
Trust You? I Just Met You! How Trust-On-First-Use Can Increase Your Security


Multi-Factor Authentication. You know you need it. But you find the cost of rolling it out is too high. Specifically, the operational cost of enrolling those 2nd-factor devices, assigning them to users, resetting them when forgotten, etc. So you do nothing and do not reap the benefits. Is there an alternative?

Yes. We can instead employ a trade-off in security and cost called Trust On First Use. Imagine a user is sent an email: “Your account now has 2-Factor Authentication enabled. On your next login you will be forced to enroll”. We can reduce the risk by reducing the time window. Instead, that email might say: “You must log in in the next 24 hours and enroll”.

So the trade-off here is simple. We know multi-factor authentication dramatically reduces risk, permanently. What we are trading off is the risk that a bad actor is able to guess a password and log in during this time window. But if they do, the person whose account they are masquerading as will discover it, since they can no longer log in themselves (they don’t have the 2nd factor that was enrolled).

This can work for any type of 2nd factor. It can be a software application (Time-based One-Time Password, TOTP, like Authy, Google Authenticator, etc.). It can be a Universal 2nd Factor (U2F) device (like a YubiKey or Google Titan). It can be a push technology (Web Push Notification, SMS, a Messenger). The key here is that the user is presumed trusted the first time (for some time window). They self-enroll. This skips the steps of the IT team having to manage enrollment.
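To make the enrollment window concrete, here is an added example (not the post's own code) of the decision logic a login handler would run: a password-only login is trusted once, inside a 24-hour window measured from when the notification email was sent, solely to let the user self-enroll a TOTP authenticator; after that window, or once a secret is on file, the second factor is mandatory. The `User` record, the field name `mfa_notified_at`, and the outcome strings are assumptions for illustration; the TOTP code follows RFC 4226/6238 with the standard 6-digit, 30-second, SHA-1 parameters, and the enrollment step only commits the secret after the user proves their authenticator has it.

```python
"""TOFU-style MFA self-enrollment gate with TOTP (RFC 6238) verification.

Added example, not the post's own code. Assumes a 24-hour window counted from
the notification email (`mfa_notified_at`), 6-digit SHA-1 TOTP with a 30 s step,
and an in-memory `User` record; password checking is out of scope and passed in.
"""
import base64
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass
from typing import Optional

ENROLL_WINDOW_SECONDS = 24 * 60 * 60   # the "next 24 hours" window from the post
TOTP_STEP = 30
TOTP_DIGITS = 6


@dataclass
class User:
    username: str
    mfa_notified_at: Optional[float] = None   # epoch seconds when the enroll email went out
    totp_secret: Optional[bytes] = None       # set only after successful self-enrollment


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: float, step: int = TOTP_STEP) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, int(at // step))


def verify_totp(secret: bytes, code: str, at: float, skew: int = 1) -> bool:
    """Accept the current step plus/minus `skew` steps of clock drift; each
    candidate is compared in constant time."""
    counter = int(at // TOTP_STEP)
    for d in range(-skew, skew + 1):
        if counter + d >= 0 and hmac.compare_digest(hotp(secret, counter + d), code):
            return True
    return False


def in_window(user: User, now: float) -> bool:
    """True while the user is still inside the trust-on-first-use enrollment window."""
    return (user.mfa_notified_at is not None
            and 0 <= now - user.mfa_notified_at <= ENROLL_WINDOW_SECONDS)


def begin_enrollment(user: User, now: float) -> Optional[str]:
    """Issue a fresh 160-bit secret (base32, as shown in a provisioning QR code)
    if the user may still self-enroll; None otherwise."""
    if user.totp_secret is not None or not in_window(user, now):
        return None
    return base64.b32encode(secrets.token_bytes(20)).decode()


def complete_enrollment(user: User, b32_secret: str, code: str, now: float) -> bool:
    """Commit the secret only after the user proves their authenticator has it."""
    if user.totp_secret is not None or not in_window(user, now):
        return False
    secret = base64.b32decode(b32_secret)
    if not verify_totp(secret, code, now):
        return False
    user.totp_secret = secret
    return True


def authenticator_code(b32_secret: str, now: float) -> str:
    """What the user's authenticator app would display for this secret right now."""
    return totp(base64.b32decode(b32_secret), now)


def login(user: User, password_ok: bool, now: float, code: Optional[str] = None) -> str:
    """Outcome of a login attempt:
    'denied'          - wrong password
    'ok'              - password plus a valid second factor
    'mfa_required'    - enrolled user must present a TOTP code
    'enroll_required' - TOFU: the password alone is trusted this once, enroll now
    'window_expired'  - never enrolled and the window has passed; needs a help-desk reset
    """
    if not password_ok:
        return "denied"
    if user.totp_secret is not None:
        if code is not None and verify_totp(user.totp_secret, code, now):
            return "ok"
        return "mfa_required"
    if in_window(user, now):
        return "enroll_required"
    return "window_expired"


if __name__ == "__main__":
    import time
    alice = User("alice", mfa_notified_at=time.time())   # constructed sample user
    print(login(alice, True, time.time()))                # enroll_required
    b32 = begin_enrollment(alice, time.time())
    complete_enrollment(alice, b32, authenticator_code(b32, time.time()), time.time())
    print(login(alice, True, time.time()))                # mfa_required
```

The `window_expired` outcome is where the trade-off ends: a user who never enrolled in time falls back to the help-desk reset the post is trying to avoid, so the window should be long enough for real users and short enough to bound the password-only exposure.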

When your organisation rolls out Multi-Factor, it systematically reduces risk. Trust-On-First-Use itself is not higher risk than not using multi-factor at all. Use this approach to get MFA rolled out today.

Trust-On-First-Use is not appropriate for encryption (where a MITM attack can render it pointless), but I feel it works well for authentication of a person where you already have a single factor and your alternative is to continue to have only a single factor.

Every one of your users has a mobile device (trust me). All mobile devices support Web Push Notifications. You can use this, their browser, their device, as your 2nd factor. It costs you nothing, and the convenience for the user is high.