Comment 8: Better Safe Than Sorry or Why MFA Isn’t So Bad

The ABA Rules of Professional Conduct, Model Rule 1.1 Comment 8 requires, “To maintain the requisite knowledge and skill, a lawyer shall keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.” To that end, we have created this regular series to build the competence and skills necessary to responsibly choose and use the best technologies for your educational and professional lives. If you have any questions, concerns, or topics you would like to see discussed, please reach out to e.koltonski@csuohio.edu.

 

More and more organizations are choosing to enable Multi-Factor Authentication (MFA) to better protect accounts for their employees and customers. Why? Because the number of cyber-attacks continues to grow daily. Recently, Cleveland State joined that trend by making MFA mandatory. The response has been mixed: some people are okay with the change while others have been annoyed. The two stances are not mutually exclusive. For example, you can embrace change and still be annoyed. More changes to the security posture of organizations are guaranteed in the future, so I thought today would be a good time to discuss why a little inconvenience for us is beneficial.

While talking about MFA the other day, I equated it to the front door of our homes, specifically to how many locks we have. Most outside doors have two locks. Some security-minded people may add an extra deadbolt. Beyond that you may have purchased an alarm system. Maybe even added bars to your windows. The truth of the matter is that, given enough resources and determination, a burglar will get into your house. It’s inevitable. What we’re doing by hardening our domiciles is making it more difficult for the burglar to get in. Some call this approach “deterrence” or “friction”. While our homes are being made more secure, we’re also inconveniencing ourselves: there are extra locks to undo, maybe extra keys to carry, and we must arm and disarm the alarm system every time we come and go. What a pain!

Adding MFA to your accounts is the exact same thing: we are creating friction so that would-be attackers will have a harder time taking over our accounts or intruding on our networks. Yes, it is inconvenient to have to enter extra information to prove that we are who we are but, like having to pay a subscription for a home alarm, the cost of protection is a lot less than the cost of loss.

There’s nothing wrong with being annoyed when your organization opts for MFA or other cybersecurity postures. I get a little frustrated with MFA from time to time myself; however, you need to remember that this minor friction for you may create enough deterrence to redirect hackers to easier targets. After all, like my mom always said, “Better safe than sorry.”