three points for websites that offered this option. These are hardware-based cards or keys like Yubikey or Google’s Titan that must be plugged into the computer or held next to it to authenticate the user. The FIDO Alliance’s Universal Second Factor (U2F) authentication is a good example of a standard that supports hardware tokens for accessing online services.

The good news is that most of the sites tested offered some form of 2FA. On the naughty list with no points were private neighbourhood social network NextDoor, gig economy company TaskRabbit, online medical care appointment booking service ZocDoc, and retailer Best Buy. They offered none of the three categories of 2FA, forcing users to rely on passwords alone.

Only about one quarter of the sites tested (24%) scored full marks by offering the full range of options, according to Dashlane. Bank of America, Dropbox, E*TRADE, Facebook, Google, Stripe, Twitter, and Wells Fargo scored five points each and were on the nice list.

Quite a few of the performers that fell somewhere in the middle are from the fintech or financial services side. Mint, which aggregates your financial account data, electronic payment company Venmo, and financial services players Discover, Citibank, Chase and American Express all relied solely on email or SMS-based authentication, the report said. Yet NIST deprecated support for SMS-based 2FA in 2016, and users who rely on email-based 2FA are vulnerable to phishing.

Dashlane also said that clarity was an issue in many websites. CEO Emmanuel Schalit said:

Through the course of our research we found that information on 2FA is often presented in a way that is unclear, making it difficult for consumers to confirm 2FA offerings. In fact, our researchers were forced to omit a large number of popular websites from our testing simply because the sites don’t provide any straightforward or easily accessible information about their 2FA offerings.

The Dashlane report focused on desktop browsers only, and didn’t include access via mobile apps in its assessment.

As patchy as support for 2FA may be, it’s only half the story. As recent research by Google and others has revealed, most of us don’t use 2FA even when it is available.