When will we get rid of passwords?

Issue 2 2021 Cyber Security

Passwords are inconvenient and create numerous security vulnerabilities, so why can’t we just replace them? The short answer is that there’s no better method. Yet.

Companies are beholden to their users and while most users claim to value security over convenience, their actions speak otherwise. As a case in point, research conducted by Google suggested that even when users have experienced their accounts being taken over, fewer than 10% will adopt multifactor authentication (MFA) because of the associated complexity and friction.

All authentication is a balance of usability, security and deployability. To replace passwords, a new solution must equal passwords on all three fronts and exceed them on at least one. Trading off one set of advantages for another will not be enough to incentivise both organisations and users to switch. So, what can we do today to ease the password-driven bottlenecks and edge ever closer to friction-free nirvana?

A better MFA

A hypothetical solution to our maximisation problem is invisible multifactor authentication (iMFA). Unlike the MFA solutions of today, which typically rely on a password combined with an SMS or one-time password via email or a physical token, iMFA would rely on factors that are invisible to the user. Specifically, it would collect and process the maximum number of effort-free signals. Let’s break that down.

Maximum number. Web authentication is converging on a non-binary authentication model where all available information is considered for each transaction on a best-effort basis. All of the context of a user’s interaction with a website can be used to grant the best visibility into a user’s risk profile.

Effort-free signal collection and processing. Security should be provided on the backend so it doesn’t impede customers. By providing security without customer impact, companies can mitigate threats at minimal cost without introducing friction and upsetting users. For example, most email providers have settled for approaches that classify mail based on known patterns of attacker behaviour. These defences are not free or easy to implement, with large web operators often devoting significant resources towards keeping pace with abuse as it evolves. Yet, this cost is typically far less than any approach requiring users to change behaviour.

iMFA could be implemented with a combination of tools like WebAuthn and behavioural signals. The credential storage and user verification can be securely provided by WebAuthn and the continuous authorisation can be augmented with behavioural signals. The traditional MFA factors  ‘something you know,’ ‘have’ and ‘are’ - come from WebAuthn. And the newest factor, ‘something you do,’ comes from behavioural signals, including new types of biometrics.

Further, generating this variety of signals requires just a single gesture from the user, which is far less effort than entering a password. By combining these methods and constantly re-computing trust through machine learning, we can achieve the rare simultaneous outcome of increased security with decreased user friction.

An interim solution

But iMFA cannot replace passwords overnight. Change-resistant users will need a gradual transition. Websites will still have to incorporate a solution like WebAuthn into their authentication protocols. Without pressing urgency from a specific security threat, many sites will likely take their time adopting this standard. Furthermore, the integration process for a behemoth like Amazon could be extremely complicated, which is likely why there has been initial support from browser companies but not from e-commerce companies or social media sites.

If adoption of a new method will take years, what should businesses do in the meantime? Outlast the attackers by denying them their most precious resource: time. Attackers conducting credential stuffing are usually financially motivated and don’t have infinite capital. If an organisation can significantly increase the time it takes them to monetise their attacks, most cybercriminals will abandon the pursuit in favour of weaker targets.

Introducing more time into the credential stuffing kill chain

A good first step is to make credential spills more difficult to decode. It might seem obvious, but every company needs to upgrade their password security methods. If passwords are being hashed with MD5, organisations need to upgrade to something more secure like bcrypt. This would ensure that when an attacker manages to breach their database, it will take a reasonable amount of time for attackers to crack the compromised credentials before they can even launch an attack.

Organisations should also explore how they can force attackers to develop unique attacks for each target. Suppose a sophisticated attacker has stolen 100 000 decrypted credentials that they are fairly confident no one else has access to, at least for the moment. The attacker knows that 100 000 fresh credentials should lead to, on average, around 1000 account takeovers on a large website.

Now, for such a sophisticated attacker, taking over 1000 retail accounts might not be worth the several weeks of time it would take to develop, test, launch and monetise the attack. However, it would be worth their time to attack multiple targets simultaneously, breaking into tens of thousands of accounts at once. The key would be to find companies that could be attacked using the same software - in other words, targets with similar infrastructure.

As a result, this attacker targets not just one company, but several simultaneously - in this case, a retailer, bank, social media company and ride-hailing mobile app. They have developed an attack that targets the Android version of mobile apps that have been built on the same framework. Their attack is very sophisticated, not re-using any resource more than twice, evading any rate-limiting measure the targeted company has implemented. Yet, while the attacker was too sophisticated to re-use something like an IP address when attacking a single target, they didn’t think they would be caught recycling resources across different targets.

We know this is how attackers think because this exact situation occurred in 2018 to four of Shape’s customers. Because they all operated on a shared defence platform, an attack on one of them was, in effect, an attack on all of them. Because the attacker recycled resources and behavioural patterns across all four companies within a very short time period, Shape was able to very quickly gather enough data to identify the attack. Thus, bundling the attacks actually worked to the attacker’s disadvantage, but only because intelligence was shared across different targets.

Don’t give up

It is impossible to detect 100% of attacks instantaneously 100% of the time. What is possible is to make attacks so costly that attackers give up quickly or even try again. Cybercrime is a business, attacks are organised based on a predictable rate of return. If there is one thing that holds true across the worlds of cybercriminals and businesspeople, it is that time is money.




Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

Dahua’s cybersecurity approach
CCTV Handbook 2021, Dahua Technology South Africa , Cyber Security
The world is getting smarter and everything is going to have an online ID and then connect into a vast network of IoT devices, like a laptop computer, a mobile phone, a connected thermostat and more.

Read more...
Dahua Technology’s cybersecurity approach
Issue 3 2021, Dahua Technology South Africa , CCTV, Surveillance & Remote Monitoring, Cyber Security
With a mindset that emphasises cybersecurity and all the resources it can allocate to establish, carry out and strengthen its cybersecurity approach, Dahua plans to stay positive, open, responsible and constantly improving its cybersecurity.

Read more...
SASE-enriched threat protection
Issue 3 2021 , Cyber Security
MVISION XDR automates security investigation and response processes with actionable threat insights harnessed from deeply integrated cloud data sources, with the ability to proactively stop targeted attacks.

Read more...
Active Adversary Playbook 2021
Issue 3 2021 , Cyber Security
Sophos has released its Active Adversary Playbook 2021, detailing cyber-attacker behaviours and the tools, techniques and procedures Sophos’ frontline threat hunters and incident responders saw in the wild.

Read more...
Passwords are 60, time for them to go
Issue 3 2021 , Access Control & Identity Management, Cyber Security
It has been 60 years since passwords were first used at MIT and if the number of breaches in the news are anything to go by, we are no more adept at managing our passwords than we were in 1961.

Read more...
Top 10 security misperceptions
Issue 3 2021 , Cyber Security, Security Services & Risk Management
The Sophos Rapid Response team has compiled a list of the most commonly held security misperceptions they’ve encountered in the last 12 months while neutralising and investigating cyberattacks in a wide range of organisations.

Read more...
Surveillance business models are changing
CCTV Handbook 2021, Technews Publishing, Eagle Eye Networks, Bosch Building Technologies, Dahua Technology South Africa, Genetec , Editor's Choice, CCTV, Surveillance & Remote Monitoring, Cyber Security, Integrated Solutions, IT infrastructure
The CCTV Handbook round table highlighted the changes that are happening in the surveillance and security world in general, from cloud to costing models and of course, cybersecurity.

Read more...
Building walls is not enough
Issue 3 2021, Vox , Cyber Security
Cybersecurity: businesses are still building walls to defend against nuclear attacks.

Read more...
VMware releases 2021 Global Security Insights Report
Issue 3 2021 , Cyber Security
VMware releases 2021 Global Security Insights Report detailing the surge in cyberattacks targeting the ‘anywhere’ workforce, highlighting opportunity for security leaders to rethink and transform cybersecurity strategies.

Read more...
Awareness training is key to e-mail security
Issue 3 2021 , Cyber Security
Awareness training should be actively deployed to complement organisations’ efforts to secure their e-mail systems, because hackers are increasingly targeting people as security technologies become more effective.

Read more...