Trust You? I Just Met You! How Trust-On-First-Use Can Increase Your Security


Multi-Factor Authentication. You know you need it. But you find the cost of rolling it out is too high. Specifically, the operational cost of enrolling those 2nd-factor devices, assigning them to users, resetting them when they are forgotten, and so on. So you do nothing and do not reap the benefits. Is there an alternative?

Yes. We can instead employ a trade-off in security and cost called Trust On First Use. Imagine a user is sent an email: “Your account now has 2-Factor Authentication enabled. On your next login you will be forced to enroll.” We can reduce the risk further by shrinking the time window; that email might instead say “You must log in within the next 24 hours and enroll”.

So the trade-off here is simple. We know multi-factor authentication dramatically reduces risk, permanently. In exchange, we accept the risk that a bad actor is able to guess a password and log in during this time window. But if they do, the person whose account they are masquerading as will discover it, since that person can no longer log in without a 2nd factor they never enrolled.

This can work for any type of 2nd factor. It can be a software application (Time-based One-Time Password, TOTP, such as Authy, Google Authenticator, etc.). It can be a Universal 2nd Factor (U2F) device (such as a YubiKey or Google Titan). It can be a push technology (Web Push Notification, SMS, a messenger). The key here is that the user is presumed trusted the first time (for some time window). They self-enroll. This skips the steps of the IT team having to manage enrollment.
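The enrollment window described above, as a small server-side state machine. This is an added illustration, not code from the post; the account fields, the outcome names, the assumption that the password check already happened elsewhere, and the choice to lock an account whose window expired unenrolled (rather than leave it single-factor) are all mine.

```python
import hmac
from dataclasses import dataclass
from typing import Optional

ENROLL_WINDOW_SECONDS = 24 * 3600  # "log in within the next 24 hours" from the notice e-mail
@dataclass
class Account:
    username: str
    second_factor: Optional[str] = None      # bound by self-enrollment; None until then
    enroll_deadline: Optional[float] = None  # epoch seconds; set when the notice goes out

def send_enrollment_notice(acct: Account, now: float) -> None:
    """Open the trust window: the user has ENROLL_WINDOW_SECONDS to self-enroll."""
    acct.enroll_deadline = now + ENROLL_WINDOW_SECONDS

def enroll(acct: Account, factor: str, now: float) -> bool:
    """Bind the user's chosen factor: only inside the window, and only once."""
    if acct.second_factor is not None:  # already enrolled: never silently rebind
        return False
    if acct.enroll_deadline is None or now > acct.enroll_deadline:
        return False  # window never opened or has already expired
    acct.second_factor = factor
    return True

def login(acct: Account, password_ok: bool, factor: Optional[str], now: float) -> str:
    """password_ok is the result of the existing password check (done elsewhere)."""
    if not password_ok:
        return "denied"
    if acct.second_factor is not None:
        # Enrolled: the factor is now mandatory; a real user who never enrolled one notices here.
        if factor is not None and hmac.compare_digest(acct.second_factor, factor):
            return "ok"
        return "denied"
    if acct.enroll_deadline is None or now > acct.enroll_deadline:
        return "locked"  # window closed unenrolled: assumed policy is an operator reset
    return "enroll_required"  # trusted on first use: password admits, enrollment forced

def walkthrough() -> list:
    """The lifecycle from the post as a list of login outcomes (constructed sample)."""
    t0 = 1_700_000_000.0
    alice = Account("alice")
    send_enrollment_notice(alice, t0)
    out = [login(alice, True, None, t0 + 3600)]  # inside the window: enroll_required
    enroll(alice, "device-secret", t0 + 3600)
    out.append(login(alice, True, "device-secret", t0 + 7 * 86400))  # later: ok
    out.append(login(alice, True, None, t0 + 7 * 86400))  # no factor presented: denied
    bob = Account("bob")
    send_enrollment_notice(bob, t0)
    out.append(login(bob, True, None, t0 + 2 * 86400))  # missed the window: locked
    return out
```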

When your organisation rolls out multi-factor, it systematically reduces risk. Trust-On-First-Use itself is not higher risk than not using multi-factor at all. Use this approach to get MFA rolled out today.

Trust-On-First-Use is not appropriate for encryption (where a MITM attack can render it pointless), but I feel it works well for authentication of a person where you already have a single factor and your alternative is to continue to have only a single factor.

Every one of your users has a mobile device (trust me). All mobile devices support Web Push Notifications. You can use this, their browser and their device, as your 2nd factor. It costs you nothing, and the convenience for the user is high.