Passwords are the most common type of account authentication. We use them to log into almost every app, website, and device. Unfortunately, they are also the weakest link in cybersecurity. Recent attacks at Cisco Talos, Twilio, and Cloudflare have all shown that basic account authentication is failing to keep the hackers out.
Passwords are a pain
Passwords have been a pain point for many IT departments since their inception, and each year 20% to 50% of all IT helpdesk tickets are for password resets (Gartner). That is time that could otherwise be spent on new IT initiatives. Due to password fatigue, users often choose weak passwords. They also often reuse or only slightly modify old passwords for different accounts (Duo). A 2018 Virginia Tech academic research paper found password reuse was observed among 52% of all users. Many people use the same password for multiple accounts and are susceptible to phishing attacks or credential-harvesting methods like keylogging, which means that one password might be all a hacker needs to access your bank account, credit cards, email account, and more.
What about 2FA/MFA?
Multi-factor or two-factor authentication is an important step toward improving the security of your data. Authentication methods such as security codes and passwords alone are not enough to provide sufficient protection. Hackers are also coming up with novel ways to trick users into revealing authentication codes sent over SMS text message.
For example, communications giant Twilio confirmed hackers accessed customer data after successfully tricking employees into handing over their corporate login credentials. The attack used SMS phishing messages that purported to come from Twilio’s IT department, suggesting that the employees’ password had expired or that their schedule had changed, and advised the target to log in using a spoofed web address that the attacker controlled. Cisco’s research arm, Talos, was breached via a hacker accessing a user’s Google account after extracting the user’s credentials from their web browser. This is the main reason for users not to store passwords in a browser and to opt for an enterprise-wide password manager instead.
Google go a step further
Google announced that it has added an additional layer to enhance security on its Workspace accounts. Disabling two-step verification, allowing an app to access Google data, changing the account recovery e-mail address or phone number, downloading account data, and changing the name on the account make up the list of “sensitive actions” identified by Google. Google’s Workspace accounts now feature a “Verify it’s You” prompt to address suspicious account activity. Users are now required to provide an additional verification factor, such as a hardware-based or text-based multi-factor authentication (MFA) prompt, to ensure that a requested action is legitimate and warranted.
Passwordless is the future of authentication
Passwordless authentication establishes a strong assurance of a user’s identity without relying on passwords, allowing users to authenticate using biometrics, security keys or a mobile device. Our authentication partner Duo is innovating toward a passwordless future that balances usability with stronger authentication. Passwordless gives users a frictionless login experience while reducing administrative burden and overall security risks for the enterprise.
Recently, Cloudflare, the web security company, announced that even though a hacker had gained entry to a user’s device, they failed to steal any important data because its employees need a FIDO key to access business-critical applications like the network VPN (virtual private network). FIDO U2F is an open authentication standard that enables internet users to securely access any number of online services with one single security key (a USB key device) instantly, with no drivers or client software needed.
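The reason a FIDO key holds up where SMS codes fail is that the credential is bound to the site it was registered on: the browser writes the real origin into the signed client data, refuses to use a credential for a relying-party ID that does not match that origin, and the server checks origin, challenge and rpIdHash before trusting the signature. The example below is added here to make that flow concrete and is not code from Cloudflare, Duo or the FIDO Alliance. It assumes a hypothetical relying party `example.com` and, so that it runs on the Python standard library alone, stands in an HMAC secret for the ECDSA key pair a real security key would use; the data layout and the server-side checks follow the WebAuthn assertion format.

```python
import base64
import hashlib
import hmac
import json
import os

# Hypothetical relying party used throughout this example (assumption, not from the article).
RP_ID = "example.com"
EXPECTED_ORIGIN = "https://example.com"


def rp_id_hash(rp_id: str) -> bytes:
    """SHA-256 of the relying-party ID, the first 32 bytes of WebAuthn authenticator data."""
    return hashlib.sha256(rp_id.encode()).digest()


class ToySecurityKey:
    """Stand-in for a FIDO security key. A real key signs with a per-site ECDSA P-256
    private key; here each credential holds an HMAC secret instead (labelled simplification)."""

    def __init__(self):
        self._credentials = {}
        self._counter = 0

    def make_credential(self, rp_id: str):
        cred_id, key = os.urandom(16), os.urandom(32)
        self._credentials[cred_id] = (rp_id, key)
        return cred_id, key  # the server stores `key` as this credential's verification key

    def get_assertion(self, cred_id: bytes, rp_id: str, client_data: bytes):
        stored_rp_id, key = self._credentials[cred_id]
        if stored_rp_id != rp_id:
            raise KeyError("credential is scoped to a different rpId")
        self._counter += 1
        flags = b"\x01"  # user-presence bit: the key was physically touched
        auth_data = rp_id_hash(rp_id) + flags + self._counter.to_bytes(4, "big")
        signed_bytes = auth_data + hashlib.sha256(client_data).digest()
        return auth_data, hmac.new(key, signed_bytes, hashlib.sha256).digest()


def browser_get(key, cred_id: bytes, origin: str, rp_id: str, challenge: str):
    """Model of navigator.credentials.get(): the browser, not the page, records the origin
    and rejects an rpId that is not the origin's host or a registrable suffix of it."""
    host = origin.split("://", 1)[1].split("/", 1)[0]
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError(f"rpId {rp_id!r} not allowed for origin {origin!r}")
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin}, sort_keys=True
    ).encode()
    auth_data, signature = key.get_assertion(cred_id, rp_id, client_data)
    return client_data, auth_data, signature


def new_challenge() -> str:
    return base64.urlsafe_b64encode(os.urandom(32)).rstrip(b"=").decode()


def verify_assertion(cred_key, expected_challenge, client_data, auth_data, signature, last_counter=0):
    """Server-side checks a relying party performs on a login assertion. Returns (ok, reason)."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch"  # stale or replayed assertion
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch"  # produced on another site, e.g. a lookalike phishing page
    if auth_data[:32] != rp_id_hash(RP_ID):
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence not asserted"
    if int.from_bytes(auth_data[33:37], "big") <= last_counter:
        return False, "signature counter did not increase"  # possible cloned authenticator
    signed_bytes = auth_data + hashlib.sha256(client_data).digest()
    expected = hmac.new(cred_key, signed_bytes, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    return True, "ok"


def run_scenarios():
    """Legitimate login, a lookalike page relaying the real challenge, and a replayed assertion."""
    key = ToySecurityKey()
    cred_id, cred_key = key.make_credential(RP_ID)
    results = {}

    # 1. Legitimate login on the real origin.
    challenge = new_challenge()
    good = browser_get(key, cred_id, EXPECTED_ORIGIN, RP_ID, challenge)
    results["legitimate"] = verify_assertion(cred_key, challenge, *good)

    # 2. A lookalike page (constructed origin) asks for the real site's credential: browser refuses.
    phish_origin = "https://example-com.attacker.test"
    try:
        browser_get(key, cred_id, phish_origin, RP_ID, new_challenge())
        results["phishing_browser_check"] = "allowed"
    except PermissionError:
        results["phishing_browser_check"] = "blocked"

    # 3. Even with that browser check bypassed, the signed origin gives the relay away.
    challenge = new_challenge()
    forged_cd = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": phish_origin}, sort_keys=True
    ).encode()
    ad, sig = key.get_assertion(cred_id, RP_ID, forged_cd)
    results["phishing_server_check"] = verify_assertion(cred_key, challenge, forged_cd, ad, sig)

    # 4. Replaying the assertion from step 1 against a fresh challenge also fails.
    results["replay"] = verify_assertion(cred_key, new_challenge(), *good)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

Contrast this with an SMS code: nothing in a six-digit code says which site it was meant for, so a relay page can forward it to the real service unchanged. Here the origin and challenge are inside the signed bytes, so the relay is detected at the browser (step 2) and, as a second layer, at the server (steps 3 and 4).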
Password vulnerabilities may be the writing on the wall for your organisation’s security. Passwords are the weak link between your security policies and your employees’ online identities, and hackers know it. That is why social engineering (i.e., phishing) is one of the most popular hacking techniques. Time is running out for passwords, and MFA code generators could be next. Now is the time to start testing new passwordless technology to firm up your organisation’s security controls and stay ahead of hackers.