Multi-Factor Authentication (MFA) for Ships
What is MFA and Why Ships Need It
Multi-Factor Authentication (MFA) requires users to verify their identity using two or more independent authentication factors before accessing a system. The three standard factor categories are: something you know (password, PIN), something you have (hardware token, smart card, mobile device), and something you are (fingerprint, iris scan). MFA significantly reduces account compromise risk because an attacker who obtains a password alone cannot authenticate without the second factor.
Shipboard systems have historically relied on single-factor authentication — passwords, often shared among crew members. This approach was tolerable when ships were isolated systems, but is now a critical vulnerability. Remote access to shipboard OT systems by OEM vendors, shore-based superintendents, and fleet management platforms creates attack paths through which compromised credentials can be used by threat actors to access navigation, propulsion, and cargo systems. Password-only authentication provides no protection against stolen, leaked, or phished credentials.
The challenge for maritime MFA is that OT systems are safety-critical environments where authentication must not introduce latency that affects operational responsiveness. A 30-second MFA workflow is acceptable for shore-side email but may be inappropriate during manoeuvring or for emergency access to engine control systems. Maritime MFA deployments must be designed to meet both security and safety requirements simultaneously.
Regulatory Framework & Compliance Requirements
MFA requirements for ships derive from IACS UR E26 access control requirements, IMO cyber risk management guidelines, and flag state regulations. The degree to which MFA is explicitly mandated versus implied as a best practice varies by regulatory instrument — IACS UR E26 is the most specific.
Requires that access to computer-based systems supporting ship operations be restricted to authorised users and authenticated by appropriate means. While MFA is not explicitly named, IACS interpretations consistently treat strong authentication (MFA or hardware token) as the "appropriate means" for privileged access to safety-critical systems. Class societies including DNV, Lloyd's Register, and Bureau Veritas include MFA in their cyber notation audit criteria.
Remote access to shipboard systems must be authenticated and authorised. Industry guidance from BIMCO, ICS, and major class societies explicitly requires MFA for all remote access connections — including OEM vendor access, shore superintendent connections, and shore SOC connections to onboard monitoring systems. This is the highest-priority MFA deployment scope for most vessel operators.
The BIMCO/ICS Maritime Cyber Security Guidelines (4th edition) explicitly recommend MFA for all remote access, administrative access to shipboard systems, and access to systems deemed "critical" under the vessel's cyber risk assessment. The guidelines are referenced by most major flag states as the baseline for ISM Code cyber compliance.
The IMO guidelines' "Protect" functional element includes technical measures to defend against identified threats. Authentication controls — including MFA — are explicitly listed as protection measures for systems identified as critical in the ship's cyber risk assessment. Shore-connected systems (VSAT terminals, data sharing platforms) require particular attention to authentication strength.
MFA Factor Types & Maritime Suitability
Not all MFA factor types are equally suitable for shipboard environments. SMS-based OTP (one-time password) requires cellular connectivity — unavailable at sea. Authenticator app TOTP requires a mobile device and works offline, but relies on time synchronisation that can drift. Hardware security keys (FIDO2/WebAuthn) are phishing-resistant, offline-capable, and fast — making them the preferred solution for maritime applications.
| Factor Type | Works Offline | Phishing-Resistant | OT Compatible | Maritime Rating |
|---|---|---|---|---|
| FIDO2 Hardware Key | ✓ Yes | ✓ Yes | ✓ High | ⭐ Preferred |
| Smart Card / CAC | ✓ Yes | ✓ Yes | ~ Medium | 🟡 Suitable |
| TOTP Authenticator App | ✓ Yes* | ✗ No | ✓ High | 🟡 Acceptable |
| Push Notification (App) | ✗ No | ✗ No | ~ Partial | 🔴 Limited |
| SMS OTP | ✗ No | ✗ No | ✗ No | 🔴 Not Recommended |
| Biometric (Fingerprint) | ✓ Yes | ✓ Yes | ✗ Low* | 🟡 Supplementary |
*TOTP apps require time sync — verify NTP is reliable onboard. Biometrics may degrade with dirty or wet hands in engine room environments.
Maritime Implementation Constraints
Many OT HMIs and workstations run Windows XP or embedded OS versions that do not support FIDO2, smart card, or modern MFA client software. Legacy authentication infrastructure in these systems may limit MFA to network-level enforcement at the PAM session gateway rather than native integration at the OT application layer.
SMS OTP and push notification MFA require mobile network connectivity. At sea, no cellular signal is available. Any MFA implementation relying on these methods will fail beyond port limits. Shipboard MFA must be based on offline-capable factors: hardware keys, TOTP apps, or smart cards that operate independently of network connectivity.
If a hardware token is lost, damaged, or accidentally left ashore, the affected crew member may be locked out of systems they need to operate. Unlike shore environments where IT can issue a replacement immediately, at sea there may be no spare token available. Maritime MFA deployments require a documented spare token management process, including backup tokens stored securely aboard each vessel.
Maritime crew rotations create a continuous onboarding and offboarding cycle. MFA token issuance, enrolment, and revocation processes must be designed to handle crew changes at each port call — typically every 2–9 months. The shore-based IT team or vessel manager must have a defined process for provisioning and deprovisioning MFA factors that aligns with the crew change schedule.
Engine room environments involve heat, vibration, noise, grease, and wet hands — conditions that impair biometric readers (fingerprint), touchscreen-based authentication, and can damage mobile device screens. Hardware keys with physical button activation (USB-A or NFC) are more reliable than biometric or touchscreen-dependent factors in machinery space environments.
Trends & Market Developments
FIDO2/WebAuthn hardware security keys are emerging as the maritime MFA standard of choice among leading shipowners. They work offline, are phishing-resistant, fast (<1 second authentication), and require no backend identity provider connectivity for local system access. DNV and Lloyd's Register have both indicated FIDO2 as an accepted strong authentication mechanism in their cyber notation guidance.
Emerging concepts in maritime identity management use the seafarer's digital identity — linked to STCW certificates, flag state documents, and crew management systems — as the identity anchor for MFA. Instead of managing separate IT credentials for each vessel, the seafarer's professional digital identity is used to issue MFA credentials, reducing enrolment friction during crew changes.
ZTNA extends MFA principles to every access request — not just the initial login. Continuous verification of identity, device health, and access context replaces the traditional VPN model. Maritime ZTNA is gaining traction for shore-to-ship connections, where it provides stronger access control than legacy VPN while enabling granular, per-application access rather than full network access.
Adaptive MFA adjusts authentication requirements based on risk context — requiring only a hardware key for routine access from a known device, but demanding additional factors if access is attempted from an unusual location, at an unusual time, or to a high-risk system. For ships, risk signals might include: remote access origin, time of day relative to port vs sea, and the sensitivity of the target system being accessed.
MFA eliminates the single greatest vulnerability in shipboard access control — password-only authentication. Given that over 80% of maritime cyber incidents involve stolen or reused credentials, MFA is the highest-value, lowest-complexity security improvement most vessel operators can deploy.
FIDO2 hardware keys are the preferred maritime MFA factor. They satisfy offline operation, phishing resistance, speed, and durability requirements simultaneously. SMS OTP and push notification MFA are not viable at sea and should not be selected as the primary factor for shipboard deployments.
Spare token management is not optional. Every vessel should carry spare enrolled hardware keys for each critical role. The crew change process must include MFA token handover as a mandatory step — as routine as handover of bridge watch responsibilities.
Deploy MFA for remote access first. Shore-to-ship connections are the highest-risk access pathway and the most straightforward scope for initial MFA deployment — they can be controlled at the network boundary without requiring legacy OT system integration.
Continue the Ship Solutions series with Network Security — Maritime OT/IT Firewall, IDS, and NDR deep-dives.
⚓ Join the ShipPaulJobs Community
Join →
Comments
Post a Comment