Intensity Analytics
MFA in law firms: Panacea or thief?

by Jonathan Nystrom

The past year has seen more cyberattacks on lawyers than ever before and the problem continues to get worse. More than 80% are the result of misused login credentials, i.e. usernames and passwords. Both Microsoft and Google say that implementing multifactor authentication (MFA) can reduce your risk by 99.9%, and many law firms have taken that message to heart by implementing MFA as part of their cybersecurity program. And it’s working! Microsoft reports 20 billion attacks daily but only about 1 million successful breaches each day. That’s still a spectacularly expensive proposition when you consider that the average law firm breach costs $133,000 and that last year 25% of all law firms encountered a breach.

MFA solutions – tokens, PIN codes, biometrics, and more recently authenticators on phone apps – are pretty inexpensive, with many starting at less than $5/user/month. We wondered how practicing lawyers feel about using these technologies in their day-to-day lives. Certainly, many are grateful for the added protection that supports their ethical duty of care, protects client information, and keeps secrets hidden on a PC or a network… well… secret.

But there is a catch. A prominent technologically sophisticated partner at an NLJ firm told us “this f’ing MFA ensures that I start every day working from home in a bad mood, usually late for my first Zoom call because I can’t get the damn code entered fast enough.” An associate in a mid-sized firm in the Midwest said, “I don’t mind it, but I do usually spend 3-5 minutes going through the MFA process before I am focused and back at work. And every now and then, it’s a substantial waste of time.” And those stories are not unique: dozens of attorneys told us they wish MFA were easier and took up less time.

Let’s look at the numbers: With a billable rate of $300/hour, a professional’s time is valued at $5/minute. If the login process consumes just 3 minutes a day, that’s a cost of $3,600 per lawyer per year. In a 100-attorney firm, that’s a staggering $360,000 missing from the drawer when it’s time to divvy up compensation at the end of the year!

Now let’s look at some additional hidden costs. If cumbersome MFA leads to password resets, or you’ve simply misplaced your iPhone at the moment you need to log in, it can multiply the time lost and consume 20-30 minutes in a given day, not to mention the IT staff time spent managing and administering the system. In addition, the opportunity cost from a lack of availability or responsiveness can be incalculable in a world where decisions are made in seconds and the “always on” internet has created client expectations of nearly instant access to counsel on demand.

So, what can a firm do about it?

The answer starts with re-thinking how MFA is implemented. MFA started as 2FA (2-factor authentication) on the premise that a password protects access only while it is kept secret, and that if a bad actor learns it, the likelihood of that bad actor also having the 2nd step is lower. What kind of second step? It could be something you are (your face, fingerprint, retina) or something you know (answer to a question, a PIN code). The premise was that it is – by design – a second step.

What if MFA could be performed WITHOUT a second step? When you enter your password, your regular authentication confirms that it was the right characters typed in the right sequence. But then, with no change whatsoever in your login process, a second piece of software analyzes in super slow motion the physical movement associated with HOW that password was typed. As it turns out, at that level every individual’s subconscious behavior is as unique as a fingerprint (based on the results of an academic study). And the check is performed in real time, with no delay.

This technology – to recognize who you are based solely on how you type – has eluded researchers, engineers, and scientists for decades. Today, it is available as a plug-and-play solution anywhere passwords sit. Best of all, it can usually be implemented in front of the current authorization scheme so that users who successfully authenticate themselves based on how they type their password can skip subsequent time-consuming MFA steps. This means that roughly 95% of the costs identified above will be eliminated, saving our hypothetical firm $3,420 per lawyer per year.
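As an added illustration of the check described above (this is not Intensity Analytics’ product code, which the post does not show), the following example compares the rhythm of a password entry against an enrolled typing profile: per-key hold (dwell) times and between-key (flight) times from a few enrollment typings form a profile, a login whose timing matches the profile may skip the step-up MFA prompt, and a mismatch falls through to the firm’s normal MFA step. All timing data, the password, and the threshold are constructed for the example.

```python
"""Keystroke-dynamics check: decide from HOW a password was typed whether a
step-up MFA prompt can be skipped. All samples below are constructed data."""
from statistics import mean, pstdev

# One typing sample: (key, press_ms, release_ms) per key, in typed order.
Sample = list[tuple[str, float, float]]
Template = list[tuple[float, float]]  # per-feature (mean, std)

def features(sample: Sample) -> list[float]:
    """Dwell time per key (hold duration) followed by flight time between keys."""
    dwell = [r - p for _, p, r in sample]
    flight = [sample[i + 1][1] - sample[i][2] for i in range(len(sample) - 1)]
    return dwell + flight

def enroll(samples: list[Sample]) -> Template:
    """Per-feature (mean, std) profile from several enrollment typings."""
    cols = list(zip(*(features(s) for s in samples)))
    # Floor the std (assumed 5 ms) so one very consistent feature cannot dominate.
    return [(mean(c), max(pstdev(c), 5.0)) for c in cols]

def score(template: Template, sample: Sample) -> float:
    """Mean absolute z-score of a login against the profile (lower = closer)."""
    z = [abs(x - m) / s for x, (m, s) in zip(features(sample), template)]
    return sum(z) / len(z)

def skip_mfa(template: Template, sample: Sample, threshold: float = 1.5) -> bool:
    """True only when the typing rhythm matches the enrolled profile; otherwise
    the login continues to the firm's regular MFA step. Threshold is assumed."""
    return score(template, sample) <= threshold

def make_sample(keys: str, dwell_ms: list[float], flight_ms: list[float]) -> Sample:
    """Build a sample from per-key hold times and inter-key gaps (constructed)."""
    sample, t = [], 0.0
    for i, k in enumerate(keys):
        sample.append((k, t, t + dwell_ms[i]))
        t += dwell_ms[i] + (flight_ms[i] if i < len(flight_ms) else 0.0)
    return sample

PASSWORD = "s3cret"  # constructed; 6 keys -> 6 dwell + 5 flight features
OWNER_ENROLL = [
    make_sample(PASSWORD, [92, 88, 95, 90, 87, 93], [110, 125, 118, 130, 115]),
    make_sample(PASSWORD, [90, 91, 93, 88, 90, 95], [115, 120, 122, 126, 112]),
    make_sample(PASSWORD, [94, 86, 96, 92, 85, 91], [108, 128, 116, 134, 118]),
]
TEMPLATE = enroll(OWNER_ENROLL)
OWNER_LOGIN = make_sample(PASSWORD, [91, 89, 94, 91, 88, 92], [112, 124, 119, 129, 116])
# Correct password, unfamiliar rhythm: this login keeps the normal MFA step.
OTHER_LOGIN = make_sample(PASSWORD, [60, 65, 58, 62, 70, 61], [240, 260, 230, 255, 245])
```

In a real deployment the profile would be stored per user and updated over time, and the threshold tuned against the firm’s own false-accept and false-reject rates.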

What could your firm do with that money?

To learn more, visit tickstream.com/forlawyers


Copyright © 2024, Intensity Analytics Corporation. All Rights Reserved.