Last week, Transport for London (TfL) announced that it will be introducing multi-factor authentication (MFA) to its Oyster and contactless users this year. Usernames and passwords, which is the authentication that TfL currently uses for users, have long been the default method of online authentication but have been proven to be ineffective at mitigating modern cyberattacks.
By requiring MFA, TfL is providing extra security for its users when accessing their personal information on the TfL app or website. MFA is a more secure alternative to passwords, requiring a user to provide two or more forms of unique evidence. This is to verify their identity, permit access to their digital accounts or information, and protect their data from being compromised by cyberattacks. Following TfL’s update, when creating a new account or signing into an existing account, online users will be required to set up MFA identity verification. Customers will receive a six-digit code on their mobile device that they must enter via a prompt at each sign-in.
Niall McConachie, regional director (UK & Ireland) at Yubico, welcomes this change by TfL and encourages more UK organisations to offer MFA to their online users:
“It’s encouraging to see that TfL is one step closer in improving online security for its customers. However, it is also important to note that not all MFA is created equal, and some forms of MFA are more secure than others.
“For example, mobile devices certainly offer us ease of access, convenience, and a sense of security – until they are broken, lost, or even stolen. And while SMS, one-time passcodes, and mobile authentication apps are more secure than passwords, these methods are still susceptible to a variety of common cyberattacks. Account takeovers, phishing, and man-in-the-middle attacks are just some of today’s most prolific attacks that can potentially lead to a ransomware attack or data breach later on, which would be devastating for any organisation and its customers.
“Ultimately, mobile devices have countless uses to those who use them, but they are not designed for cybersecurity purposes. The perception that usernames, passwords, or mobile devices are effective and secure authentication methods to private data is incorrect and must change – especially when personal, financial and location data is all up for grabs from hackers.
“With this in mind, TfL and other UK organisations should work towards implementing more modern MFA approaches including passwordless authentication solutions. These offer strong phishing resistance and are proven to stop account takeovers in their tracks.”