In 2015, myGov was caught in a bit of a security snafu when it encouraged users to turn off two-factor authentication so that users ‘can spend more time doing the important things’.
After tweeting that users out of mobile range should turn off myGov Security Codes, Twitter followers pointed out that downgrading security precisely when users are in vulnerable places (e.g. on public Wi-Fi in a café) defeats the purpose of adding extra layers of security.
myGov defended the tweet by stating that users “still need to securely sign in with secret questions & answers”, but according to the UK tech publication Ars Technica, requesting additional information is still not an adequate replacement for two-factor authentication.
So is two-factor authentication the answer to digital government’s security woes?
Let’s take a look at what two-factor authentication is and why it may be seen as a good option to secure your digital services.
What is two-factor authentication?
A few weeks ago the GovInnovate team looked into digital identity and the DTO’s Trusted Digital Identity Framework, and we asked one simple question: is it easy for people to prove who they are when using digital government services?
Any Tom, Joe or Harry could easily access someone’s personal information if they got hold of a login and password that was linked to other government services. So how can you make sure the person logging in with a username and password really is the person associated with that set of digital information?
Two-factor authentication is a method of confirming a user’s identity by combining two different components, and according to many security aficionados, it’s the way to go for secure services.
Otherwise known as 2FA, two-factor authentication is a kind of multi-factor authentication that requires the user to confirm their identity with two of the following: something they know (i.e. a password or secret question), something they have (i.e. a phone or token) or something they are (i.e. a fingerprint).
If you’re new to the idea, there is still a high possibility you’ve experienced 2FA in your everyday life. For example, you’re trying to transfer funds online and the bank prompts you for a passcode that has been sent to your mobile phone. Only the holder of that mobile phone will receive the passcode, and if the bank has done its security checks during enrolment, it would be nearly impossible for anyone other than you to access your online account with 2FA.
There are a range of different methods used to ensure your user is who they purport to be:
Time synced and token-based
Users are provided with a physical token that displays a code on its screen; the code is only valid for a short, fixed period of time. The server needs to verify that the login details and the number displayed on the token all match before access is granted.
Certificate-based smart card login
A user is issued a physical object such as a smart card that has a private key stored on it. When prompted to log in, the user is required to enter their username and password as well as prove possession of the card by answering an authentication challenge with the private key.
SMS-based one time authentication
This is becoming a very popular authentication method given the high use rates of smartphones. In this instance the smartphone is used as an inexpensive second factor: a one-time, time-limited additional password or PIN is sent to the user’s mobile phone and must be entered after the username and password.
Biometric
This mechanism requires the user to log in with a username and password as well as presenting a biometric such as a fingerprint or a facial recognition scan.
Software-based certificate
A software-based certificate is stored in the registry and requires a PIN or password to be unlocked. Consider this a software version of certificate-based smart cards.
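The time-synced token method described above is the one most often seen in authenticator apps and hardware tokens. As an added example (not code from the original article or from myGov), here is how it works end to end: token and server share a secret, the token displays HMAC-based code for the current 30-second step (RFC 6238 TOTP), and the server combines that "something you have" check with the "something you know" password check. The secret used is the RFC 4226/6238 reference test key and the user account is constructed for the demo; the accept window, single-use rule and generic "denied" result are the usual defender-side caveats when implementing this yourself.

```python
import hashlib
import hmac
import os
import struct

# Assumption: the RFC 4226 / RFC 6238 reference test key, used here as a
# constructed demo secret so the codes can be checked against the RFCs.
DEMO_SECRET = b"12345678901234567890"
STEP_SECONDS = 30    # token and server agree on a 30-second time step
DIGITS = 6           # six-digit code, as on most hardware tokens and apps
PBKDF2_ROUNDS = 100_000


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a 31-bit integer, reduced to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS,
         digits: int = DIGITS) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the time step.
    This is the number a time-synced token or authenticator app displays."""
    return hotp(secret, unix_time // step, digits)


def totp_match(secret: bytes, submitted: str, unix_time: int,
               window: int = 1, step: int = STEP_SECONDS,
               digits: int = DIGITS):
    """Server-side check. Returns the matched time-step counter, or None.
    A window of +-1 step tolerates small clock drift between token and
    server; compare_digest avoids leaking which digits differed via timing."""
    counter = unix_time // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta, digits), submitted):
            return counter + delta
    return None


class User:
    """Constructed in-memory account record; a real service would keep this
    in a database with the TOTP secret encrypted at rest."""

    def __init__(self, username: str, password: str, totp_secret: bytes):
        self.username = username
        self.salt = os.urandom(16)
        self.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                           self.salt, PBKDF2_ROUNDS)
        self.totp_secret = totp_secret
        # Highest counter already accepted. A code is single-use, so one
        # that was observed in transit cannot be replayed inside the window.
        self.last_used_counter = -1


def login(user: User, password: str, code: str, unix_time: int) -> str:
    """Two-factor login: something you know (password) AND something you
    have (the token that produced `code`). Both factors are always
    evaluated and one generic result is returned, so a failed attempt does
    not reveal which factor was wrong."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    user.salt, PBKDF2_ROUNDS)
    password_ok = hmac.compare_digest(candidate, user.pw_hash)

    matched = totp_match(user.totp_secret, code, unix_time)
    token_ok = matched is not None and matched > user.last_used_counter

    if password_ok and token_ok:
        user.last_used_counter = matched
        return "ok"
    return "denied"


if __name__ == "__main__":
    alice = User("alice", "correct horse battery staple", DEMO_SECRET)
    now = 59  # fixed clock so the code matches the RFC 6238 test vector
    code = totp(DEMO_SECRET, now)  # what the token shows at this time: 287082
    print(login(alice, "correct horse battery staple", code, now))  # ok
    print(login(alice, "correct horse battery staple", code, now))  # denied (replay)
```

The `window` argument is the usual trade-off: a wider window absorbs more clock drift on the token but also lengthens the period in which an intercepted code is useful, which is why the `last_used_counter` rule matters regardless of window size.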
So now that we know about the different kinds of multi-factor authentication methods, let’s take a look at how they can specifically help the public sector in securing digital services.
Why is it so suitable for digital government services?
Agency after agency has heralded multi-factor authentication as one of the most effective controls that can be implemented to prevent cyber intrusions.
We touched on it above with the example of transferring money online, but let’s delve a bit deeper into the logic behind it.
Firstly, if you go by the idea that data is the new gold, then it’s fair to say that cyber adversaries will be seeking to steal as much information as they can. This includes user credentials such as usernames and passwords (remember the infamous Ashley Madison data breach), but when it comes to information stored within public sector registries, it’s especially important that the proper security measures are put in place to prevent intrusions.
When multi-factor authentication is implemented properly, a stolen password alone is no longer enough, which makes it incredibly hard for malicious actors to misuse credentials. After all, it would be nearly impossible to replicate someone’s fingerprint to obtain access to their personal account.
The Victorian Government CIO Council developed a whitepaper titled Strength of Authentication Mechanism that states that, at minimum, two-factor authentication should be required before users can access government infrastructure.
In fact, the paper recommends going even further than implementing one mechanism for two-factor authentication and states that an amalgam should be used consisting of user IDs and passwords, hardware tokens and one-time passwords via mobile phones to ensure the right security measures are met.
Are there any alternatives?
Singapore has led the globe when it comes to smart nations, and it seems as though they are now taking strides in the digital identity space too.
Earlier this year, Singapore’s minister in charge of the Smart Nation initiative, Dr Vivian Balakrishnan, revealed in a speech that he wants to move beyond the current two-factor authentication process to some form of public key infrastructure.
And in the US, any service provider that uses SMS-based one-time authentication may need to rethink its strategy and move to something more secure, in an effort to combat number spoofing.
It’s expected that SMS authentication in the US will be replaced by more secure methods such as delivering a one-time password via push notification through a secure app, which may mean that government services end up looking like the Victorian Government’s recommendation to combine several different methods.
There is no doubt that as technology makes it easier for people to pump personal information ‘into the grid’, we’ll need secure measures of making sure cyber intrusions don’t occur. For now our most secure way is to start with two-factor authentication and then to assess where technology is taking us from there.
Hopefully Australia will be able to learn from innovation in Singapore and the US, but only time will tell if this will occur.