Multi-Factor Authentication (MFA) for Ships

🚢 Ship Solutions 🔒 Identity & Access MFA Series 1 Technical Guide

Multi-Factor Authentication (MFA) for Ships: Complete Technical Guide

Implementing phishing-resistant authentication on shipboard OT/IT systems — IACS UR E26 requirements, factor types, OT-safe deployment patterns, maritime constraints, and emerging trends

ShipPaulJobs
ShipPaulJobs Team ✓ Verified
Reviewed & fact-checked by the ShipPaulJobs editorial team · July 2026
PART 1

What is MFA and Why Ships Need It

Multi-Factor Authentication (MFA) requires users to verify their identity using two or more independent authentication factors before accessing a system. The three standard factor categories are: something you know (password, PIN), something you have (hardware token, smart card, mobile device), and something you are (fingerprint, iris scan). MFA significantly reduces account compromise risk because an attacker who obtains a password alone cannot authenticate without the second factor.

Shipboard systems have historically relied on single-factor authentication — passwords, often shared among crew members. This approach was tolerable when ships were isolated systems, but is now a critical vulnerability. Remote access to shipboard OT systems by OEM vendors, shore-based superintendents, and fleet management platforms creates attack paths through which compromised credentials can be used by threat actors to access navigation, propulsion, and cargo systems. Password-only authentication provides no protection against stolen, leaked, or phished credentials.

The challenge for maritime MFA is that OT systems are safety-critical environments where authentication must not introduce latency that affects operational responsiveness. A 30-second MFA workflow is acceptable for shore-side email but may be inappropriate during manoeuvring or for emergency access to engine control systems. Maritime MFA deployments must be designed to meet both security and safety requirements simultaneously.

99.9%
Reduction in Account Compromise
With MFA vs password-only (Microsoft/Google data)
80%+
Maritime Breaches via Stolen Credentials
Industry incident analysis, 2022–2025
E26
4.2 Compliance Requirement
IACS UR E26 mandates access control for all CBS
PART 2

Regulatory Framework & Compliance Requirements

MFA requirements for ships derive from IACS UR E26 access control requirements, IMO cyber risk management guidelines, and flag state regulations. The degree to which MFA is explicitly mandated versus implied as a best practice varies by regulatory instrument — IACS UR E26 is the most specific.

IACS UR E26 4.2 — Access Control

Requires that access to computer-based systems supporting ship operations be restricted to authorised users and authenticated by appropriate means. While MFA is not explicitly named, IACS interpretations consistently treat strong authentication (MFA or hardware token) as the "appropriate means" for privileged access to safety-critical systems. Class societies including DNV, Lloyd's Register, and Bureau Veritas include MFA in their cyber notation audit criteria.

IACS UR E26 6.3 — Remote Access

Remote access to shipboard systems must be authenticated and authorised. Industry guidance from BIMCO, ICS, and major class societies explicitly requires MFA for all remote access connections — including OEM vendor access, shore superintendent connections, and shore SOC connections to onboard monitoring systems. This is the highest-priority MFA deployment scope for most vessel operators.

BIMCO Maritime Cyber Security Guidelines

The BIMCO/ICS Maritime Cyber Security Guidelines (4th edition) explicitly recommend MFA for all remote access, administrative access to shipboard systems, and access to systems deemed "critical" under the vessel's cyber risk assessment. The guidelines are referenced by most major flag states as the baseline for ISM Code cyber compliance.

IMO MSC-FAL.1/Circ.3 — Identify & Protect

The IMO guidelines' "Protect" functional element includes technical measures to defend against identified threats. Authentication controls — including MFA — are explicitly listed as protection measures for systems identified as critical in the ship's cyber risk assessment. Shore-connected systems (VSAT terminals, data sharing platforms) require particular attention to authentication strength.

✅ MFA Compliance Checklist — Class Survey Readiness
✓ MFA on all remote access connections
✓ MFA on administrative/privileged accounts
✓ Individual accounts (no shared credentials)
✓ Factor type documented per system
✓ Phishing-resistant factor for critical systems
✓ Emergency access procedure without MFA delay
✓ Factor device lifecycle management process
✓ MFA bypass logs and alerts configured
PART 3

MFA Factor Types & Maritime Suitability

Not all MFA factor types are equally suitable for shipboard environments. SMS-based OTP (one-time password) requires cellular connectivity — unavailable at sea. Authenticator app TOTP requires a mobile device and works offline, but relies on time synchronisation that can drift. Hardware security keys (FIDO2/WebAuthn) are phishing-resistant, offline-capable, and fast — making them the preferred solution for maritime applications.

Factor Type Works Offline Phishing-Resistant OT Compatible Maritime Rating
FIDO2 Hardware Key✓ Yes✓ Yes✓ High⭐ Preferred
Smart Card / CAC✓ Yes✓ Yes~ Medium🟡 Suitable
TOTP Authenticator App✓ Yes*✗ No✓ High🟡 Acceptable
Push Notification (App)✗ No✗ No~ Partial🔴 Limited
SMS OTP✗ No✗ No✗ No🔴 Not Recommended
Biometric (Fingerprint)✓ Yes✓ Yes✗ Low*🟡 Supplementary

*TOTP apps require time sync — verify NTP is reliable onboard. Biometrics may degrade with dirty or wet hands in engine room environments.

MFA Deployment Zones — Shipboard Priority Matrix
P1 — Critical
All remote access (vendor, shore, SOC) · Privileged/admin accounts on navigation & propulsion systems
P2 — High
OT workstation logins (AMS, PMS, ECDIS admin) · Ship server and network device management
P3 — Medium
Crew IT network access · Cargo planning system logins · Fleet management portal access
PART 4

Maritime Implementation Constraints

OT Protocol Incompatibility

Many OT HMIs and workstations run Windows XP or embedded OS versions that do not support FIDO2, smart card, or modern MFA client software. Legacy authentication infrastructure in these systems may limit MFA to network-level enforcement at the PAM session gateway rather than native integration at the OT application layer.

No Cellular Connectivity at Sea

SMS OTP and push notification MFA require mobile network connectivity. At sea, no cellular signal is available. Any MFA implementation relying on these methods will fail beyond port limits. Shipboard MFA must be based on offline-capable factors: hardware keys, TOTP apps, or smart cards that operate independently of network connectivity.

Lost or Damaged Token at Sea

If a hardware token is lost, damaged, or accidentally left ashore, the affected crew member may be locked out of systems they need to operate. Unlike shore environments where IT can issue a replacement immediately, at sea there may be no spare token available. Maritime MFA deployments require a documented spare token management process, including backup tokens stored securely aboard each vessel.

High Crew Turnover

Maritime crew rotations create a continuous onboarding and offboarding cycle. MFA token issuance, enrolment, and revocation processes must be designed to handle crew changes at each port call — typically every 2–9 months. The shore-based IT team or vessel manager must have a defined process for provisioning and deprovisioning MFA factors that aligns with the crew change schedule.

Engine Room Environmental Factors

Engine room environments involve heat, vibration, noise, grease, and wet hands — conditions that impair biometric readers (fingerprint), touchscreen-based authentication, and can damage mobile device screens. Hardware keys with physical button activation (USB-A or NFC) are more reliable than biometric or touchscreen-dependent factors in machinery space environments.

PART 5

Trends & Market Developments

🔑
FIDO2 Becoming Maritime Standard

FIDO2/WebAuthn hardware security keys are emerging as the maritime MFA standard of choice among leading shipowners. They work offline, are phishing-resistant, fast (<1 second authentication), and require no backend identity provider connectivity for local system access. DNV and Lloyd's Register have both indicated FIDO2 as an accepted strong authentication mechanism in their cyber notation guidance.

🧬
Seaman's Book as Identity Anchor

Emerging concepts in maritime identity management use the seafarer's digital identity — linked to STCW certificates, flag state documents, and crew management systems — as the identity anchor for MFA. Instead of managing separate IT credentials for each vessel, the seafarer's professional digital identity is used to issue MFA credentials, reducing enrolment friction during crew changes.

🌍
Zero Trust Network Access (ZTNA)

ZTNA extends MFA principles to every access request — not just the initial login. Continuous verification of identity, device health, and access context replaces the traditional VPN model. Maritime ZTNA is gaining traction for shore-to-ship connections, where it provides stronger access control than legacy VPN while enabling granular, per-application access rather than full network access.

🤖
Adaptive MFA with Risk-Based Step-Up

Adaptive MFA adjusts authentication requirements based on risk context — requiring only a hardware key for routine access from a known device, but demanding additional factors if access is attempted from an unusual location, at an unusual time, or to a high-risk system. For ships, risk signals might include: remote access origin, time of day relative to port vs sea, and the sensitivity of the target system being accessed.

🎯 Key Takeaways
01

MFA eliminates the single greatest vulnerability in shipboard access control — password-only authentication. Given that over 80% of maritime cyber incidents involve stolen or reused credentials, MFA is the highest-value, lowest-complexity security improvement most vessel operators can deploy.

02

FIDO2 hardware keys are the preferred maritime MFA factor. They satisfy offline operation, phishing resistance, speed, and durability requirements simultaneously. SMS OTP and push notification MFA are not viable at sea and should not be selected as the primary factor for shipboard deployments.

03

Spare token management is not optional. Every vessel should carry spare enrolled hardware keys for each critical role. The crew change process must include MFA token handover as a mandatory step — as routine as handover of bridge watch responsibilities.

04

Deploy MFA for remote access first. Shore-to-ship connections are the highest-risk access pathway and the most straightforward scope for initial MFA deployment — they can be controlled at the network boundary without requiring legacy OT system integration.

ShipPaulJobs
ShipPaulJobs Team ✓ Verified
Maritime Cybersecurity Editorial Team — Identity & Access Security

Continue the Ship Solutions series with Network Security — Maritime OT/IT Firewall, IDS, and NDR deep-dives.

⚓ Join the ShipPaulJobs Community

Join →
Share

Comments