MFA done properly!

MFA is now expected to make web applications secure, but depending on how it is implemented internally, MFA might not be secure at all. I have a few recommendations for a more secure solution.

  1. Each MFA challenge should be single-use, with no parallel logins. I like the way Microsoft implemented MFA: the login screen shows a unique code, the Authenticator app receives a push notification with the code, and the user approves only if the codes match.
  2. Mobile and desktop operating systems should offer an option to allow unlocking only via biometrics. If needed, a PIN entered on reboot can decrypt the stored biometric data without unlocking the device; biometrics are then required for the unlock itself.
  3. Applications running in the background should not have access to the clipboard.
  4. If possible, an extended copy option: a special menu item that lets the user select the target application to paste into, plus an on-screen icon to clear the clipboard after pasting. Both desktop and mobile operating systems should implement this.
  5. Password managers should have the option of never showing the password anywhere on any screen.
  6. Password managers should be configurable to allow use only with biometric authentication, and/or only if the user unlocked the phone using biometrics.
  7. Authenticator application providers should allow the application to run on only one device and log out the rest. Moreover, as in suggestion 6 for password managers, biometric unlock should be required. A web page showing past logins and the list of push notifications should be available for at least a few months.
  8. In other words, instead of typing numbers for MFA, unique codes delivered with authenticator application push notifications should be used; this seems more secure.
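The server-side rules behind suggestions 1 and 8 (one live challenge per user, single use, number must match, short expiry) as an added illustration that is not code from the original post or from Microsoft; the challenge lifetime and the two-digit code length are assumptions:

```python
import secrets
import time

# Assumed policy value for this illustration (not from the original post).
CHALLENGE_TTL = 60  # seconds a pending challenge stays valid


class NumberMatchMFA:
    """Server side of a number-matching push MFA login (illustrative, not
    Microsoft's implementation). One pending challenge per user, single use."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock, so expiry can be tested
        self._pending = {}       # user -> {"code", "login_id", "expires"}

    def start_login(self, user):
        """Create the challenge shown on the login screen.
        Returns (login_id, code), or None when a live challenge already
        exists for this user, so two logins cannot run in parallel."""
        pending = self._pending.get(user)
        if pending and pending["expires"] > self._now():
            return None
        login_id = secrets.token_urlsafe(16)          # ties the push to this attempt
        code = f"{secrets.randbelow(100):02d}"         # two-digit code shown on screen
        self._pending[user] = {
            "code": code, "login_id": login_id,
            "expires": self._now() + CHALLENGE_TTL,
        }
        return login_id, code

    def approve(self, user, login_id, entered_code):
        """Called when the authenticator app sends back the code the user
        typed into the push prompt. Any failure discards the challenge, so a
        wrong guess or a stale push cannot be retried against it."""
        pending = self._pending.pop(user, None)       # single use: always consumed
        if pending is None or pending["expires"] <= self._now():
            return False                              # nothing pending, or expired
        if not secrets.compare_digest(pending["login_id"], login_id):
            return False                              # push from another attempt
        if not secrets.compare_digest(pending["code"], entered_code):
            return False                              # number did not match
        return True
```

Because a failed approval consumes the challenge, a two-digit code cannot be guessed across several pushes; the user has to start the login again.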

I know and understand that cybercrime is on the rise and a lot of money is being lost to scams. Operating system vendors, mobile companies and financial institutions could together come up with a framework to reduce cybercrime.

Founder of ALight Technology And Services Limited, victim of some R&AW identity theft coverup. Warning others of R&AW / spies manipulation and tricks!