By Government CIO Outlook | Wednesday, June 01, 2022
Phishing is on the rise for one simple reason: it is a relatively inexpensive and effective attack that places the onus of security on the end-user.
FREMONT, CA: Many users reuse passwords; once they are compromised, they can be used to breach other systems and circumvent traditional network security measures. As the frequency of such authentication-based cyberattacks increases, governments worldwide are pursuing policies to encourage the adoption of multi-factor authentication (MFA) solutions that can prevent password-based attacks and better protect critical data and systems.
Governments can best protect critical assets in cyberspace by adhering to six key authentication policy principles:
First, have a strategy in place to handle authentication.
While strong authentication is only one component of a comprehensive cyber risk management strategy, any cyber program that lacks it is severely deficient.
Recognize the boundaries of shared secrets in terms of security.
Policymakers should be aware of the drawbacks of first-generation MFA technologies that rely on shared secrets, such as OTPs, and seek to encourage the adoption of more secure alternatives, such as FIDO authentication standards, which use public-key cryptography and keep keys on the user's device, which they never leave.
Ensure that authentication solutions are mobile-friendly.
As mobile transaction usage increases, any policy that does not optimize the use of MFA in the mobile environment will fail to adequately protect transactions conducted in that environment.
Focus on standards and outcomes rather than any single technology or solution.
Authentication is experiencing a surge of innovation, and new, improved technologies will continue to emerge. As a result, governments should prioritize a principles-based approach to authentication policy that allows for the use of new technologies.
Choose authentication solutions that are simple to use to encourage widespread adoption.
Users are frustrated by poor usability, which prevents widespread adoption. Next-generation MFA solutions significantly reduce "user friction" while increasing security.
Policymakers should look for ways to incentivize the use of next-generation MFA that addresses both security and user experience.
Recognize that the old barriers to strong authentication no longer exist.
For example, cost was previously one of the most significant barriers to MFA adoption; few organizations could afford to implement first-generation MFA technologies. Today, dozens of companies offer next-generation authentication solutions that are more secure than passwords, easier to use, and less expensive to deploy and manage.
By adhering to these six principles, governments can lay the groundwork for MFA policies that improve our collective cyber security and help to ensure greater privacy and trust online.