4 Usability vs. Security

Security has always been a struggle between usability and safety, and that struggle is definitely involved in deciding which MFA solution to use. Admins and IT are moving to MFA precisely to improve security. Many users really don't want the best security when it impacts usability. This chapter explores many of the main points of usability versus security. It contains lots of “hard truths” that can be surprising for some readers to learn. It might even seem a bit out of place for a book dedicated to MFA.

This chapter starts with a brief discussion of usability; Chapter 23, “Selecting the Right MFA Solution,” covers usability in more detail. The bulk of this chapter is dedicated to the value of usability when it's competing with security.

What Does Usability Mean?

MFA must be sufficiently user-friendly that people won't mind using it and thus management feels they can require it. It must work with the organization's critical applications and fit within the culture. Not all MFA solutions meet both criteria. No MFA solution works with everything. Organizations always have to pick which critical applications they will end up protecting with MFA.

And different organizational cultures seem more inclined to particular types of MFA. For example, an organization whose employees already use physical building entry cards is more likely to be open to smartcards. Companies that are “Google shops” are more likely to be open to Google security ...

Get Hacking Multifactor Authentication now with the O’Reilly learning platform.
