The number of governments that introduce Multi-Factor Authentication to protect sensitive data is growing rapidly.
Governments introduce Multi-Factor Authentication
The American Login.gov service, the UK National Health Service Login app, the Czech DNS registry, the Swedish educational system eduID: these are just a few of the many government applications from around the world that are now protected by Multi-Factor Authentication (MFA). State leaders, including the president of the United States Joe Biden, are calling for the implementation of MFA. Will this step protect countries from cybercriminals?
The popularity of MFA, i.e. the use of an additional component when logging into an application (a one-time code, a cryptographic U2F/FIDO2 key, or another form of additional authentication), is growing noticeably. The rapid digitization and digital transformation of everyday life only make things easier for cybercriminals, who keep finding faster ways to compromise passwords.
We buy online more often than ever, and the number of online transactions grows rapidly every year. Enterprises are investing in cloud technologies and businesses are moving to the virtual world. This emboldens cybercriminals, which in turn pushes governments to introduce stricter and stronger cybersecurity regulations.
Today, protection against cyberattacks is no longer an optional extra but simply a necessity.
Confirming identity with MFA
Multi-factor authentication ensures that the person sitting on the other side of the monitor is exactly who they say they are. By implementing MFA, organizations secure their data so that it cannot be accessed by a bad actor armed with stolen credentials. The technology giants have known this for years; now public and private organizations are following in the footsteps of the big tech early adopters.
Global adoption of Multi-Factor Authentication
Recent research shows that the global size of the MFA market will grow from USD 11.1 billion in 2021 to USD 23.5 billion by the end of 2026. Many companies recognized the pressing need for MFA adoption across their organizations long before that. Facebook, Google, and Twitter were the first to implement this technology. Other companies, such as CA Technologies, Vasco Data Security International, RSA Security LLC, and Symantec Corporation, anticipating the growth of the market, began investing heavily in research and development in this area as early as 2016.
MFA obligatory for Google applications users
MFA has been battle-tested by the technology giants many times in the past. Google has kept its 85K employees from getting phished since 2017. A recent declaration that MFA is a ‘must have’ comes from Mark Risher, Sr Director of Product Management at Google. On May 6, 2021, he informed the media that Google account holders will be required to use multi-factor authentication if they still want to use the company’s services.
– Company networks are no longer secure castles that cannot be accessed by outsiders. On the contrary – the growing number of cloud applications and the work-from-home phenomenon mean that every person who appears in our network must be treated as an intruder. This approach is called the zero trust security model – explains Marcin Szary, CTO & co-founder of Secfense. – The key to effective data protection is to make sure we know who the person sitting on the other side of the screen is. Without this certainty, no security measures are effective. – Szary adds.
A Google study found that simply adding a recovery phone number to an account prevents nearly 100% of automated bot attacks, 99% of mass phishing attacks, and 66% of targeted attacks.
MFA adoption challenges
So why is MFA – considered by experts to be one of the most effective methods of protecting users against identity theft – still used on only a handful of applications rather than organization-wide?
The main problem with the widespread adoption of MFA in public organizations and institutions is the complexity and cost of implementation. Rolling out multi-factor authentication throughout an entire organization usually requires a lot of capital and time. Highly heterogeneous IT environments, for which it is difficult to find matching tools, are another major obstacle.
– One of the approaches to MFA implementation is the user access security broker approach. It simply adds MFA between the application and the user. The security broker is placed as an intermediary layer that blends into the application, giving full control not only over the authentication phase but over the entire user session. Importantly, such action does not require any programming work. It frees organizations from vendor lock-in, and lets them take advantage of any MFA method, including the latest and safest authentication standards, such as FIDO2 – says Marcin Szary, co-founder & CTO at Secfense.
State leaders impose the use of MFA
Because MFA effectively protects organizations against phishing and credential theft, the governments of many countries around the world have also become interested in adopting it.
On May 12, 2021, there was big news in the cybersecurity world – president Joe Biden signed an executive order to improve the nation’s cybersecurity. The order called for the implementation of two-factor authentication (2FA) across the entire government within 180 days. And at September’s Authenticate Virtual Summit, users, experts, and vendors from around the world presented many case studies of how strong authentication helps secure online identities. Participants, including representatives from the UK’s National Health Service (NHS), the US’s login.gov, and the Internal Revenue Service (IRS), agreed that the authentication and protection of digital identities are a top priority today and in the future.
– When we talk about zero trust security, we mean an architecture in which people and their devices are not ‘trusted’ just because they are in the organization’s network – adds Marcin Szary. – You have to remember that a large number of attacks take place from within the organization’s network. The fact that more and more governments are taking care of the global adoption of multi-factor authentication is not surprising but rather a natural trend or simply a necessity.
2021 has shown that the way world governments think about MFA is fundamentally changing. The role of FIDO2, a global, open authentication standard developed by the FIDO consortium and then approved by the W3C (World Wide Web Consortium), is growing rapidly.
– FIDO2 authentication is no longer yet another authentication option – continues Marcin Szary from Secfense. – It is becoming the preferred choice of many government institutions as well as private organizations.
How does it look in practice? For example, the governmental Canadian Digital Service has implemented hardware security keys that support all FIDO2-based methods. The authentication process with FIDO2 is very simple – when logging in, e.g. to your email, you enter your password and additionally authenticate by inserting the security key into a USB port and pressing a button. In the case of CZ.NIC, the Czech DNS registry, which is also accredited as a national digital identity provider (mojeID) under eIDAS, 800,000 users have been able to log in to government services with FIDO2 since September 2021. In Sweden, a digital identity system has been implemented in the educational eduID portal with support for authentication using the FIDO Universal Second Factor (U2F) protocol.
– In the USA, the American Login.gov service is based on the FIDO2 standard, and in the United Kingdom the UK National Health Service Login application uses biometric authentication – adds Marcin Szary. – Similar practices are followed by the South Korean government – a second component, fingerprint recognition, for 14 million users – and by Thailand, which has a dedicated website that helps organizations set up multi-factor authentication using FIDO technology.
The government’s move towards MFA
Overall, the government’s move towards MFA as a scalable and cost-effective form of strong authentication is perfectly understandable. The constant exposure of countries to frequent cyberattacks, together with the growing pressure to widen access to public information and to act faster, especially in times of a pandemic, simply forces governments and public organizations to take steps that ensure sensitive data is protected with the strongest possible measures.
Hopefully, public officials and decision-makers will take into account the global adoption of MFA and secure not only a handful of apps with MFA but the whole government infrastructure. Only the global approach and the introduction of the zero trust security model have a chance of solving the problems of identity theft and data leaks.