We’ve all been there – typing in our password, then having to dig for the phone and enter the string of digits texted to our account before we can log in to something. It’s not hard to think that multifactor authentication – because it adds an extra step in the process of accessing certain websites, products, or services – would automatically impact workplace productivity at some level.
There is a significant lack of hard data about just how much using multifactor authentication hinders productivity for end users. In our reporting, we found one usability study from a team at Brigham Young University that looked at five two-factor authentication methods and how testers adapted to setting up and using those various options for multifactor authentication. More on that report later.
At the most basic level though, because it requires an extra step after entering a username and password, using multifactor authentication does add a small amount of time to that process. However, the security tradeoffs may ultimately be a bigger workplace productivity saver.
A Quick Primer on Authentication Factors
Before we dive further into multifactor authentication, let’s review the key factors that can help with authenticating user access to data:
- Knowledge: This is something known, such as a username plus a password or PIN.
- Possession: This is something the user has in their possession, such as a smartphone or a security key. The user must have that device in their possession to receive a validation code, which is sent when the user uses the knowledge factors (username, password, or PIN). This validates that it was the user who entered that data to access the corresponding system.
- Inherence: This factor uses something unique to the user to validate their identity when they provide knowledge-based factors to access a site. Biometrics – which use fingerprint, facial, or voice recognition – are examples of this factor.
Some systems also use location and behavior factors: access is validated based on a specified location the user is connecting from, or through a behavior such as drawing a pattern on a lock screen that has a grid of dots laid out.
Any attempt to gain illicit access to a product or service is hindered because of the additional factors used to protect the knowledge-based factors of a username and password.
What Is the Difference Between Multifactor Authentication and Two-Factor Authentication?
Often, these two terms are used interchangeably, but there are differences between them. Users should be aware of those differences so they can correctly refer to the authentication method they are actually using and avoid confusion.
Two-factor authentication begins with a knowledge-based element. Then a second factor of authentication is required to validate the user’s identity. In most cases this is the possession factor, such as a smartphone that receives a random code for validation or runs an app that generates these codes on the phone itself. This extra factor is set up on the product or service website, or system administrators enforce the use of additional authentication factors via tenant policies and settings.
In multifactor authentication, an inherence factor is added to the authentication process – this factor is defined as “something you are,” like your fingerprint or face. For example, when an authenticator app is used to approve access to a system after the knowledge-based factors have been entered, a biometric element like a fingerprint grants final permission for system access or unlocks the generated code.
Any smartphone that has biometrics included on the device can use the inherence factor as an option to add the extra level of security to the authentication process. Many security keys in the market today have incorporated fingerprint readers to add this inherence factor to that process as well by default.
So, while two-factor authentication does use multiple factors (knowledge and possession), it is not multifactor authentication. Multifactor authentication requires the addition of an inherence factor, or an additional factor such as location or behavior if a product or service uses one.
Is There Any Productivity Hit When Using Multifactor Authentication?
Back to that study mentioned a few paragraphs back – a team at Brigham Young University studied five multifactor authentication methods and how users adapted to them. This study tracked the user experience in setting up the authentication method and accessing a test banking site daily. The researchers observed 72 users in total over a two-week period.
To summarize the findings – nearly 30% of the participants indicated the additional security was worth the extra time in the login process, while 13% stated that they would not be willing to use an additional step of authentication because the inconvenience was too high. While these stats are limited to one use case scenario, they do illustrate that more end users think the measures meant to thwart malicious actors are worth the bother.