Passwordless: Malaysia’s new weapon against phishing

Passwordless authentication replaces traditional passwords with passkeys and biometrics, enhancing security and reducing phishing risks. Image created by DALL·E 3.

In the fight against rising cyberthreats, government leadership plays a crucial role. This is particularly true in Malaysia, where the National Cyber Security Agency (NACSA) became the first government entity in the country to adopt FIDO (Fast IDentity Online) standards and passwordless technology in 2024.

Equally significant is Malaysia’s new Cybersecurity Act 2024, which came into effect on August 26 that year. Among its key provisions are strengthened security mechanisms for National Critical Information Infrastructure (NCII) sector leads and NCII entities, as well as new regulations for cybersecurity service providers.

Given these developments, what does passwordless adoption add to the equation?

Cybersecurity landscape

Malaysia’s cyberthreat landscape is growing at an alarming rate. CyberSecurity Malaysia reported that as of January 2024, there were 28.68 million social media users in the country, representing 83.1% of the total population. Meanwhile, reported cyber incidents increased by 10% from Q2 2024 to Q3 2024. The Cyber999 Incident Response Centre recorded 1,481 incidents in Q2, which rose to 1,623 incidents in Q3.

Among the top cyber incidents recorded in Q3 2024 were fraud, data breaches, and intrusion attempts.

During the FIDO APAC Summit 2024 in Kuala Lumpur, Dato’ Ts Dr Amirudin Abdul Wahab, Chief Executive Officer of CyberSecurity Malaysia, highlighted Malaysia’s struggle in safeguarding personally identifiable information (PII).

“PII can be obtained from websites that have been hacked, and this data can be distributed in open meeting forums. When PII falls into the wrong hands, it can be exploited for identity fraud, phishing attacks, and other criminal activities. Cybercriminals may use PII to impersonate someone, gain unauthorised access to accounts or systems, or commit financial fraud,” he said.

Many cybersecurity incidents in Malaysia — and globally — can be attributed to a persistent problem: passwords.

“A password is something that you know, whereas a passkey is something you have. A password is a shared secret, but it’s not really a secret because it can be stolen off the dark web. It can be stuffed into websites. It can be phished and manipulated,” explained Andrew Shikiar, Executive Director and Chief Marketing Officer of the FIDO Alliance.

What concerns Shikiar even more is that Asia accounted for 31% of global cyber incidents in 2023, and 78% of business leaders in the region reported a data breach in their organisation.

“What we found is that mid-sized companies are particularly at risk, while small businesses, frankly, probably don’t report their data. We know about large enterprises, but the mid-size market is a unique segment that needs to understand the risks of password use — as well as the solutions available to move beyond passwords using security keys or passkeys to protect their employees and networks,” he revealed.

Shikiar added that organisations need to move away from traditional knowledge-based credentialing and adopt a more modern, possession-based approach to authentication.

Collective action

During the summit, Ir Dr Megat Zuhairy Bin Megat Tajuddin, Chief Executive of NACSA, welcomed the passage of the country’s Cybersecurity Act 2024, calling it a crucial milestone in Malaysia’s collective effort to enhance its cyber defences.

“This legislation goes beyond a simple set of regulations. It establishes a robust, comprehensive framework designed to enhance our resilience in an increasingly complex and ever-evolving threat landscape,” he said.

Megat also highlighted a specific provision in the new law that governs cybersecurity service providers: “By regulating and licensing cybersecurity service providers, we aim to instil a culture of accountability and uphold the highest standards across the industry. At its heart, Cybersecurity Act 2024 is not just about protecting systems and data; it’s about preserving the trust that every nation must uphold in our digital infrastructure, particularly in this interconnected world. Trust is the foundation of our economy, social connections, and governments.”

He also stressed the importance of the FIDO Alliance in strengthening regional cooperation to bolster defences against cyberattacks.

“FIDO is not only enhancing security but also fostering greater trust in digital services that are integral to our daily lives,” Megat remarked.

Representing the cybersecurity industry, Edward Law, Chief Executive Officer of SecureMetric, saw the country’s new cybersecurity regulation as a positive step towards improving Malaysia’s digital resilience.

“As an industry player, we always believe that complying with regulatory requirements is the best way to push and promote the adoption of stronger cybersecurity measures. If a vendor urges an organisation to adopt something for its benefit, chances are that the organisation won’t do it, even if it’s proven to be effective — like passkeys. Passkeys have been proven to be faster than any authentication method,” he said.

During the summit, several technology partners showcased how they are leveraging passwordless authentication using FIDO standards. Samsung, for example, demonstrated its passkey feature on Galaxy mobile devices. Hyung Chul Jung, Security Engineering Group Head at Samsung Electronics, reported 7,672,861 cumulative passkey registrations, 1,000,000 average new monthly registrations, and 850,000 average monthly authentications over a seven-month period.

For TikTok, over 100 million users registered for passkeys within a year of implementation, achieving a 97% login success rate and a 17x faster login experience. In the case of Visa, its Visa Payment Passkey feature for cardholder authentication in modern e-commerce led to a 50% drop in fraud incidents.

Way forward

With strong support from both the government and industry for passwordless authentication — and the introduction of clear, unified cybersecurity legislation — there is hope that phishing, data breaches, and ransomware incidents will decline. At the same time, organisations may become more inclined to adopt stronger authentication measures for their platforms and services.

“By embarking on this transformative journey, we position ourselves to unlock unprecedented opportunities, build a resilient legal system, and shape a future where technology acts as a catalyst of positive change. One promising solution to gain traction globally is passwordless authentication. By eliminating the reliance on traditional passwords, we can enhance security for the growing user experience. Embracing passwordless authentication not only strengthens our cybersecurity posture, but also aligns with our vision of a more inclusive, accessible digital society,” CyberSecurity Malaysia’s Amirudin said.