Chris's Wiki :: blog/tech/MFAAccountRecoveryDistrust

A bunch of third party websites really want you to use multi-factor authentication these days. Some of them aren't giving some people a choice about it; for example, PyPI recently mandated MFA for sufficiently popular projects. I have decidedly mixed feelings about this in general, and I've realized that one reason for them is that I don't trust the some of the potential failure modes of multi-factor authentication. Specifically, the ones related to 'account recovery', also known as what happens when things go wrong with your MFA-related devices.

There's no general account recovery problem with MFA. For example, if the MFA hardware token from my employer was lost or destroyed, I'd report it and various processes would happen and a new one would show up and get registered to me. If the MFA I used with my bank was lost, I'd go to my bank branch to talk to them, and eventually things would get reset. But both of these situations have some things in common. I can actually talk to real people in both situations, and both have out of band means of identifying me (and communicating with me).

Famously, neither of these is the case with many large third party websites, which often have functionally no customer support and generally no out of band ways of identifying you (at least not ones they trust). If you (I) suffer total loss of all of your means of doing MFA, you are probably completely out of luck. One consequence of this is that you really need to have multiple forms of MFA set up before you make MFA mandatory on your account (better sites will insist on this). People advise things like multiple hardware tokens, with some of them carefully stored offsite in trusted locations. This significantly (or vastly) raises the complexity of using MFA with these sites.

More broadly, this is a balance of risks issue. I care quite a bit about the availability of my accounts, and I feel that it's much more likely that I will suffer from MFA issues than it is that I will be targeted and successfully phished for my regular account credentials (or that someone can use 'account recovery' to take over the account). If loss of MFA is fatal, my overall risks go way up if I use MFA, although the risk of account compromise goes way down.

(As a side note, this is likely not PyPI's situation. PyPI is apparently giving people security keys, and is clearly in touch with these people through additional channels. If PyPI considers you and your package critical, it's very likely that you can recover from an MFA loss. PyPI here is much more like my employer than it is like, say, Google. But most random websites that ask me to enable MFA are much more like Google than PyPI.)

(This isn't my only issue with 'you must have MFA' requirements, but it's a starting point.)