Mandatory MFA, Biometrics Make Headway in Middle East, Africa

Source: Ground Picture via Shutterstock

National governments and companies in the Middle East and Africa continue to push for more widely available digital identity systems to allow citizens to connect and authenticate to digital government services and commercial services.

In Morocco, the government issued more than 4.6 million electronic identity cards in 2024 and expanded its digital infrastructure with a trusted third-party authentication platform in an effort to offer new services and cut cybercrime rates. More than 7.2 million people are now enrolled in the United Arab Emirates’ official digital ID, known as UAE Pass, and can authenticate to websites. And the National Bank of Egypt has adopted a single sign-on infrastructure that will allow its employees to use a variety of authentication methods, and which will eventually be rolled out to its millions of customers.

The increasing use of multifactor authentication, especially efforts tied to smartphones or biometrics, have had success in the region because — in many cases — organizations have no technical debt to overcome, says Jim Sullivan, senior vice president of strategy and compliance at BIO-Key, which provided the technology for the National Bank of Egypt, as well as the largest bank in South Africa and the government of Nigeria.

“These are greenfield opportunities — it’s tremendous,” he says. “There’s national initiatives that are well funded that are really bringing more biometrics to the fore, more awareness of the power of this technology.”

Better authentication and the use of biometrics has taken off in the Middle East and Africa due to government concerns over cybercrime and fraud and international concerns over the lack of legal identities for more than 540 million people in the region. In Africa, cyber-risk is the No. 1 concern among businesses leaders, with 61% aiming to mitigate the threat in 2025, according to PwC’s “2025 Digital Trust Insights: South Africa and Africa” report. In the Middle East, cyber-risk has fallen to the second greatest concern, behind digital and technology risks and tied with inflation and macroeconomic volatility, with 42% of organizations making mitigation of the cyber risks a priority, according to PwC’s “2025 Digital Trust Insights: Middle East” report.

Despite that, only 19% of companies in Africa and 12% of companies in the Middle East are prioritizing investments in identity and access management (IAM) technologies, according to the PwC reports. Most companies are prioritizing the acquisition of data protection technologies, generative AI systems, and network security in the region, with the Middle East also prioritizing the addition of cyber insurance for the business.

Biometrics Embraced by Mideast, African Markets

A shift to biometrics, however, could change that. The significant reliance of smartphones for Internet access and digital transactions is leading many governments and organizations to adopt biometric-based identity systems and to use biometrics as a second factor of authentication for digital services.

Digital identity platforms, such as UAE Pass in the United Arab Emirates and Nafath in Saudi Arabia, integrate with existing fingerprint and facial-recognition systems and can reduce the reliance on passwords, says Chris Murphy, a managing director with the cybersecurity practice at FTI Consulting in Dubai.

“With mobile devices serving as the primary gateway to digital services, smartphone-based biometric authentication is the most widely used method in public and private sectors,” he says. “Some countries, such as the UAE and Saudi Arabia, are early adopters of passwordless authentication, leveraging AI-based facial recognition and behavioral analytics for seamless and secure identity verification.”

African nations have also rolled out national identity cards based on biometrics. In South Africa, for example, customers can walk into a bank and open an account by using their fingerprint and linking it to the national ID database, which acts as the root of trust, says BIO-Key’s Sullivan.

“After they verify that that person is who they say they are with the Home Affairs Ministry, they can store that fingerprint [in the system],” he says. “From then on, anytime they want to authenticate that user, they just touch a finger. They’ve just now started rolling out the ability to do that without even presenting your card for subsequent business.”

An Easy Upgrade Path

While the links to national identity systems means biometrics make sense, companies do not need to jump feet first into biometric-based authentication, BIO-Key’s Sullivan says. In many cases, enterprise customers start with a single sign-on system that then transitions to biometrics for identity or as a second factor.

“The use case is typically one where you have users that are moving around, and you don’t want them to carry a phone or a token — finance, retail point-of-sale, banking, and manufacturing, where you have workforces that are roving around a manufacturing shop floor,” he says. “We have to accommodate the fact that a lot of companies still use traditional technologies and don’t want to just make a big-bang switch, so we we allow them to sort of start with what they’re doing now … [and] as they start to see the power of having a biometric option, they can evolve to that.”

The push for stronger authentication is not limited to the Middle East and Africa. Worldwide, Microsoft sees 600 million identity attacks per day, of which 99.9% could be blocked with strong identity protections, such as multifactor authentication. Yet adoption has been slow: At the beginning of 2023, for example, Microsoft found that only 28% of the company’s Azure Active Directory customers had turned on strong identity protections, up from 22% in 2022. Starting in February, the company will require MFA for all user accounts accessing the Microsoft 365 admin center, according to the company.

Saudi Arabia has established strong identity standards through its National Cybersecurity Authority’s Essential Cybersecurity Controls (ECC-1:2018), while the UAE has implemented similar requirements through the Information Assurance Regulation (IAR), FTI Consulting’s Murphy says.

Next up: AI-augmented identity platforms, he says. AI-driven authentication solutions, including liveness detection and real-time facial recognition, will likely be part of the mix.

“As digital identity ecosystems expand,” Murphy says, “AI-based authentication and real-time identity verification will become critical components of cybersecurity, ensuring both security and usability across industries.”

About the Author

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.