All online accounts could require two-step authentication by law under proposals being considered by the Government to combat a surge in fraud and cyber crime.
The Home Office has launched a consultation in which it asks whether two or more factor authentication should be “required for all online accounts by default”.
The system – widely used by banks and big companies – only allows a user to access an account after logging on with their password and then completing a further security process, such as a second digital log-in via a text message, a security token or a biometric check, including facial ID or fingerprint.
The Home Office said it believed new measures were needed to “address the large volume of cyber crimes committed by criminals with a relatively low level of technical sophistication”.
“This work will explore measures to reduce the burden on citizens for cyber security, including the application by organisations of secure-by-default principles to protect user accounts and information,” it said.
This could involve updating data protection laws to ensure all providers of online services and bodies that process personal data exercise “an appropriate and proportionate degree of responsibility for the protection required of the data and access to it”.
However, the Government also wants to avoid discriminating against older people, those in rural areas or the less computer literate.
‘No-one should be inadvertently excluded by enhanced security’
“In considering potential new measures, we are keen to ensure that existing and future proposals meet the needs of all users, not just those with good computer literacy,” said the Home Office.
“No-one should be inadvertently excluded from a platform by enhanced security measures, nor should new security measures unduly interfere with UK citizens’ access to, ease of use, or enjoyment of the internet.”
Other options could be to only require two-step authentication for “some” accounts such as online banking, or for occasional security checks.
The Home Office said it would prefer to secure a voluntary code from industry, but had not ruled out legislation if required. It said extra measures were needed because of a sharp rise in fraud and computer misuse offences.
Of 1.6 million computer misuse offences in the year to March 2022, nearly 1.3 million involved unauthorised access to personal information largely through hacking. This represented a 158 per cent increase compared to 2020.
The ‘level of criminal activity is deeply disturbing’
Priti Patel, the Home Secretary, said: “Such crimes are frequently committed to facilitate further offences, including fraud, extortion, cyber stalking and domestic abuse.
“This level of criminal activity is deeply disturbing, and my Department and the UK Government are committed to tackling it to ensure UK citizens are better protected.
“UK citizens should be able to use the internet without fear that they will fall victim to cyber crime, and their personal accounts or data be exploited by criminals to commit other offences.”