Who's using 2FA? Sweet FA. Less than 10% of Gmail users enable two-factor authentication

Lucky2BHere

The problem - at its very root - is 2FA or MFA just layers one bad method on top of another (as most stacks give the user options).

We're in the security business and know unequivocally: a) An authentication stack is only as good as the worst factor, b) PINs, passwords and legacy biometrics (fingerprint, 2D face, retina...) are either too easy to break, too intrusive or the ROI is far too low (ex: retina needs the right environment to work, takes too long and requires a device to be too close for daily comfort), and c) anything that takes antsy humans more than 4-5 seconds is not acceptable - and this is what we see *in practice*.

What is coming is smarter, faster AI-driven software-based biometrics that will allow us to be secure using one factor. For very-high-value transactions, though, additional verification is more than acceptable. Some friction in the process is okay (but not more than the magic 4-5 seconds!), and we actually expect friction if the stakes are higher (the effort must be worth the result). I'd be happy to spend another few seconds to make sure my $10K transfer was truly secure.

This is not a Google problem. It's an authentication technology problem.
