Are Passwords a Thing of the Past? Getting Ahead of Credential Stuffing Attacks
Password management has always been a significant challenge for IT organizations trying to balance user experience and security. Users complain about having to remember complex passwords, and helpdesks get overwhelmed with password reset trouble tickets. Credential stuffing (the automated use of stolen usernames and passwords to gain access) is becoming a significant challenge for security teams as we wrote in our previous post. For as little as $500, cybercriminals can buy a database of stolen credentials and target multiple websites to gain access, knowing that some users reuse passwords.
With threats such as credential stuffing on the rise, and with FIDO’s effort to reduce the world’s reliance on passwords backed by heavyweights including Amazon, Google, and Microsoft, eliminating passwords is gaining momentum. Gartner analyst Ant Allan notes, “By 2022, Gartner predicts that 60% of large and global enterprises, and 90% of midsize enterprises, will implement passwordless methods in more than 50% of use cases — up from 5% in 2018.”
Alternatives to Passwords
Today, there are several passwordless options. Many of these alternatives provide better user experience and strong security.
Biometrics
Biometrics, the use of a physiological trait such as the eyes or a fingerprint, is a popular alternative to passwords because it is convenient and requires minimal effort. While ease of use is a massive advantage for biometrics, there are also disadvantages. One is that biometric identifiers can be stolen: for example, cybercriminals can scan a person’s Facebook photo and use it to gain access to an organization’s network. There are also privacy concerns, as biometrics collect personal information about an identifiable individual.
Push notification authentication
Another user-friendly alternative to passwords is push notification authentication. While typically combined with a password, push notification can also be used instead of one. Push notification authentication requires users to verify their identity using their mobile devices. When users register their accounts with an organization, they link their mobile devices to their user profiles. After that, when users try to log in to their account, they submit their username or ID. Next, instead of entering their password, they receive an access request notification on their mobile phone. Users approve the notification with a tap and gain immediate access. In addition to being easy to use, push notifications can also be more secure than other options such as SMS one-time passwords: one-time passwords sent via SMS are visible even on a locked phone. In comparison, with push notification authentication, the user’s device PIN code, face, or Touch ID provides an additional layer of protection.
There are disadvantages to push notification as well. If not properly managed, push notifications can hurt a company’s brand, as users come to view the notifications as annoying and intrusive. Push authentication security also varies with the application delivering the notification and the device running the app. Lastly, telecom carriers struggle with another attack called SIM swapping: the adversary impersonates the owner of the mobile number, calls the telecom carrier, and has the number moved to a SIM the attacker controls. A successful SIM swap provides the attacker with full access to the mobile device as if they were the victim: they can restore applications, receive push notifications, and more.
Smart card and PIN
The combination of a smart card and PIN is another alternative to passwords. Smart cards have the advantage of storing user identity information in a chip on the card. Without the proper card reader, cybercriminals are unable to steal user credentials. However, smart cards also have disadvantages: they’re easy to lose, and card readers carry an additional expense.
Multi-factor authentication
Multi-factor authentication, or MFA, is a system that uses two or more verification methods to authenticate logins and is often used to strengthen passwords. However, MFA can be an alternative to passwords when paired with another type of authentication, such as a biometric-enabled smart card, email, SMS, or tokens. The strength of MFA depends on the second type of authentication. For example, email MFA can be hacked through cloud servers, and SIM swapping applies to SMS-based MFA as well.
User behavior will fuel passwordless authentication
Increasingly, access is determined by context: where and when a user logs in, as well as the device and apps used. According to Michael Covington, VP of Product at Wandera, in his article in Forbes, “In 2020, context will be king in the world of authentication. This shift in authentication will change the need for passwords.”
UEBA, or user and entity behavior analytics, uses machine analytics and deep learning to capture contextual user information. By establishing a baseline of a user’s typical behavior, UEBA solutions can identify abnormal behavior that may indicate a threat.
Exabeam’s UEBA solution can detect identity-based threats for both password and passwordless approaches. Exabeam UEBA ingests user authentication events and rich identity context via API integration with third-party identity and access management (IAM) solutions. These IAM solutions use different authentication technologies, including LDAP, CAC (for smart cards), MFA (including passwordless MFA), and SAML for SSO.
Exabeam analyzes identity logs and adds meaningful context to enable the detection of suspicious login activities. Exabeam tracks normal and abnormal user behavior such as account switching, remote logins, database logins, and administrative asset logins, and assigns a dynamic risk score. If abnormal behavior is detected, security teams can take immediate action via fully or partially automated playbooks.
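As an added illustration of the baseline-and-deviation idea behind context-driven UEBA scoring described above (this is example code written for this page, not Exabeam’s product logic): a toy scorer learns a user’s usual countries, devices and login hours from past authentication events, assigns a risk score to new logins, and surfaces those that cross a threshold for a playbook. The event format, the weights and the threshold are assumptions made for this example; the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime

ALERT_THRESHOLD = 50  # assumed cut-off; a real UEBA product tunes this per deployment

# Constructed sample authentication events: (user, ISO timestamp, country, device, method)
BASELINE_EVENTS = [
    ("alice", "2020-01-06T08:55:00", "US", "laptop-01", "push"),
    ("alice", "2020-01-07T09:10:00", "US", "laptop-01", "push"),
    ("alice", "2020-01-09T17:30:00", "US", "phone-07", "push"),
]
NEW_EVENTS = [
    ("alice", "2020-01-13T09:02:00", "US", "laptop-01", "push"),       # routine login
    ("alice", "2020-01-14T03:15:00", "RO", "unknown-9f", "password"),  # out of pattern
]


def build_baseline(events):
    """Record the countries, devices and login hours each user has been seen with."""
    baseline = defaultdict(lambda: {"countries": set(), "devices": set(), "hours": set()})
    for user, ts, country, device, _method in events:
        baseline[user]["countries"].add(country)
        baseline[user]["devices"].add(device)
        baseline[user]["hours"].add(datetime.fromisoformat(ts).hour)
    return baseline


def score_event(baseline, event):
    """Return (risk score, reasons); each contextual deviation from the baseline adds points."""
    user, ts, country, device, method = event
    profile = baseline.get(user)
    if profile is None:
        return 40, ["user has no baseline yet"]
    score, reasons = 0, []
    if country not in profile["countries"]:
        score += 30
        reasons.append("new country %s" % country)
    if device not in profile["devices"]:
        score += 20
        reasons.append("new device %s" % device)
    hour = datetime.fromisoformat(ts).hour
    if all(abs(hour - h) > 2 for h in profile["hours"]):  # simple window, no midnight wrap
        score += 15
        reasons.append("unusual hour %02d:00" % hour)
    if method == "password":  # fell back to a password where the user normally goes passwordless
        score += 10
        reasons.append("password login instead of passwordless method")
    return score, reasons


def alerts(baseline, events):
    """Events scoring at or above the threshold, ready for a playbook to act on."""
    scored = [(e, *score_event(baseline, e)) for e in events]
    return [t for t in scored if t[1] >= ALERT_THRESHOLD]
```

Run `alerts(build_baseline(BASELINE_EVENTS), NEW_EVENTS)` to see only the 03:15 login from a new country and unknown device flagged, with the reasons that drove its score.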
With more than 80% of breaches related to stolen or weak passwords, it’s clear that passwordless options are here to stay. It’s not as evident that passwordless options will completely replace passwords. However, whether your organization deploys passwords, passwordless alternatives, or both — using UEBA and adding context helps you reduce identity-related breaches and stay ahead of the bad guys.