Mandatory MFA across governments makes for maze of regulations

Passwordless authentication is an ongoing sparring match between the quest to simplify identity verification for logins and the punchback of regulation. In a presentation at Authenticate 2024, consultant Tola Dalton draws on his experience leading identity engineering for eBay and bringing multi-factor authentication (MFA) to millions of sellers in the EU and UK, to break down the global landscape of regulations mandating MFA, and how biometrics fit into the picture.
MFA can combine knowledge (password), possession (SMS code) and inherence (biometric) factors. Currently, big players deploying standard-issue MFA include Intuit, Amazon and Microsoft. But “current MFA heavily relies on SMS and other non-ideal factors,” Dalton says, noting that SMS is not just leaky on the security side, but also expensive: “you’re paying for every text you send.” Rolling out SMS-based one-time password (OTP) MFA to millions of users could cost millions of dollars.
Statistically, Dalton says, “MFA is a proven win for security.” That means governments have taken note and started enacting regulations mandating MFA. He points to Europe and the UK as leaders on MFA, with the introduction of the Revised Payment Services Directive (PSD2), which requires MFA when accessing a payment account or performing payment transactions.
In the U.S., there are NIST guidelines rather than mandates. There is the FTC Safeguards rule requiring workforce MFA for access to customer data. And all government agencies are legally required to implement MFA. Still, Dalton says, the situation is spottier than in the EU/UK.
Elsewhere is a patchwork: Singapore has something similar to PSD2, and select institutions in Australia and India have some regulations around MFA. Each brings its own specific framework on what factors are allowed for MFA.
Biometrics for 2FA bring increased security, tighter regulation
The advantages of biometrics for authentication, says Dalton, are stronger security, low ongoing costs and a high success rate. The risks are largely related to technical and regulatory complexity. “Implementation specifics are critical. There are a lot of choices you have to make when you’re putting biometrics in place.” Vendor or internal? Device-bound biometrics or synced passkeys? User experience is also a factor: when MFA is required, bad UX can lock users out. Each decision, he says, will dictate success. And “regulatory requirements on biometrics really come into play here because there’s all kinds of things that will be accepted or not accepted depending on how you implement them.”
And, as always, definitions differ by regulator, adding to the tangle. For PSD2 to consider a biometric factor valid, the process must be “under the control of the issuer” – which means on-device biometrics do not qualify as an inherence factor. However, the public-private key pair that binds a credential to a device means FIDO authentication qualifies as a possession factor, so it is still usable.
Things are slightly looser in the UK, where on-device biometrics are accepted as inherence factors as long as “appropriate risk measures” have been taken to link the device to the user.
Meanwhile in the U.S., NIST has begun to recognize FIDO biometrics as two factors in one (device-binding for possession and biometrics for inherence) – something most MFA regulations don’t allow for. But, Dalton muses, “wouldn’t it be a wonderful user experience, if for any mandatory MFA use case, you just use your fingerprint or face and you’re done.”
And yet: synced passkeys that leverage the cloud (i.e. passkeys that are not device-bound) “erode their viability as a possession factor.” And yet again: additional metadata could help address this.
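As an added example (not code from the talk or from this article), the following Python shows one way a relying party can act on the distinctions above: it decodes the WebAuthn authenticator-data flags, which I assume are one form of the “additional metadata” mentioned, and applies a hypothetical model of the three regimes described (regime names, factor rules and the sample blob are all assumptions for illustration, not a legal determination).

```python
import struct
from dataclasses import dataclass

# WebAuthn authenticator-data flag bits (WebAuthn Level 3, section 6.1).
FLAG_UV = 1 << 2  # User Verified: the authenticator checked a PIN or biometric
FLAG_BE = 1 << 3  # Backup Eligible: the credential may be synced across devices
FLAG_BS = 1 << 4  # Backup State: the credential is currently backed up (synced)

@dataclass
class AuthDataSummary:
    user_verified: bool
    backup_eligible: bool
    backed_up: bool
    sign_count: int

def parse_authenticator_data(auth_data: bytes) -> AuthDataSummary:
    """Decode the fixed prefix: rpIdHash(32) | flags(1) | signCount(4, big-endian)."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data must be at least 37 bytes")
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return AuthDataSummary(
        user_verified=bool(flags & FLAG_UV),
        backup_eligible=bool(flags & FLAG_BE),
        backed_up=bool(flags & FLAG_BS),
        sign_count=sign_count,
    )

def claimable_factors(summary: AuthDataSummary, regime: str) -> set:
    """Hypothetical policy model of the three regimes in the talk: "PSD2", "UK", "NIST".
    Possession: only for a device-bound key (BE clear); a synced passkey can be used
    from any device in the cloud account, which is the erosion the talk describes.
    Inherence: never under PSD2 (on-device check is not under the issuer's control);
    under UK/NIST when UV is set. Caveat: UV does not distinguish biometric from PIN,
    so a relying party needs attestation or other metadata to know which was used."""
    factors = set()
    if not summary.backup_eligible:
        factors.add("possession")
    if summary.user_verified and regime in ("UK", "NIST"):
        factors.add("inherence")
    return factors

def satisfies_mfa(summary: AuthDataSummary, regime: str) -> bool:
    """True when the single FIDO ceremony alone yields two distinct factors."""
    return len(claimable_factors(summary, regime)) >= 2

def build_auth_data(flags: int, sign_count: int) -> bytes:
    """Constructed sample blob (placeholder rpIdHash) for the worked example."""
    return b"\x11" * 32 + bytes([flags]) + struct.pack(">I", sign_count)
```

Under this model a device-bound biometric passkey is a single possession factor under PSD2 and needs a second factor, while the same ceremony counts as two factors under the NIST reading; a synced passkey loses the possession claim everywhere.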
Growing impact of FIDO, passkey adoption likely to get regulators’ attention
Where does the maze lead? The world tends to follow the EU on tech regulations, and Dalton says a PSD3 is in draft stages. “With the expansion of FIDO and passkeys getting more popular, one thing we can bet on is that the regulators are closely looking at how to treat biometrics, FIDO and passkeys in their regulations going forward.”
Forward, he concludes, into “an uncertain future in the regulatory MFA landscape.”
“Regulatory MFA will expand. Biometrics have big advantages. And we need to continue to lobby for the right recognition of passwordless biometric factors including passkeys in regulation.”