Multifactor Authentication and Quantum Computing

This article will explore two technical topics: multifactor authentication (MFA) and quantum computing. Together we will dive into what these technical topics mean and, more importantly, the impact of quantum computing on MFA.  

Defining MFA & Quantum Computing

MFA requires a user to authenticate their identity using two or more factors. An example of this is when you use online banking, your app could ask for your password (factor 1 “something you know”) and then send you a pin code to your phone (factor 2 “something you have”).  Now let's define quantum computing: it is a is a superior form of computing that allows the computer to exist in a state of 1 and 0. That sounds confusing right? Let’s take it step by step - if you give a traditional computer a maze it will try to solve it by trying out each route in turn, this is because they cannot attempt multiple routes at the same time. However, if you give a quantum computer a maze, it can attempt several routes simultaneously. This means that quantum computers think faster and are more efficient. If we put our cybersecurity hats on, what threats could this pose? 

Multi-factor Authentication (MFA)

To understand the significance quantum computing poses to MFA, it is important to understand why cybersecurity professionals, Chief Information Security Officers (CISOs), and organisations have deployed MFA and why this has been viewed as a trusted measure. MFA focuses on three key areas:  something a user knows, something a user has, and something a user is. 

• Something a user knows can be a: password, pin code, secret question, etc. 
• Something a user has can be a: smartphone, RSA (key, USB, etc.) 
• Something a user can be a: fingerprint, facial recognition, voice recognition, etc. 

The last factor we discussed holds some ethical implications. Although they are not directly relevant to this article it is good to be mindful of this.

Now that we understand how extensive MFA is, we can see why organisations have put their trust in it. The threat posed by quantum computing to MFA is not to be taken lightly and signals an era of emerging technology, which will both bolster and hinder what we have traditionally defined as ‘secure’.

Now that we have explored MFA in more detail let’s look at exploring quantum computing in more detail and then contrast the two. 

Quantum Computing

We have looked at defining quantum computing within the context of a maze but let’s take it one step further. This section will use the term ‘algorithm’ when you hear this word think a set of rules. 

Classical computational algorithms are computerised sets of rules that computers use to solve problems, impose restrictions, collect data, etc. Let’s imagine you are baking a cake - the recipe is the algorithm. Quantum computers can use quantum-classical algorithms … that’s a big phrase to digest! 

Let’s go back to our cake analogy: if we throw an electric mixer into the equation, we can incorporate instructions applicable to electric mixers. Quantum classical algorithms can have rules which only work on quantum computers due to the ‘superposition’ of quantum states. If we look back to our maze analogy earlier, we learned that quantum computers can be in a state of 1 and 0 at the same time, this is what is meant by ‘superposition’.

Now that we understand the technical background behind quantum computers better and their capabilities, we are going to look at what sort of threats quantum computers pose to MFA. 

Emerging Risks to Multi-Factor Authentication: Quantum computing 

In the first section of this article, we posed a question at the end, which is ‘quantum computers think faster and are more efficient. If we put our cybersecurity hats on, what threats could this pose?’ We know that quantum computers: think faster, operate faster, and have more complex algorithms. RSA keys are secure cryptographic system that encrypt information end-to-end. If you are a user using MFA and one of those factors is an RSA key, it would be logical to feel secure. However, quantum computers’ supremacy allows them to decrypt cryptographic communication (RSA keys, etc). Traditionally adding additional layers (factors) in MFA provides an additional blanket of security. However, quantum computers can decrypt, solve complex problems, and calculate at a rate unachievable by classical computers. This threatens the entire model of MFA. 

If quantum computing can pose a threat to MFA, surely, we can also harness it to bolster MFA. This is where we see the emergence of Quantum Computing-as-a-Service (QCaaS). This is a service provided by Microsoft, D-Wave, and IBM (amongst others). Currently this service is a research capability. However, as quantum emerges, we will see companies providing security by design powered by QCaaS . It is important to note quantum computers are very expensive, must live in specific conditions (-273.333 Celsius) and are very expensive. This means that when we look at the threat landscape, we are looking at nation-state actors as opposed to your usual hacker. 

We have looked at the threats posed by quantum; however, faster, and more complex computing can also bring new capabilities to climate action, health-tech, education, etc. It is important to look at technology as multi-dimensional as opposed to a solution for all. As a society we must be part of a value system which puts people at the centre of technology.

The views reflected in this article are the views of the author and do not necessarily reflect the views of the global EY organization or its member firms.