The Challenges of MFA in the Public Sector

Michael Tanaka, CCO

In a series of new, insightful blogs this summer, the CCO at MIRACL, Michael Tanaka, takes time to reflect on some of the challenges organisations face with authentication processes - and considers how MIRACL could be the solution.

In today’s post he considers the role of passwords, why they are still so commonly used - especially in the public sector – and what a cost effective, easily deployed alternative might look like.

What are we replacing?

Passwords still play a part in over 95% of log-ins across the world, yet since the early days of the internet, over 25 years ago, people have understood the fact that passwords are inadequate and cannot secure a world with near infinite interconnections.

Nonetheless they persist because passwords are:

  • Simple: familiar process with few steps
  • Deployable: any service, any device and no companion hardware
  • Affordable: a solution for any budget at any scale

This leads us to the ultimate conclusion that “Usability” is a prerequisite and without it, security is meaningless. After all, what use is the best security in the world if nobody can or wants to use it?

Security is not the problem.

There are plenty of secure alternatives, but they all fail in one or more of the Simplicity, Deployability or Affordability tests.

As an example, RSA Hardware Tokens fail in all three as they are complex to operate, very difficult to deploy and maintain, and are beyond the financial means of most organisations to purchase. Of course, the tier 1 banking industry has managed to live with those shortcomings but there are very few examples outside of that. Imagine the chaos that would ensue if the Department for Work and Pensions (DWP) decided to deploy RSA tokens to all of its clients!

Similarly, the Google Authenticator app scores well in affordability but fails in the other two. It is complex and unwieldy for users and requires a companion mobile to log in to any other device. The result is that for many organisations it is impractical or impossible to displace passwords with the technologies generally available today.

The sheer numbers!

Let’s take a look at a very common arrangement where you have a limited number of core users, a much larger number of engaged end users and then an even greater number of peripheral users. For example, a university with staff, students and alumni or a government department with staff, dependent clients and the broader public.

For argument’s sake let’s assume those ratios are 1:10:100. So, the staff and their infrastructure may be supporting 10-fold the number of clients and 100-fold the number of peripheral users.

Most legacy Multi Factor Authentication (MFA) solutions are targeted towards the enterprise, where high per-user pricing, user friction and support overheads are generally tolerated. That’s no longer practical once you hit the second tier of engaged end-users where costs, deployment challenges and the user’s ability to operate the technology become a real challenge. By the time you hit the third-tier peripheral users (alumni and the broader public in the two examples above) those challenges have become insurmountable obstacles.

Enter MIRACL Trust ID…

Simplicity, deployability and affordability have limited the adoption of traditional MFA to edge cases where the service and users can tolerate high friction, high costs or very specific deployment parameters. As an example, very few industries would be able to justify the user friction and capital expenditure required to adopt hardware tokens - with the Tier 1 banking industry being one of the few exceptions.

This is where MIRACL Trust ID can make a big difference. We replace insecure passwords, expensive SMS texts and complex logins with a secure MFA service that is simple for users, works on any device, allows a direct login without companion hardware, and costs a fraction of an SMS text to operate.

Simplicity: MIRACL’s login uses a single step PIN entry which takes only 2 seconds. This reduction in steps, time and keystrokes results in user error rates of approximately 1/5th - 1/10th that of passwords or other MFA alternatives such as SMS text authentication.

Deployability: As a 100% software solution MIRACL Trust ID can be deployed instantly to an unlimited number of browsers, mobile devices, even smart TVs and any other device that can launch a browser. You can stop worrying about the infinite variety of endpoint devices your staff or customers choose to use now or in the future.

Affordability: Due to the nature of the technology, there are almost no overheads associated with inactive users so we can provide a service at a fraction of the cost of an SMS message on each use. With no infrastructure to maintain, no systems to manage, no license to pay, no user fees and the overall reduction in support costs, your total cost of ownership can be less than the passwords you are replacing.

Security: Whilst MIRACL’s PIN may be a simple knowledge factor, it bears almost no similarity to the common password. MIRACL uses the PIN to disable and enable a customised cryptographic key that works only for that particular identity. Elliptic curve pairing-based cryptography, identity-based encryption and a zero-knowledge proof (ZKP) protocol mean 99.9% of all attacks fail but more importantly, for the user, it is easy, it works and it is secure.

By overcoming all of the issues that have historically limited the adoption of secure authentication technologies, MIRACL Trust ID enables any organisation to deploy strong MFA to every user under their care.

Michael Tanaka, CCO of MIRACL, has over 30 years’ experience presenting complex technologies and concepts to a diverse range of technical and business audiences.

For further information & the latest updates please visit: MIRACL or follow us on social media: Twitter @MIRACL | LinkedIn MIRACL

To reach out to MIRACL about potential partnership opportunities email Kate Ellerton on
