NCSC taps influencers to make 2FA go viral
- Reference: 1742986813
- News link: https://www.theregister.co.uk/2025/03/26/ncsc_influencers_2fa/
It's the latest effort to improve the nation's cyber resilience as part of the Stop! Think Fraud campaign launched in February 2024 under Rishi Sunak's government, drafting in comedic sketch artists and Instagram personal finance gurus to promote wider uptake of security technologies.
In one [1]video posted by comedy skit account thesquidvids in their typical style, the three social media stars satirize all the hack tropes that TV shows and movies have exhausted over the years.
In the form of a movie password-hacking sequence, they talk about breaking down a firewall and "obscuring the mainframe using a trojan horse," re-reversing the polarity by "dropping a logic bomb," and successfully "copying the [3]blockchain."
The skit all plays out with colorful code floating around a TV as if done using a crude [6]PowerPoint presentation in the background, all against a backing track of Mission Impossible-esque action-thriller music to really give it that Hollywood-style urgency.
The social media comics then correctly guess an account password (BulldogSlapheadJalfrezi47?), which follows the NCSC's recommended Three Random Words guidance and adds a number and a special character, but find themselves stumped when [7]2FA kicks in to protect the account.
"What, so there's literally nothing we can do?" said one accomplice to the ringleader.
"Nope," he responded. "As long as he's got two-step verification we're not getting any further, I don't think."
"Fair enough. I guess that's the end of the film really."
The [10]video from edjonesuk sees a team of criminals ("Masters of Mayhem") trying to console their distraught colleague who hasn't "done any frauds" because 2FA keeps getting in the way.
Millennialmoneyuk's [11]version is much drier and simply talks about the dangers of not enabling strong account protections.
The NCSC's efforts to promote cybersecurity and the various ways organizations and consumers can improve their defenses against cyberattacks have previously involved blog posts, podcasts, working with news organizations, and updating their own social media feeds.
[12]The post-quantum cryptography apocalypse will be televised in 10 years, says UK's NCSC
[13]UK industry leaders unleash hurricane-grade scale for cyberattacks
[14]Spending watchdog blasts UK govt over sloth-like progress to shore up IT defenses
[15]Severity of the risk facing the UK is widely underestimated, NCSC annual review warns
An NCSC spokesperson told The Register that the latest push to use influencers was to help amplify the pro-2FA message to wider audiences.
"To boost public awareness about the crucial benefits of enabling two-step verification on their most important accounts, we've partnered with popular social media influencers to amplify this vital message and encourage a wider audience to adopt secure online habits," they said.
The latest round of influencer engagement marks the NCSC's second foray into this type of marketing. It previously used personal finance, family, and comedy influencers in November to spread the not-so-festive cheer about Christmas scams.
We also asked the NCSC how much these influencers were paid for their time; alas, it didn't respond.
The NCSC supports the Stop! Think Fraud campaign along with Action Fraud, the UK's cybercrime reporting organization, and the National Crime Agency (NCA), the UK's law enforcement agency for serious and organized crime.
At its launch last year, Stop! Think Fraud was billed as a "ground-breaking step forward" in the fight against fraud, a crime that former security minister Tom Tugendhat said "ruins lives."
The campaign was created to reach a mass audience and is supported by various industries including tech, finance, and retail, as well as victim care agencies and consumer groups. ®
[1] http://www.instagram.com/reel/DHkzRBTMvVX/
[3] https://www.theregister.com/2024/03/19/crypto_wallet_providers_urged_to/
[6] https://www.theregister.com/2025/02/25/adsupported_microsoft_office/
[7] https://www.theregister.com/2024/01/11/mandiant_x_account_brute_forced/
[10] https://www.instagram.com/reel/DHd2ZstorT6/
[11] https://www.instagram.com/p/DHYWjkzqetp/
[12] https://www.theregister.com/2025/03/20/ncsc_post_quantum_cryptogrpahy/
[13] https://www.theregister.com/2025/02/07/uk_cyber_monitoring_centre/
[14] https://www.theregister.com/2025/01/29/nao_blasts_uk_gov_cyber/
[15] https://www.theregister.com/2024/12/03/ncsc_annual_review/
Good to see being promoted but only way it will really change to a large scale is if the websites enforce it, rather than make it optional. And if they're changing things then why not implement passkeys and push people towards those...
Nah, asymmetric public / private keys are the better solution.
Reaching for your stupid mobile just to log in is tedious and masks the real problem... You keep having to "log in".
Imagine you instead simply upload your public key to sites as you create an account. Never need to log in again. Web browsers could make this even more simple by acting as an agent for your private key.
Public-private key authentication
Well, in that case, I have good news for you - this is exactly how WebAuthn works! Whether it's the 2nd factor or the only factor depends on the website, and depending on your platform you might be using a physical security key or (as you suggested!) a platform authenticator like a phone, OS or browser, but in any case, the website just gets a public key and you use your private key to log in, sometimes with as little as a fingerprint scan (again, depending on your desired security level).
Unfortunately, I'm never going to trust anything touted by an "influencer"
But you're not the target audience, so jog on.
It's 2025 ....
ISO standard for password complexity ?
Of course not. So everyone+dog has their own idea of what is acceptable.
ISO standard for MFA implementation ?
(Spits coffee out) Are you kidding ? We need another century on that.
This is better than nothing. But that's only because we literally have nothing to compare it to.
Different messages from each government department
National Cyber Security Centre (NCSC) --> Promotes cyber security and recommended use of E2EE.
MI5 and UK Plod --> We want backdoors into everything, including E2EE (and you can trust us to only go after terrorists and paedophiles, even though the Regulation of Investigatory Powers Act was used simply to catch people not picking up their dog's shit, as reported by El Reg many moons ago)
Nice way of talking about boring subjects, and on top of that, the first video is really funny!
The only way it could get better is having [1]two people working in tandem on a single keyboard for extra speediness
[1] https://youtu.be/kl6rsi7BEtk?si=hEyZVsXlvzU5TS6O