On 7th June 2023 the Office of the Privacy Commissioner (OPC) released a statement stating that organisations holding personal digital information are expected to deploy two-factor authentication across the business. Deputy Privacy Commissioner Liz MacPherson was quoted as saying “If you are a small business that has a cyber-related privacy breach and don’t have at least two-factor authentication in place, expect to be found in breach of the Privacy Act.”
The New Zealand Privacy Act requires an organisation to take all reasonable steps to protect any personal data it holds. This OPC statement removes any doubt about the Commissioner’s expectations of what counts as a reasonable effort to protect such personal data. Because most government agencies and private businesses manage at least some personal data, we can assume that two-factor authentication is expected to be the de facto standard across New Zealand going forward.
All access to modern computer systems is granted through some form of digital identity, which determines what information the person may access. Establishing someone’s identity requires authentication. In general, there are three basic types of authentication factor: something you know, something you have, and something you are.
Examples of something you know include passwords, PINs and pattern locks (connect the dots). Examples of something you have include a USB token, a smartcard, a cell phone number, an RFID transmitter, or another form of dongle. Examples of something you are include biometrics, such as fingerprints, a retina scan or perhaps your smell.
When we talk about two-factor authentication (2FA), or multi-factor authentication (MFA), we are saying that single-factor authentication (1FA), which is commonly understood to mean password authentication, is insufficient to establish the digital identity of a user or staff member.
The OPC refers readers to CERT NZ for options for establishing two-factor authentication. What CERT NZ does not discuss in detail is the rising tide of MFA fraud that security researchers are observing in the field. Recent publications document over 150 different ways in which MFA can be fraudulently circumvented. Researchers are stressing the need to deploy phishing-resistant MFA when providing two-factor authentication.
Phishing-resistant MFA includes any solution that is compliant with NIST SP 800-63B AAL3. FIDO2 and passkeys are industry solutions that are emerging in 2023, with Google being the first of the “big three” to enable the technology for all Google Accounts (3rd May 2023). After more than a decade of research by the FIDO Alliance, Google rightly calls this “The beginning of the end of the password”.
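What makes FIDO2 phishing-resistant, where one-time codes are not, is that the browser (not the web page) records the origin it is actually talking to in the signed client data, and the relying party rejects any assertion whose origin or challenge does not match its own. The following Python is an added illustration of those relying-party checks and is not code from the original post, from OSS Group or from any FIDO library; the origin, the challenge values and the simulated browser output are constructed for the example, and the final step of verifying the authenticator’s signature over authenticatorData || SHA-256(clientDataJSON) is left out so the block runs with the standard library alone.

```python
"""Relying-party side of a WebAuthn (FIDO2) login ceremony, reduced to the
checks that give it phishing resistance: ceremony type, single-use challenge
and, above all, the origin recorded by the browser.  Added example with
constructed values; not the code of any real relying party or library."""
import base64
import hashlib
import json
import secrets

# Registered web origin of the relying party (assumed value for this example).
RP_ORIGIN = "https://accounts.example.co.nz"


def b64url(data: bytes) -> str:
    """WebAuthn uses unpadded base64url for the challenge field."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def new_challenge() -> bytes:
    """Server side: a fresh random challenge is issued per login attempt and
    must be consumed exactly once."""
    return secrets.token_bytes(32)


def browser_client_data(origin_seen_by_browser: str, challenge: bytes) -> bytes:
    """Simulated browser output.  The browser fills in 'origin' from the site
    it is connected to; page script cannot override it."""
    return json.dumps(
        {"type": "webauthn.get", "challenge": b64url(challenge),
         "origin": origin_seen_by_browser},
        separators=(",", ":"),
    ).encode()


def verify_client_data(client_data_json: bytes, expected_challenge: bytes,
                       expected_origin: str = RP_ORIGIN) -> tuple:
    """Relying-party checks on clientDataJSON.  Returns (ok, reason)."""
    try:
        client_data = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if not isinstance(client_data, dict):
        return False, "clientDataJSON is not a JSON object"
    if client_data.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    challenge = client_data.get("challenge")
    try:
        if not isinstance(challenge, str) or b64url_decode(challenge) != expected_challenge:
            return False, "challenge mismatch (stale or replayed assertion)"
    except ValueError:
        return False, "challenge is not valid base64url"
    # The origin check is the phishing-resistance property: an assertion
    # produced while the browser was on any other origin cannot pass here.
    if client_data.get("origin") != expected_origin:
        return False, "origin mismatch: %r" % client_data.get("origin")
    return True, "ok"


def signed_bytes(authenticator_data: bytes, client_data_json: bytes) -> bytes:
    """What the authenticator signs: the origin is bound in via the hash, so a
    valid signature cannot be combined with a different clientDataJSON."""
    return authenticator_data + hashlib.sha256(client_data_json).digest()


def demo() -> dict:
    """Three assertions against one server-issued challenge: a genuine login,
    one produced while the browser was on a look-alike origin, and one that
    carries a challenge from a different session."""
    challenge = new_challenge()
    genuine = browser_client_data(RP_ORIGIN, challenge)
    other_origin = browser_client_data("https://accounts-example.co.nz", challenge)
    other_session = browser_client_data(RP_ORIGIN, new_challenge())
    return {
        "genuine": verify_client_data(genuine, challenge)[0],
        "other_origin": verify_client_data(other_origin, challenge)[0],
        "other_session": verify_client_data(other_session, challenge)[0],
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The contrast with a one-time code is that an OTP verifier receives only the six digits and has no way to learn where the user typed them; the WebAuthn verifier receives the origin as part of the signed message, so the check above succeeds only for the genuine site.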
If you are looking for an assessment of your enterprise security posture or require help in securing your organisation’s digital identities via multi-factor authentication, please contact OSS Group via firstname.lastname@example.org.