At the end of April, the Australian Communications and Media Authority (ACMA) will begin requiring all telcos to implement two-factor authentication (2FA) when customers transfer their phone numbers between providers.
ACMA member Fiona Cameron was quoted in ZDNet, explaining her support for this regulation: “Mobile number fraud can have devastating effects as scammers can gain access to bank accounts, email, social media and more... [V]ictims struggle to regain control over personal and financial information, often over the years.”
For Australian businesses providing telco services, including virtual networks of any size, this new 2FA requirement demands immediate attention. Telecommunications companies that fail to comply can be fined up to $250,000.
But even if you're not directly involved in telecommunications services—and don’t operate in Australia—this news is important. It represents a global movement, in which lawmakers are increasingly treating multi-factor authentication (MFA) as a requirement rather than a mere recommendation.
What Australia’s Regulation Entails
On its face, ACMA’s 2FA requirement is fairly limited in scope. The law requires that when customers switch (or “port”) their mobile phone numbers from one provider to another, 2FA must be in use to ensure that the number is not being hijacked by scammers. The telco will implement 2FA by sending a one-time SMS code to a customer’s phone number or email.
2FA is the most common form of MFA. It’s more secure than logging in with a simple (easily stolen or hacked) password alone because it also verifies possession of an account or device already associated with the user’s identity.
However, some have argued that SMS codes aren’t the strongest 2FA choice to break the cycle of fraudulent phone porting. Australian Communications Consumer Action Network chief executive Teresa Corbin told The Guardian, “We’d like to see the Acma require telcos to use highly secure forms of verification, such as hardware or software authentication tokens, which are generated with a mobile app.”
There may not be a perfect consensus on ACMA’s solution, but no one denies that Australia’s specific focus on phone porting comes in response to a real security need. According to Paul Fletcher, Australia’s Minister for Communications, Cyber Safety and the Arts, scammers steal the identities of thousands of Australians yearly through fraudulent porting, costing an average of AUS$10,000 per victim.
These attacks are often very targeted (unlike ransomware) in order to steal money by gaining access to financial accounts or bitcoin wallets. They are also used to target high-value people at companies (think admins) to access highly valuable resources. In 2018, Reddit was breached in one of these “SIM swapping” attacks, which prompted them to stop using SMS authentication in favor of token-based 2FA.
The biggest players in Australia's telecommunications industry (Telstra, Optus, and Vodafone) already require pre-port authentication, but the government believes smaller service providers also need to implement the requirement or risk attracting scammers to their networks. Those network providers will have until April 2020 to achieve compliance with the regulation.
Why Australia Is Getting Aggressive on Cybersecurity
Passing mandatory 2FA for telcos is just one part of the Australian government’s broader effort to tighten cybersecurity. Last year, the government instituted the Notifiable Data Breach (NDB) program, requiring companies to notify individuals when their data has been compromised. Australia’s government is in the midst of overhauling its 2016 cybersecurity strategy, and multi-factor authentication was one of the “Essential Eight” security steps recommended by the Australian Signals Directorate in 2017.
While the telco 2FA regulation is highly targeted at phone porting, it’s still an indicator that Australia's federal government is willing to legislate 2FA in the name of consumer protection. This initial rule could be part of a regulatory framework that may spread to other industries. According to ZDNet, “the government believes there are still one million services that are yet to have these consumer safeguards implemented,” and these service providers may be under the microscope next.
However, the Australian government is clearly still weighing how forcefully to regulate businesses. The 2FA requirement is the first piece of policy to come out of Australia's Scam Technology Project, a partnership between industry and the government.
In September 2019, the government circulated a public survey soliciting input on the appropriate balance between industry self-regulation versus governmental intervention on matters of cybersecurity. The survey asks, among other things: “Do you agree with our understanding of who is responsible for managing cyber risks in the economy?” and “Do you think the way these responsibilities are currently allocated is right? What changes should we consider?”
MFA Is Becoming a Global Standard
While Australia’s law is a pioneer in specifically mandating 2FA for phone porting, MFA is increasingly a condition of doing business with private corporations and certain government agencies, and of complying with broader data privacy laws.
In June 2019, Microsoft announced that all of its Cloud Solution Providers (CSPs) had to use MFA. In the United States, the IRS requires that any federal, state or local employee accessing IRS data remotely must use MFA.
While the EU’s General Data Privacy Regulation (GDPR) doesn’t specifically stipulate that businesses must implement MFA, it does require “appropriate security measures” to protect personal data, and it holds businesses liable for any breach. Because MFA is among the strongest safeguards available to protect data, GDPR compliance practically makes it a necessity. The European Union Agency for Cybersecurity (ENISA) published a list of guidelines when GDPR became law. In it, they specifically advised that any system handling personal data use 2FA.
In addition, the EU mandates Strong Customer Authentication (SCA) for payment service providers, requiring that electronic payments use MFA.
The private sector is quickly recognizing that instituting MFA is critical to protecting data against breaches and staying compliant with data privacy laws. According to Global Industry Analysts' October 2019 report, the 2FA market worldwide is predicted to grow to US$12.1 billion by 2025, with potential growth of 14.3%.
Historically, many businesses have shied away from implementing MFA. For example, a 2018 Experian report found that only 44% of eCommerce businesses implemented MFA, out of concern that any demand for credentials would be a source of friction that might alienate customers and hurt profits.
However, with each new regulation that requires (and therefore normalizes) MFA, the perceived level of friction decreases. In other words, customers are becoming accustomed to encountering MFA whenever they conduct sensitive transactions, so no individual business that implements it needs to worry about imposing an undue burden on the end user.
That isn’t to say that businesses (in Australia or elsewhere) can stop thinking about how to implement MFA in a way that keeps the customer experience seamless. Not every login attempt should require users to fetch a one-time code; step-up authentication and adaptive authentication tailor MFA requests to the risk of the request.
Furthermore, a good MFA solution is designed to prioritize UX by completing authentication requests in as few steps as possible. Auth0’s Guardian MFA, for instance, lets users authenticate through a simple push notification on their phones.
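To make the step-up and adaptive approach concrete, here is an added example of a risk-based policy (it is not Auth0 Guardian's code or the article's own). It assumes a handful of constructed risk signals (device familiarity, geolocation, recent failed logins, time since the last completed MFA) with illustrative weights, and treats the page's number-port scenario as a sensitive action that always requires a fresh second factor, while routine requests are challenged only when the accumulated risk is elevated and no recent MFA can be reused.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Decision(Enum):
    """Outcome of the adaptive policy for one request."""
    ALLOW = "allow"        # no additional factor needed
    STEP_UP = "step_up"    # challenge for a second factor before proceeding
    DENY = "deny"          # accumulated risk too high to offer a challenge at all


# Hypothetical action names (constructed for this example). Anything listed
# here is treated like the number-port case: a second factor is always required.
SENSITIVE_ACTIONS = frozenset({"port_number", "change_password", "add_payee"})


@dataclass(frozen=True)
class RequestContext:
    """Risk signals available at decision time (constructed field names)."""
    action: str                         # e.g. "view_balance", "port_number"
    known_device: bool                  # device cookie/fingerprint seen before
    country: str                        # geolocated country of this request
    home_country: str                   # country the account normally uses
    failed_logins_last_hour: int        # recent failures against this account
    minutes_since_last_mfa: Optional[int]  # None if no MFA completed this session


def risk_score(ctx: RequestContext) -> int:
    """Additive risk score; the weights are illustrative, not calibrated values."""
    score = 0
    if not ctx.known_device:
        score += 40
    if ctx.country != ctx.home_country:
        score += 30
    score += 10 * min(ctx.failed_logins_last_hour, 5)  # capped contribution
    return score


def decide(ctx: RequestContext,
           step_up_at: int = 40,
           deny_at: int = 100,
           mfa_fresh_for_minutes: int = 15) -> Decision:
    """Adaptive step-up policy.

    - Sensitive actions always get a fresh second-factor challenge, even if
      the user completed MFA moments ago.
    - Otherwise the score decides: below step_up_at nothing extra is asked;
      at or above deny_at the request is refused outright; in between, an
      MFA completed within mfa_fresh_for_minutes is reused so the user is
      not challenged twice in quick succession.
    """
    if ctx.action in SENSITIVE_ACTIONS:
        return Decision.STEP_UP
    score = risk_score(ctx)
    if score >= deny_at:
        return Decision.DENY
    if score >= step_up_at:
        recent = (ctx.minutes_since_last_mfa is not None
                  and ctx.minutes_since_last_mfa <= mfa_fresh_for_minutes)
        return Decision.ALLOW if recent else Decision.STEP_UP
    return Decision.ALLOW


if __name__ == "__main__":
    # Constructed sample requests covering each branch of the policy.
    samples = {
        "routine login, known device":      RequestContext("view_balance", True, "AU", "AU", 0, None),
        "new device while travelling":      RequestContext("view_balance", False, "US", "AU", 0, None),
        "same, but MFA done 5 min ago":     RequestContext("view_balance", False, "US", "AU", 0, 5),
        "number port on trusted device":    RequestContext("port_number", True, "AU", "AU", 0, 5),
        "new device, abroad, 5 failures":   RequestContext("view_balance", False, "US", "AU", 5, None),
    }
    for label, ctx in samples.items():
        print(f"{label:34s} score={risk_score(ctx):3d} -> {decide(ctx).value}")
```

The thresholds and weights are the tuning surface: lowering `step_up_at` trades friction for coverage, and the `mfa_fresh_for_minutes` window is what keeps a low-risk session from being challenged repeatedly while still forcing a fresh factor for the high-value actions that fraudsters actually go after.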
Auth0 Can Ease the Journey to MFA
The legal requirements, customer expectations, and technological capabilities around MFA are evolving rapidly. Australia’s 2FA requirement for phone porting is just one sign that the prevailing winds are pushing industries toward more secure authentication solutions. In light of this, businesses who have avoided implementing MFA should take this opportunity to reconsider their stance.
Aside from any regulatory mandate, MFA is no longer an inherent source of friction for customers. When you outsource this capability to an authentication partner like Auth0, you can reap the benefits of MFA solutions that are secure and compliant and are as easy on your customers as possible.
For a deeper dive into MFA and the potential implications for your business, please check out our whitepaper When is MFA the right choice?