Is Malaysia’s Shift to Passwordless Authentication the Future of Security?

Passwordless authentication substitutes traditional passwords with more secure methods, such as passkeys and biometrics, enhancing overall security and aiming to mitigate phishing risks. This shift is part of Malaysia’s broader efforts, spearheaded by the National Cyber Security Agency (NACSA), which became the first government body in the country to adopt Fast IDentity Online (FIDO) standards and passwordless technology in 2024.

Malaysia’s Cybersecurity Landscape

The Cybersecurity Act 2024

A crucial development in Malaysia’s cybersecurity landscape is the enactment of the Cybersecurity Act 2024, effective from August 26, 2024. This legislation introduces stringent security measures for National Critical Information Infrastructure (NCII) sector leads and entities, alongside new regulations for cybersecurity service providers. This legislative effort underscores Malaysia’s commitment to strengthening its cyber resilience amidst an escalating threat landscape.

The Cybersecurity Act 2024 not only imposes stringent regulations on critical sectors but also mandates the adoption of state-of-the-art security measures to safeguard national interests. By enforcing these enhanced security standards, the Act aims to mitigate potential risks and improve the resilience of essential services against cyberattacks. This move is a testament to Malaysia’s proactive stance in addressing cybersecurity challenges and its resolve to create a robust digital environment for its citizens.

Rising Cyber Incidents

The urgency for these measures is underscored by cyber incident statistics reported by CyberSecurity Malaysia. As of January 2024, Malaysia had 28.68 million social media users, constituting 83.1% of the total population. During the same period, cyber incidents surged, with a 10% increase in reported cases from Q2 to Q3 2024. In Q3 2024 alone, the Cyber999 Incident Response Centre recorded 1,623 incidents, up from 1,481 in Q2. Predominant types of incidents included fraud, data breaches, and intrusion attempts.

Given the significant rise in cyber incidents, it’s evident that traditional security measures may no longer suffice in protecting against sophisticated threats. The increasing digital footprint, coupled with the rapid evolution of cybercriminal tactics, necessitates a more comprehensive approach to cybersecurity. This context underscores the importance of adopting modern, passwordless authentication methods to enhance security and effectively counter the growing number of cyber threats facing the nation.

The Vulnerability of Traditional Passwords

Risks of Personally Identifiable Information (PII)

Dato’ Ts Dr Amirudin Abdul Wahab, CEO of CyberSecurity Malaysia, spotlighted the vulnerabilities associated with Personally Identifiable Information (PII) during the FIDO APAC Summit 2024 in Kuala Lumpur. He articulated that PII, once obtained through hacked websites, could be misused for identity fraud, phishing attacks, and other criminal activities. The pervasive issue of compromised passwords forms a significant part of these security lapses, leading to unauthorized access and subsequent fraud.

Amirudin highlighted that once PII is compromised, the resulting damage can extend far beyond financial loss, impacting an individual’s privacy and overall security. The ease with which passwords can be stolen through phishing or other cyber tactics exacerbates the risk, making it imperative to consider more secure alternatives. By transitioning to passwordless authentication methods, Malaysia aims to reduce these vulnerabilities and create a safer digital environment for both individuals and organizations.

Global Perspective on Password Insecurity

Andrew Shikiar, Executive Director and Chief Marketing Officer of the FIDO Alliance, emphasized the inherent insecurity of traditional passwords. He explained that passwords, as shared secrets, are susceptible to theft and manipulation via the dark web, phishing, or other cyber tactics. Highlighting the global scale of this issue, Shikiar pointed out that Asia accounted for 31% of global cyber incidents in 2023, with 78% of business leaders in the region reporting data breaches within their organizations. Mid-sized companies, in particular, face elevated risks, necessitating a shift towards possession-based authentication methods such as security keys or passkeys.

The vulnerabilities associated with traditional passwords are a global concern, and the statistics presented by Shikiar underscore the widespread nature of this issue. He stressed the importance of moving away from password-based systems to achieve stronger, more reliable security. The global trend towards passwordless authentication reflects a growing recognition of the need for more secure and efficient methods to protect sensitive information and enhance overall cybersecurity resilience.

Collective Action and Industry Collaboration

Legislative and Regulatory Support

Collective action has been a cornerstone of Malaysia’s approach to bolstering cybersecurity. Ir Dr Megat Zuhairy Bin Megat Tajuddin, Chief Executive of NACSA, lauded the passage of the Cybersecurity Act 2024. He described the legislation as a comprehensive framework designed to fortify the country’s resilience against the continually evolving threat landscape. The new law also regulates cybersecurity service providers to ensure accountability and uphold high industry standards, thereby reinforcing trust in Malaysia’s digital infrastructure.

Megat emphasized that the successful implementation of this legislation requires close collaboration between the government, private sector, and civil society. By fostering a cohesive approach and promoting adherence to stringent security protocols, Malaysia can enhance its defensive capabilities and better protect its digital assets. This coordinated effort is vital in addressing the challenges posed by cyber threats and ensuring a secure and trustworthy digital environment for all stakeholders.

Role of the FIDO Alliance

The FIDO Alliance’s role is crucial in enhancing regional cooperation to withstand cyberattacks. Megat emphasized the alliance’s contribution to strengthening security and fostering trust in integral digital services. Edward Law, CEO of SecureMetric, echoed this sentiment, viewing the new regulation as a positive driver for the adoption of robust cybersecurity measures. Law highlighted the effectiveness of passkeys, noting their faster and more secure nature compared to traditional authentication methods.

The FIDO Alliance’s initiatives are pivotal in driving the adoption of more secure authentication methods and promoting best practices across the industry. By collaborating with key stakeholders and advocating for the implementation of FIDO standards, the alliance aims to create a more secure and user-friendly digital ecosystem. The collective efforts of industry leaders, technology providers, and regulatory bodies are instrumental in achieving this vision and ensuring the widespread acceptance of passwordless authentication solutions.

Practical Applications and Industry Adoption

Showcasing Passwordless Authentication

During the FIDO APAC Summit 2024, various technology partners showcased the practical applications of passwordless authentication using FIDO standards. Samsung presented its passkey feature on Galaxy mobile devices, reporting 7,672,861 cumulative registrations with significant monthly activity. TikTok achieved notable success with over 100 million users registering for passkeys within a year, resulting in a high login success rate and a markedly improved login experience. Visa’s Payment Passkey feature also demonstrated significant benefits, including a 50% reduction in fraud incidents for e-commerce transactions.

These practical applications of passwordless authentication highlight not only their benefits but also the growing adoption among major technology players. The success stories of companies like Samsung, TikTok, and Visa illustrate the effectiveness of passkeys in enhancing security while improving user experience. By showcasing these examples, the FIDO APAC Summit 2024 underscored the practical viability and advantages of passwordless authentication in real-world scenarios, encouraging broader acceptance and implementation across various sectors.

Government and Industry Support

In the ongoing fight against the rising threat of cyberattacks, passwordless authentication has become a noteworthy strategy. Recently, Malaysia has highlighted this approach with several significant initiatives. Passwordless authentication replaces traditional passwords with more secure alternatives, such as passkeys and biometric methods, making systems more robust and less susceptible to phishing attacks.

These advancements are part of Malaysia’s comprehensive efforts to enhance national cybersecurity, led by the National Cyber Security Agency (NACSA). Notably, in 2024, NACSA became the first government entity in Malaysia to implement Fast IDentity Online (FIDO) standards and passwordless technologies. This move aims to bolster the nation’s defense against cyber threats by employing cutting-edge authentication methods. Malaysia’s pioneering adoption of FIDO standards reflects a broader push towards modernizing and securing digital identities, highlighting the importance of staying ahead in cybersecurity efforts to protect sensitive information and critical infrastructure.
