Public sector organisations shouldn’t rely on mobile-based authentication


It is crucial that effective measures are put in place to counter modern cyber threats, rather than relying on passwords and mobile-based authentication

Cyberattacks against the public sector are on the rise, with education and healthcare organisations, government agencies and critical national infrastructure all being targeted on a frequent basis.

Cybercriminals know that downtime or a data breach causes huge disruption for these organisations, and therefore continue to exploit weaknesses in their online infrastructure. This, in turn, interrupts vital services, exposes sensitive data and provides a channel for spreading misinformation.

Many organisations are overly dependent on the use of outdated methods

When it comes to mitigating these attacks, more effective measures must be put in place to counter the strength of modern cyber threats. Much of the difficulty in maintaining effective cybersecurity across the public sector lies in making internal login methods as secure as possible, because many organisations remain overly dependent on outdated methods: usernames and passwords, and mobile-based authentication.

While mobile devices offer numerous benefits, including ease of access, convenience and a sense of security, they are also easy to break, lose or steal, and therefore open organisations up to numerous cybersecurity risks.

Nevertheless, countless companies use a combination of passwords and mobile devices to authenticate access to their internal data. This, along with poor cyber hygiene by staff, leaves them vulnerable to cyberattacks and increases the chance of significant data breaches.

The problem with mobile-based authentication

In addition to being easily lost, damaged or stolen, mobile devices can run out of battery, rendering them useless at the moment someone needs to authenticate. They are also of limited use as authentication methods in locations with poor mobile coverage or where phones are not permitted for security reasons, such as secure facilities. In these cases, users whose only second factor is a mobile device cannot access their accounts at all.

But even in the right environments, mobile devices are not as secure as many would believe.

Indeed, our recent State of Global Enterprise Authentication Survey found that 66% of UK respondents believe usernames and passwords, mobile authenticator apps and SMS-based authentication are the most secure ways to log in.


However, from a cybersecurity perspective, passwords and mobile-based authentication methods, including SMS verification, one-time passwords (OTPs) and authenticator apps, are susceptible to many common attacks: phishing, man-in-the-middle (MitM) attacks, password spraying and SIM swapping. What these methods have in common is that the code or approval the user supplies is not tied to the site that requested it, so an attacker who tricks the user into entering it on a look-alike page can relay it to the real service in real time. Any of these attacks can hand an attacker a valid session, which is how many data breaches and ransomware incidents begin.


Improving cybersecurity methods

Our research also revealed that many organisations in the UK are using these outdated authentication methods: 53% of respondents rely on usernames and passwords as their primary way to log in at work, while 24% use SMS-based authentication, and 19% use mobile OTP or push authenticator apps.

Of course, using passwords with mobile authentication is still better than having no second factor at all, and not all forms of MFA are equal. However, these methods become even less resilient against modern threats when paired with poor cyber hygiene, so it is vital that organisations train their staff regularly on best-practice cybersecurity habits and explain how everyday behaviour can put the organisation at risk.


Currently, only 42% of respondents working in the UK are required to attend frequent cybersecurity training. This is concerning: employees are either the biggest strength or the biggest weakness in an organisation's cyber defences, yet they are not being adequately equipped. When asked about lapses in cyber hygiene over the last year, 49% of UK respondents had used work-issued devices for personal use, 47% admitted to writing down or sharing a password, 33% had allowed someone else to use their work-issued device and 31% had not reported a phishing attempt.

These and other poor cyber hygiene practices put work-issued devices – and ultimately the organisation itself – at significantly higher risk of being compromised by cybercriminals. With this in mind, upgrading authentication methods and training staff on cyber hygiene practices should be prioritised.

Towards a passwordless future

As part of ongoing digital transformation programmes, organisations are increasingly opting for more modern, robust and user-friendly forms of multi-factor authentication (MFA) and two-factor authentication (2FA). It is worth noting that MFA and 2FA come in several types, built from different factors: something the user knows (a password or PIN), something the user has (a mobile or hardware device) or something the user is (a biometric identifier). Some combinations are considerably more secure than others.

Overall, strong MFA solutions, such as hardware security keys, or a biometric such as a fingerprint used to unlock a credential bound to the user's device, remove the reliance on passwords and phones and let users access their accounts seamlessly with a phishing-resistant login. Although hardware security keys are among the phishing-resistant methods recommended by the National Cyber Security Centre (NCSC), only 11% of UK respondents currently use them.

Thanks to the FIDO protocols (FIDO2 and WebAuthn), security keys enable authentication without any password being entered at all. The key holds a separate credential for each site, and the browser binds every login to the origin of the page that requested it, so a credential registered with a legitimate service simply cannot be used from a look-alike phishing site. An increasing number of global organisations and technology companies, including Apple, Google, Microsoft and the US Government, have recognised this and adopted passwordless authentication themselves.
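To make the origin-binding point concrete, the following added example (written for this article, not Yubico's code or any FIDO library) models the three parties in a WebAuthn login: the authenticator, the browser, and the relying party (RP). It then replays the same real-time phishing attack against a FIDO credential and against a relayed six-digit OTP. The authenticator is simplified: a real security key signs with a per-site private key, whereas this model uses a per-site HMAC key so it runs on the Python standard library alone. The names (`portal.example`, `portal-example.invalid`) and the HMAC stand-in are assumptions; the structure of what is signed (rpIdHash plus the hash of clientDataJSON carrying the challenge and the browser-supplied origin) follows the WebAuthn specification.

```python
import hashlib
import hmac
import json
import os


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class Authenticator:
    """Stand-in for a FIDO security key (constructed for this example).
    Real keys hold an asymmetric key pair per relying party; an HMAC key
    per rpId is used here instead so the example needs no third-party library."""

    def __init__(self) -> None:
        self._creds: dict[str, tuple[bytes, bytes]] = {}  # rp_id -> (cred_id, key)

    def make_credential(self, rp_id: str) -> tuple[bytes, bytes]:
        cred_id, key = os.urandom(16), os.urandom(32)
        self._creds[rp_id] = (cred_id, key)
        return cred_id, key  # the RP stores `key` as the credential's verifier

    def get_assertion(self, rp_id: str, client_data_json: bytes):
        if rp_id not in self._creds:
            raise LookupError(f"no credential scoped to rpId {rp_id!r}")
        cred_id, key = self._creds[rp_id]
        # authenticatorData = rpIdHash (32) || flags (user present) || signCount (4)
        auth_data = sha256(rp_id.encode()) + b"\x01" + (1).to_bytes(4, "big")
        sig = hmac.new(key, auth_data + sha256(client_data_json), "sha256").digest()
        return cred_id, auth_data, sig


class Browser:
    """WebAuthn client: the browser, not the page, writes the origin into clientData
    and refuses an rpId that does not match the page's host."""

    def __init__(self, page_origin: str) -> None:
        self.origin = page_origin

    def get(self, auth: Authenticator, rp_id: str, challenge: bytes):
        host = self.origin.split("://", 1)[1]
        if not (host == rp_id or host.endswith("." + rp_id)):
            raise ValueError(f"rpId {rp_id!r} not valid for origin {self.origin!r}")
        cdj = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                          "origin": self.origin}).encode()
        cred_id, auth_data, sig = auth.get_assertion(rp_id, cdj)
        return cred_id, auth_data, cdj, sig


class RelyingParty:
    def __init__(self, rp_id: str, origin: str) -> None:
        self.rp_id, self.origin = rp_id, origin
        self.creds: dict[bytes, bytes] = {}
        self.pending: set[bytes] = set()  # outstanding single-use challenges

    def register(self, cred_id: bytes, key: bytes) -> None:
        self.creds[cred_id] = key

    def begin_login(self) -> bytes:
        challenge = os.urandom(32)
        self.pending.add(challenge)
        return challenge

    def finish_login(self, cred_id, auth_data, cdj, sig) -> bool:
        cd = json.loads(cdj)
        key = self.creds.get(cred_id)
        if key is None or cd.get("type") != "webauthn.get":
            return False
        challenge = bytes.fromhex(cd["challenge"])
        if challenge not in self.pending or cd.get("origin") != self.origin:
            return False  # replayed challenge, or assertion made on another site
        if auth_data[:32] != sha256(self.rp_id.encode()):
            return False  # credential scoped to a different rpId
        expected = hmac.new(key, auth_data + sha256(cdj), "sha256").digest()
        if not hmac.compare_digest(expected, sig):
            return False
        self.pending.discard(challenge)
        return True


def _setup():
    rp = RelyingParty("portal.example", "https://portal.example")
    key = Authenticator()
    rp.register(*key.make_credential(rp.rp_id))
    return rp, key


def legitimate_login() -> bool:
    rp, key = _setup()
    return rp.finish_login(*Browser(rp.origin).get(key, rp.rp_id, rp.begin_login()))


def phished_fido_login() -> bool:
    """Attacker proxies the real challenge to a look-alike page and the user taps the key.
    Whichever rpId the phishing page asks for, no usable assertion is produced."""
    rp, key = _setup()
    victim_browser = Browser("https://portal-example.invalid")  # constructed phishing origin
    challenge = rp.begin_login()  # relayed by the attacker from the real site
    for rp_id in (rp.rp_id, "portal-example.invalid"):
        try:
            return rp.finish_login(*victim_browser.get(key, rp_id, challenge))
        except (ValueError, LookupError):
            continue
    return False


def phished_otp_login() -> bool:
    """Same attack against an HMAC-based six-digit OTP: the code carries no origin, so the
    attacker relays what the victim typed into the phishing page and the real RP accepts it."""
    secret, counter = os.urandom(20), 7  # constructed shared secret and counter
    rp_verify = lambda code: hmac.compare_digest(
        code, hmac.new(secret, counter.to_bytes(8, "big"), "sha1").hexdigest()[:6])
    code_from_victims_app = hmac.new(secret, counter.to_bytes(8, "big"), "sha1").hexdigest()[:6]
    return rp_verify(code_from_victims_app)  # attacker submits the relayed code
```

Running `legitimate_login()` returns True, `phished_fido_login()` returns False, and `phished_otp_login()` returns True. The difference is not the strength of the cryptography but what gets signed: the FIDO assertion covers the site's identity and the origin the browser observed, so a credential for `portal.example` is never even offered to `portal-example.invalid`, while an OTP is just a short string the user can be persuaded to type anywhere.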

Public sector organisations should strive to make life simpler and safer for everyone

Instead of making staff solely responsible for following recommended cybersecurity practices, public sector organisations should strive to make life simpler and safer for everyone by implementing phishing-resistant passwordless solutions. As well as being far more robust than conventional methods, they are easy and convenient to use, which leads to a better user experience. Most importantly, implementing these solutions can substantially enhance an organisation's digital security.

Mobile devices have numerous benefits for users, but they were not designed as secure authenticators, so the perception that usernames and passwords combined with a mobile device add up to effective and secure authentication is incorrect and must change. Although implementing any form of change is not easy, protecting data and securing our most valuable information is a top priority, especially when it concerns critical public services.

By Niall McConachie, regional director (UK & Ireland) at Yubico
