Playing with more user-friendly methods for multi-factor authentication

https://news.ycombinator.com/rss Hits: 14
Summary

When I tell people I work on authentication software, I nearly always hear some version of the same story: I hate multifactor authentication. No, really. People hate this stuff. So I spend a lot of time thinking about how we can make MFA a better user experience. We don't always need MFA to be airtight, after all. Sometimes, the Google match-a-number MFA flow is good enough. I thought I'd share here my best ideas for the future of multi-factor authentication. Here they are.

The big blind

We like entropy in auth factors, so it's intuitive to start with a familiar example of randomness: playing cards. For example, Wikipedia says there are about 2.5 million unique poker hands. That makes poker hands a compelling secondary authentication factor. Here's what a simple version of the UI could look like: challenge the user to pick exactly five cards from a set of 52. It's incredibly easy to remember your hand. Just ask any of your friends that play poker -- they can surely remember a bad beat. And it's pretty much impossible for an attacker to guess.

Cubes

This one's a bit tougher than poker, but it's much less risky. (I'm not sure how comfortable I am with just 2.5M possibilities.) Instead of having the user pick 5 cards from a deck of 52, we have the user scramble a digital Rubik's cube. Then, when the user logs back in, they just have to scramble the cube in exactly the same way. Easy. Here's what it'd look like: We can rest easy knowing that there are roughly 4.3 x 10^19 possible configurations of the cube.

The Shannon number

If we're looking for even more entropy in our auth factors, we could use chess games as an option. It's been estimated that there are 10^120 possible chess matches. That's a nice big number. Imagine this: when you set up your account, you play out a chess match. When you log back in, you play out the exact same chess match. It's like a second password! There's no chance anyone would ever guess your chess match correctly. It's clean and intuitive.
H...

First seen: 2025-07-29 18:42

Last seen: 2025-07-30 10:49