By Marcin Szary, CTO and co-founder, Secfense
The American Login.gov service, the UK National Health Service Login application, the Czech DNS registry, the Swedish educational system eduID: these are just a few of the many government applications from around the world whose security is now protected by Multi-Factor Authentication (MFA). More and more heads of state, including the president of the United States, Joe Biden, are calling for the implementation of MFA. Will this step protect countries from cybercriminals?
The popularity of MFA, i.e. the use of an additional component when logging in to an application (a one-time code, a cryptographic U2F key, or another form of additional authentication), is growing noticeably. Cybercriminals don’t waste their time, and the rapid digitalization of everyday life only makes things easier for them. We buy online more and more often, so the number of online transactions keeps growing. Enterprises are investing in cloud technologies, and businesses are moving into the virtual world. This emboldens cybercriminals, which in turn pushes governments to introduce stricter and stronger cybersecurity regulations. Today, protection against cyberattacks is not an optional extra, but simply a necessity.
How does this relate to MFA? Well, multi-factor authentication ensures that the person sitting on the other side of the monitor is exactly who they say they are. By implementing MFA, organizations can secure their data so it cannot be accessed by any bad actor who has stolen logins and passwords. The technology giants have known about it for years.
Recent research shows that the global size of the MFA market will grow from USD 11.1 billion in 2021 to USD 23.5 billion by the end of 2026. Many companies, however, had already recognized the pressing need for organization-wide MFA adoption. Facebook, Google, and Twitter were the first to implement this technology. Others, such as CA Technologies, Vasco Data Security International, RSA Security LLC, and Symantec Corporation, anticipating the growth of the market, began large investments in research and development in this area as early as 2016.
My way or the highway
There is no need to convince anyone of the effectiveness of MFA, as the technology giants have already battle-tested it. Google has kept 85K employees from getting phished since 2017. A recent declaration that MFA is a ‘must have’ comes from Mark Risher, Sr Director of Product Management at Google. On May 6, 2021, he informed the media that Google account holders will soon be required to use multi-factor authentication if they still want to use the company’s services.
And this is no surprise, because today no company network is a secure castle that outsiders cannot enter. On the contrary: the growing number of applications in the cloud, and working from home and from unsecured networks, mean that every person who appears on our network must be treated as a potential intruder. This approach is called the zero trust security model, where the key to effective data protection is making sure we know who the person sitting on the other side of the screen is. Without this certainty, no security measure is effective.
A Google study found that simply adding a recovery phone number to an account prevents nearly 100% of automated bot attacks, 99% of mass phishing attacks, and 66% of targeted attacks.
Too expensive, too hard
So why is MFA – considered by experts to be one of the most effective methods of protecting the user against identity theft – only used on a handful of applications and not organization-wide?
The main problem with the widespread adoption of MFA in public organizations and institutions is complexity and cost. Implementing multi-factor authentication throughout an entire organization requires a lot of capital and time. Highly heterogeneous IT environments, for which it is difficult to find tools that fit, are another major obstacle.
One approach is the user access security broker, which simply adds MFA as a layer between the user and the application. The security broker is placed as an intermediary that blends into the application, giving full control not only over the authentication phase but over the entire user session. Importantly, this requires no programming work on the application itself. It frees organizations from vendor lock-in and lets them take advantage of any MFA method, including the latest and safest authentication standards, such as FIDO2.
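As an added illustration (example code, not Secfense's product) of the broker pattern described above: a minimal WSGI wrapper that sits in front of an unmodified application and lets a request through only when it carries a session token the broker minted after verifying the second factor, re-checking that token on every request. The token format, secret, cookie name and redirect path are assumptions for this example, and the actual second-factor check (e.g. FIDO2) is left out.

```python
import hashlib, hmac, time
SECRET = b"constructed-broker-secret"   # hypothetical; a real broker loads it from a secret store
SESSION_TTL = 900                       # seconds; expiry is re-checked on every request

def _sign(payload):
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()

def issue_session(user, now=None):
    # Minted by the broker only after the second factor (e.g. a FIDO2 key) has been verified.
    payload = f"{user}:{int(now or time.time()) + SESSION_TTL}"
    return f"{payload}:{_sign(payload)}"

def verify_session(token, now=None):
    # Returns the user for an authentic, unexpired token; None for anything else.
    try:
        user, exp, sig = token.rsplit(":", 2)
        expires = int(exp)
    except ValueError:
        return None
    if not hmac.compare_digest(sig, _sign(f"{user}:{exp}")):
        return None
    return user if expires > (now or time.time()) else None

def _cookie_token(environ):
    for part in environ.get("HTTP_COOKIE", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "broker_session":
            return value

def broker(upstream_app):
    # WSGI wrapper: every request to the unchanged app is gated on an MFA-bound session, not just login.
    def app(environ, start_response):
        user = verify_session(_cookie_token(environ) or "")
        if user is None:   # no proof of MFA: the broker intercepts with its own challenge page
            start_response("302 Found", [("Location", "/broker/mfa")])
            return [b""]
        environ["broker.user"] = user   # verified identity handed to the app out of band
        return upstream_app(environ, start_response)
    return app

def legacy_app(environ, start_response):
    # Stand-in for the protected application; it contains no MFA code of its own.
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"hello {environ['broker.user']}".encode()]

def run(app, cookie=None):
    # Drives a WSGI app with a constructed environ and returns (status, body).
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/",
               "HTTP_COOKIE": f"broker_session={cookie}" if cookie else ""}
    status = []
    body = b"".join(app(environ, lambda s, h: status.append(s)))
    return status[0], body
```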
The example comes from above
Because MFA is a method that effectively protects organizations against phishing and credential theft, governments of many countries around the world have also become interested in adopting it.
A few months ago, on May 12, 2021, there was big news in the cybersecurity world: president Joe Biden signed an executive order to improve the nation’s cybersecurity. The order called for the implementation of two-factor authentication (2FA) across the entire government within 180 days. And at September’s Authenticate Virtual Summit, users, experts, and vendors from around the world presented many case studies of how strong authentication helps secure online identities. Participants, including representatives from the UK’s National Health Service (NHS), the US login.gov service, and the Internal Revenue Service (IRS), agreed that authentication and protection of digital identities is a top priority today and in the future.
2021 has shown that the way world governments think about MFA is fundamentally changing. The role of FIDO2, a global, open authentication standard developed by the FIDO consortium and then approved by the W3C (World Wide Web Consortium), is growing rapidly. It seems that FIDO2 authentication is no longer just yet another authentication option but it is becoming the preferred choice of many government institutions as well as private organizations.
How does it look in practice? For example, the governmental Canadian Digital Service has implemented hardware security keys that support all FIDO2-based methods. Authentication with them is very simple: when logging in, e.g. to email, you enter your password and then additionally authenticate by inserting the security key into a USB port and pressing its button. In the case of CZ.NIC, the Czech DNS registry, whose mojeID service is accredited as a national digital identity provider and under eIDAS, 800,000 users have been able to log in to government services with FIDO2 since September 2021. In Sweden, a digital identity system has been implemented in the educational eduID portal with support for authentication using the FIDO Universal Second Factor (U2F) protocol.
In the USA, the American Login.gov service is based on the FIDO2 standard as well, and in the United Kingdom, the UK National Health Service Login application uses biometrics. Similar practices are followed by the Korean government, with fingerprint biometrics as the second factor for 14 million users, and Thailand has a dedicated website that helps organizations set up multi-factor authentication using FIDO technology.
Overall, the move of governments towards MFA as a scalable and cost-effective form of strong authentication is perfectly understandable. Countries’ constant exposure to frequent cyberattacks, together with growing pressure to widen access to public information and to act faster, especially in times of a pandemic, simply forces governments and public organizations to take steps that ensure sensitive data is protected with the strongest possible measures.
Hopefully, public officials and decision-makers will aim for organization-wide adoption of MFA rather than securing only a fraction of government infrastructure with it. Only this global approach, combined with the introduction of the zero-trust security model, has a chance to solve the problems of identity theft and data leaks.
Marcin Szary is a co-founder and CTO of Secfense, responsible for its architecture and product development. Marcin has almost 20 years of technical experience with a focus on the security and identity management space. Before Secfense he held the position of CTO in multiple startups in the mobile, telecom, and security space, where he was responsible for R&D operations in the areas of multi-factor authentication, mobile payments, notification services within GSM networks, and more.