In today’s digital age, ensuring secure authentication at your organization is more crucial than ever. With the increasing prevalence of cyber attacks, data breaches, and identity theft, it is imperative for businesses to implement robust security measures to protect their sensitive information and assets.
Passwords are still the leading cause of security breaches, and we’ll continue to see this be the case as long as passwords are still the primary form of authentication used by businesses and applications, according to Reed McGinley-Stempel, the co-founder and CEO at Stytch, a platform for authentication and security requirements.
In fact, Verizon found that 80% of hacking-related breaches are linked to passwords in some way. A big cause, according to Chris Niggel, regional chief security officer of the Americas at identity management platform provider Okta, is that the adoption of multifactor authentication (MFA) is still very low. A recent Microsoft study showed that only 22% of Azure Active Directory had strong authentication turned on.
“Employees aren’t compensated on security, they’re compensated on productivity, and MFA traditionally impeded that productivity and organizations were very reluctant to roll that out,” Niggel said. “Now, where we are today with the zero-trust security models, we can actually deploy MFA in ways that don’t negatively impact productivity.”
To account for this, some organizations are starting to require MFA. Starting in March and through the end of 2023, GitHub will gradually begin to require all users who contribute code on GitHub.com to enable one or more forms of two-factor authentication (2FA).
In addition to enforcement, there have been many advancements in the field as of late to secure organizations. One that stands out is the commitment by Apple, Google, and Microsoft to expand support for the FIDO standard and accelerate the availability of passwordless sign-ins in mid-2022.
This allows users to automatically access their FIDO sign-in credentials – also referred to as a passkey – on many of their devices without having to re-enroll every account. It also enables them to use FIDO authentication on their mobile device to sign in to an app or website on a nearby device, regardless of the OS platform or browser they’re in.
“This is the first time we’ve had cross-device biometrics at our fingertips, which is crucial for improving the appeal and adoption of biometrics as a primary authentication method,” said Stytch’s McGinley-Stempel.
According to McGinley-Stempel, passkeys are an evolution built upon an existing passwordless technology called Web Authentication API or “WebAuthn,” and to understand the promise of passkeys, it’s important to understand where the initial capabilities of WebAuthn technology have fallen short of consumer expectations. The major limitation there was that it couldn’t carry biometrics across devices such as the phone and desktops and that no apps were comfortable offering it outside of a 2FA option.
“To make this tangible, imagine you’re a user signing up for an account with HomeDepot in order to buy paint. You start your search for paint on your mobile device and find a few colors you’re excited about. You create a Home Depot account in order to complete the order. You see a FaceID icon and think “Great! No password needed — I can just use a biometric to sign up,” McKinley-Stempel said.
“A day later, you see the shipping confirmation while checking your email on your laptop, and you realize you’re out of paintbrushes. You go to HomeDepot.com to order a few brushes as well. When it asks you to log in, you click on the same biometric icon you saw in the mobile apps. However, laptops do not support FaceID, so HomeDepot asks you to go through the TouchID flow on your Mac. You enroll your fingerprint, and you receive an error telling you that an account doesn’t exist,” he continued. “You know that’s not right, but you’re not sure what’s gone wrong and you’re also in a hurry. You decide to create a password, enter all of the same information you provided yesterday such as an address, credit card info, etc., and make the purchase with this same account. You’ve now experienced the biggest shortcoming with WebAuthn today — it doesn’t handle cross-device or cross-platform authentication well.”
This led the potential buyer to duplicate work while also creating multiple user accounts for HomeDepot to manage on their side.
Luckily, this new iteration of passkeys can overcome these user challenges and make them a major contender as a preferred primary authentication factor. By enabling biometric authentication to work across all major devices and browsers, passkeys are likely to be a game changer for B2C WebAuthn adoption, according to McKinley-Stempel.
A lot of the best practices surrounding authentication are built around the (Fast Identity Online) FIDO 2 standard, according to Ant Allan, vice president analyst at Gartner. This was built by a consortium of companies including Google, Microsoft, and Intel, with the aim of reducing the reliance on passwords and improving the security of online authentication.
FIDO 2 is based on public-key cryptography and uses a combination of hardware security keys, biometric authentication and passwordless methods to provide secure and easy-to-use authentication solutions.
Building on top of those best practices is a conditional access policy.
“This takes account of device identity, location, and network, and if you see that everything is in line with expectations, you can make the decision to skip the additional factor,” Allan said. “So you log in normally with a password, and only if you’re on an external network, or you’re on a strange machine are you prompted for the additional factor. This has become very popular.”
This has also grown in popularity with organizations that are using Azure AD or similar systems for access to SaaS applications, which will let employees log into things if they’re on the corporate network in the first place. However, if they’re coming in remotely — a greater consideration nowadays — it’s going to ask for a second factor as well although this can be adjusted to just once a week or so.
Using a phone for MFA can be a challenge
Whether it’s SMS-based login, push notifications, or generated codes, there are some constraints to requiring employees to use a phone for authentication purposes.
In one of the more robust phone-based authentication methods, organizations can require employees to have an app for their phone, and if they’re not providing a corporate phone, some fraction of the employees are going to be reluctant to that app on their personal device, according to Allan.
“For good or bad reasons they might misunderstand what it can do,” Allan said. “They’re scared it can track their location or they just object on principle, that this is my device not for work.”
So most organizations will choose the phone-based method by default but typically have a need to support people who can’t or won’t use phones by providing a hardware token. Others just figure it’s more economical to pay a stipend to people to use their phones rather than having to buy tokens and manage the logistics around them.
“Most will use the hardware tokens as an alternative. But in some organizations that can become particularly expensive, particularly if you’re looking at blue-collar workers, you’re speaking to manufacturing firms and such, there tends to be much higher resistance, and particularly if an organization is unionized than the union might just say, ‘No, you’re not going to do this.’ There the hardware token use would be much higher,” Allan explained.
Troubles with bringing FIDO 2 to legacy applications
The integration of legacy products into FIDO 2 is something that isn’t going to be easily solved, according to Allan.
For example, Windows Hello for consumers is FIDO-certified, but since Windows Hello for Business adds a lot of bits that will make it work in legacy Active Directory environments, it’s not a FIDO-certified product anymore.
“When you’ve got legacy infrastructure, which still has compatibility with NTLM, it’s those kinds of things which mess it up,” Allan said. “On the plus side, you also get more control over how you use it. You get more control over how you use it, more control over enrollment and what you force people to use to log in in the first place and we’re seeing a lot of organizations make use of that just to improve user experience.”
However, this leaves an Active Directory password available in the background which is still a source of weakness that the attacker can exploit.
Moving to the cloud can hugely simplify how authentication is managed and that is something that newer and smaller companies have embraced since they were early adopters of cloud applications, according to Allan.
Zero-trust initiatives are almost everywhere
Four years ago, just 16% of companies surveyed said they either have a zero-trust initiative in place or would have one in place in the coming 12–18 months. Today, that number is 97%, according to The State of Zero-Trust Security 2022 from Okta. It also found that zero-trust initiatives are not limited by company size, geographic location, or industry verticals.
For the fourth annual State of Zero Trust report, Okta surveyed 700 security leaders across the globe—more than ever before—to assess where they are on the journey toward a complete zero-trust security posture.
Passwordless solutions support a zero-trust model because they offer more secure factors for verifying someone’s identity, independent of whether or not they have already gained access to certain resources, according to McGinley-Stempel. A zero-trust security posture has many overlapping interests with modern authentication, but they remain slightly different focus areas.
The Okta report found that there is a growing consensus for integrating identity and access management (IAM) with other critical security solutions, a powerful central control point for intelligently governing access among users, devices, data, and networks can be created through an identity-first approach to zero trust.
It found that 80% of all organizations say identity is important to their overall zero-trust security strategy, and an additional 19% go so far as to call identity business critical. That’s a full 99% of organizations naming identity as a major factor in their zero trust strategy.
Zero trust is also met with a more tech-savvy workforce.
Due to the numerous breaches and security incidents we regularly encounter, people are typically more aware of security today, according to McGinley-Stempel. Even though many are proactively attempting to address security threats and vulnerabilities, many do not prioritize authentication and security until there is an imminent risk or an actual incident.
The use of biometrics has gone up to 24% from 21% last year and the category has grown 46% year over year.
“I think a lot of that has to do with just the fact that it’s easy. Now, we’re all used to using things like Touch ID, Face ID, and Windows Hello,” McGinley-Stempel said. “So those capabilities are built into the hardware we’re using, whereas a few years ago, that was really nascent.”
Security professionals should also keep up-to-date on current security threats by going to conferences like AuthenticateCon and Identiverse where they can absorb a lot of the latest trends. They should also find a trusted authentication provider they can rely on.
Security is edging out usability
While at the start of the pandemic, organizations had to lean harder toward usability since their workforce had to get comfortable with working remotely to drive business results, 2022 shifted the priority to security when it comes to authentication, the Okta report found. This shift was
pronounced in APAC and North America, with the EMEA region reporting a more balanced prioritization between usability and security.
This may be due to companies already leveraging pandemic-era investments in usability and now them having to catch up on security debt. Others recognize that by prioritizing stronger security measures, they may gain improved usability at the same time, according to the report.
“This was highlighted by the White House memo last year which talked about phishing-resistant MFA and we’ve seen some responses from Microsoft, Google, and others that added features to these methods to try to mitigate some of those risks sometimes at the expense of user experience,” Gartner’s Allan said.
If you moved from hardware tokens to mobile push on your phone as a way of lowering costs and improving user experience, then you have to implement something else on top of that to mitigate this new MFA fatigue which may erode some of the benefits, Allan added.
However, there is a broader context of tools that have additional intelligence and analytics of different signals to try and block some of the risks and fatigue since MFA shouldn’t be used as the only authentication method.
ChatGPT can help your hacker
A new alarming phenomenon is the role that AI tools are playing in increasing the sophistication of authentication attacks.
“Emerging AI tools are enabling more sophisticated phishing attacks and making more advanced unphishable MFA more important than ever,” Reed McGinley-Stempel, the co-founder and CEO at Stytch said. “New AI-powered chatbots like ChatGPT, which saw over 100 million users within two months of launching, are empowering hackers to be bolder and more prolific.”
Darktrace, a cybersecurity firm, recently released a warning saying it believes that criminals are increasingly using ChatGPT to create more sophisticated scams.
Historically, hackers have used obvious typos in phishing emails to filter for respondents that are more gullible – and thus more likely to unwittingly fall victim to a phishing attempt. That’s because phishing is a predominantly manual method that requires hackers to interact live with their victims,” McGinley-Stempel said. “If conversations can be delegated to a convincing AI chatbot, hackers can target more sophisticated users with little to no human cost, allowing them to widen their net and increase the volume and scope of their attacks through automation.”
He added that as phishing gets more sophisticated, it’s on companies to adopt unphishable MFA practices that render these more sophisticated fraud attempts a moot point.