8 minute read
THE PASSWORD PROBLEM – reason for majority of cyber attacks
// Arimo Koivisto
How much do you love your passwords?
Advertisement
How many passwords do you have and are you sure you do not reuse the same password in several accounts? How do you securely store all those passwords and how often do you update them? How do you avoid phishing and frauds which aim to steal your password and username?
Passwords truly are problematic for many reasons. They are painful to use, and they do not offer sufficient security. This is a significant problem; According to the Verizon Data Breach Investigations Report, over 70% of employees reuse passwords at work and 81% of all data breaches are successful because attackers can leverage stolen or weak passwords. This typically allows attackers to breach the system or inject ransomware etc. Passwords are a 60-year-old invention.
Phishing attacks are something we are all familiar with. They are more and more sophisticated and as consumers and organisations we must protect ourselves from these attacks. Typically, we must be extremely careful when login into a service and take extra efforts to maintain password security. This requires effort to train people to be careful with their passwords and logins.
Passwords are painful to use and typical second factor code like SMS code makes the login process even more compilated. This is called legacy Multi Factor Authentication (MFA), which relies on two different passwords, the main password and second one-time-password (OTP) like the one you receive by SMS. Many organisations have deployed legacy MFA which is a good first step.
There are already many attack methods against passwords and OTPs. Many banks suffer phishing attacks where attackers try to steal both bank customer´s passwords and OTPs via false login windows. Also, Microsoft accounts are very popular among cyber criminals, and they try to make you login to false Microsoft services to steal your credentials.
Several global data breaches and ransomware attacks were successful because of passwords. The list is very long: Solarwinds, Twitter, Marriot, Colonial Pipeline, Zoom etc. Also, we cannot forget how many consumer services and their user information has been stolen, the main stolen information is user credentials and credit card details. During 2020 more than 20bn credentials have been stolen and many of them end up on the darkweb for sale.
Cybersecurity might already be at the agenda of the boards and executives, and the easiest way to protect company infrastructure and data is to take better care of user identities and login credentials. Given the number of breaches in the news today where passwords were at the root of the problem, many companies are now exploring the benefits of a secure passwordless future. Secure passwordless logins not only bring cost efficiencies and a more frictionless user login experience into the organization but deliver the security that is necessary in the post-pandemic world, when many millions of workers may continue working remotely. Deploying VPNs and virus protection is just not enough anymore. Especially business critical cloud applications hosted by third party service providers are important to protect with passwordless authentication.
Passwordless solution – the FIDO approach
Phishing attacks are successful since passwords are something which can be stolen. In passwordless approach the password is replaced with an asymmetric public private key encryption (PKI), and typically biometrics like user fingerprint or faceID. This makes phishing and other kind of Man-In-The-Middle attacks useless. Passwordless solutions are also very efficient when combating against ransomware attacks.
Passwordless solutions are promoted by FIDO Alliance, fidoalliance.org, which is an open industry association with a focused mission: the authentication standards used to help reduce the world´s over-reliance on passwords. FIDO Alliance have created open technology standards which the biggest technology companies like Microsoft, Google, and Apple support. This means FIDO is and will be an industry standard globally for secure authentication.
Passwordless has several major benefits:
1 It eliminates phishing attacks, and it enables users to login much easier way. The traditional password is a shared secret known by the user and the service. In FIDO approach this is replaced with asymmetric cryptography (PKI) which makes phishing impossible.
2 Also, when combining this cryptography with biometrics we have an easy to use and phishing resistant “password” which you do not have to store in your mind, update frequently, be worried if end up stolen. 99,9% of all attacks against user accounts can be eliminated.
3 Passwordless login also saves workforce time since login is 2/3 faster than with legacy methods. Typically, people use 24-48hrs in a year with just passwords logins.
4 Passwordless reduces IT-support cost significantly. 20-50% of the IT-support costs are due to passwords in those organisations who do not use self-services for the purpose.
Lots of security and usability benefits.
In passwordless solutions login into computers or applications will happen typically with a security key or mobile phone. Both approaches support biometric recognition, and this is the future of authentication. FIDO alliance and all alliance members predictive passwords will finally be replaced during the 21st century. The change has now started in many organisations.
Adaptation of passwordless and FIDO standards
Microsoft has finalised early 2021 extensive support for passwordless login for all Microsoft cloud users. Many passwordless technologies are Microsoft certified and compliant with Microsoft Azure ecosystem. A FIDO security key is a physical USB or NFC device typically with a fingerprint reader. You can carry it easily in your normal keyring. In Microsoft passwordless environment, FIDO key is your “password” and you do not have to ever again renew, remember passwords, or use separate authenticators etc when logging into Microsoft Windows laptop or other MS resources. This is a typical scenario for passwordless usage. Mobile phones can also work as security keys and users can login to computers and applications with mobile facial recognition.
Since 2017, when Google introduced cryptographic FIDO security keys to their 85 000 employee accounts the phishing in the company neutralised. Since then, none of Google´s employees have reported any account take over. Another great example of FIDOs security approach.
Enterprises and organisations use a lot of money and resources on monitoring user identities and login attempts. With FIDOs approach many risks can be eliminated and create cost efficiency also at the monitoring side. Passwordless is a proactive security method, you eliminate certain significant risks completely.
Passwordless authentication is also Zero Trust Architecture compliant solution, which means users are always verified in a strong way. FIDO technology also meets PSD2 requirements, which is the European Union Payment Services Directive, and many banks are also implementing FIDO to meet future requirements. FIDO’s approach ensures Secure Customer Authentication (SCA), which is the next target for banks in EU.
Another FIDO example from the Finance sector is Bank of America which started implementing FIDO for example to their workforce. Also, Mastercard has created FIDO technology-based card-less consumer payment solutions in the US. All this means they do not have to worry about stolen credentials anymore like with traditional credit cards.
In Finland and may other countries we see on a weekly basis different kinds of phishing attacks where attackers try to steal consumers´ web bank credentials with false login windows. All banks who rely on shared secrets like passwords and one-time-passwords are still under these attacks and in risk. Only passwordless approach can stop this kind of security problems.
Rakuten is a Japanese internet giant and part of their digital transformation is that they are targeting to eliminate passwords from all their workforce and customers. This huge project will take 4 years.
Many major leading organisations are already moving towards passwordless and all major technology vendors support FIDO approach. The change towards passwordless approach is happening as we speak.
Summary
Passwordless is one of the main trends in common cyber security area in the following years since the password problem is well known. Passwordless authentication, by its nature, eliminates the problem of using weak passwords. It also offers benefits to users and organisations. For users, it removes the need to remember or type passwords, leading to better user experience and customer experience. For organisations, there’s no longer a need to store passwords, leading to better security, fewer breaches, and lower support costs.
Future is soon hopefully fully passwordless and organisations should start implementing very soon passwordless as a key factor of their security and digitalisation strategy. �
ARIMO KOIVISTO
� Entrepreneur, Cipherpunks Oy � Arimo Koivisto is a long-term security and digitalization professional working as entrepreneur at Cipherpunks Oy. He has been working with security issues of over 20 years in different companies and Finnish Defence Forces, and has great experience from international cybersecurity and digitalization markets and actors. Koivisto has understanding and expertism both national security and enterprise level cybersecurity issues, threats, and solutions.
https://fidoalliance.org Verizon Data Breach Investigations Report 2018 https://aka.ms/dbir2018 Microsoft security blog 2019 https://www.microsoft.com/security/blog/2019/08/20/one-simple-action-you-can-take-to-prevent-99-9-percent-of-account-attacks/ Microsoft Tech Community 2019 https://techcommunity.microsoft.com/t5/azure-active-directory-identity/your-pa-word-doesn-t-matter/ba-p/731984 Hypr corporation 2021 https://hypr.com
