The MFA Conundrum: Social Media Verification

How can social media platforms verify that their users are who they say they are? This question has become paramount for Facebook, Twitter, LinkedIn, and other platforms as instances of coordinated inauthentic behavior and CAMOSINT operations have become more prevalent.

Facebook may be exploring one solution to this challenge which requires its users to share a short video of their face with the platform in order to verify their identity. If this feature is implemented widely—and as of this writing there is no evidence to suggest that it will be—it will mark a significant advancement in Facebook’s account verification processes, and a sophisticated new approach to multi-factor authentication.

Multifactor authentication, or MFA, is a security measure in which the user provides at least two different types of credentials to verify that they have access to certain hardware, software or resources.

Deciding whether and how to enable MFA for your online accounts requires making trade-offs between security, convenience, and privacy. In some instances, for example, MFA will increase your account’s security, but may make it less convenient to access that account or require more identifying information to do so. This is the MFA conundrum, and navigating it effectively requires weighing your objectives for operating online with how the trade-offs between security, convenience, and privacy will affect your managed attribution.

Authentication can be divided into four different categories:

• Something you know, like a password or PIN.
• Something you have, like an RFID token.
• Something you are, like a fingerprint or retina scan.
• Somewhere you are, like a specific desktop computer in a secure room that contains specific files that are disconnected from your organization’s network.

MFA’s adoption among commercial users varies. In January 2018, a Google engineer reported that only 10% of Gmail users had enabled MFA, most commonly using a password combined with an authentication code sent to a mobile device (something you have).

For consumers, MFA increases their accounts’ security because the requirement for a second factor means that threat actors cannot just use a stolen password to access an account. It may also make logging into those accounts more convenient, if the second factor required is a user’s face or fingerprint. However, these gains come at the expense of privacy, as users are obligated to provide more identifying information.

Social media platforms potentially have the least trade-offs. Requiring MFA for user accounts helps to protect the platform from malicious or spammy activity, and can make it more convenient to tailor users’ experiences on the platform. The platforms themselves have few direct privacy considerations, although there can be considerable reputational risks associated with exposing users’ personal information.

Conversely, online operators may have the most trade-offs. While MFA secures their accounts, it may also be less convenient to operate multiple accounts. Moreover, any biometric requirements associated with MFA—such as Facebook’s advanced facial-recognition verification process—is likely to have a significant impact on operators’ managed attribution presence.

On the surface, MFA is an effective way to secure your online accounts. This security, however, is not without consequence. As consumers, most of us accept the increased security and convenience that MFA provides, even though it may require us to hand over more identifying information to social media platforms. Many of those same platforms are the arbiters of MFA requirements, but make few trade-offs themselves. Ultimately, online operators are the most likely to be impacted by MFA requirements. For this reason, it’s important to consider how your managed attribution will be impacted by the trade-offs of navigating the MFA conundrum.