I am building a new webapp and I am currently working on the multi factor authentication part. I would like to offer choice when it comes to MFA, and I’ve been thinking about what choices I can offer. I have a plan, but I’m worried that two of the options I am thinking of offering look more secure, but in fact are less secure than the basic option.
When setting up MFA on the account, I was thinking of a form something like (
[...] represents a form field):
In addition to every login, require MFA every [d] days. Require [All | Any n | n Random] factors, where n is [f]
Requiring All MFA is certainly the most secure, but is
Any n or
n Random better or worse than
All MFA with one less factor?
For example, is 2 factors where you don’t know which one will be asked for worse than 1 factor which you’re always asked. Is it also true for 3 factors, where 2 random factors will be asked for, vs a straight 2 factors always required?
It certainly adds extra hurdles from the point of view that you might have to get extra codes, but then again you could just keep trying (with delay) until you get asked for the right code, so it might not be much of a hurdle.
On the other hand, if I’m guessing/brute forcing, I have more chances to get it right if I don’t have to put in all factors. With the
Any 1 of 2 factors example, I have doubled my chances of guessing it as it can match either factor.
Should I just have
All MFA, or should I show the other options as well?