The Kiss of Death for Passwords: Machine Learning?

Since the introduction of computers, user names and passwords have been the primary method used for access control and authentication. However, as post-mortem analysis of data breaches reveals, compromised credentials have become the primary point of attack for today’s cyber adversaries. In fact, 81 percent of hacking-related breaches leverage either stolen, default, or weak passwords. A contributing factor for these stats is the fact that users often reuse the same password across multiple accounts and applications. For example, according to a report from TeleSign, 73 percent of users leverage the same password for multiple online accounts. 

This behavior doesn’t differ much in the enterprise environment. Meanwhile, account compromise provides a perfect camouflage for attackers, since they look just like legitimate users. When attackers exploit legitimate credentials, all security analysts see is regular user activity. This also causes a domino effect and increases the risk of lateral movement by the attacker. 

Multi-Factor Authentication to the Rescue?

To make things more difficult for cyber-attackers, security-minded organizations are supplementing passwords with either two-factor or multi-factor authentication (MFA). In this case, users provide extra information or factors when they access applications, endpoints, or infrastructure. MFA uses a combination of the following factors:

● Something you know (e.g., username, password, PIN, security questions)

● Something you have (soft or hard tokens in different forms and shapes, smart card)

● Something you are (biometric traits like fingerprints, voice recognition, facial scan)

Since MFA requires multiple methods for identification, it’s one of the best ways to prevent unauthorized users from accessing sensitive data and moving laterally within the network. Organizations often make the mistake of limiting MFA usage to application access and only to end users. However, applying MFA to only certain apps, users, or resources still leaves organizations exposed. Instead, MFA should be implemented across every user (end users, privileged users, contractors, and partners) and every IT resource (cloud and on-premises applications, VPN, endpoints, and servers). This ultimately minimizes weaknesses in the attack chain — and protects against compromised credentials.

While the use of MFA makes a lot of sense for the above-mentioned reasons, adoption is still not at 100%. The main impediment to adoption has been the perceived impact on the productivity and agility of end users. For example, having to manually type in a code transmitted via SMS, in addition to the already supplied user name and password, is often seen as cumbersome. Technology advancements are removing some of these objections by offering a more user-friendly experience, for example replacing the manual entry of a one-time password on the endpoint with a single tap of a button on the user’s smartphone. Nonetheless, some users still express frustration with this additional step, even if it is relatively quick and simple.

Making Access Controls Invisible: Risk-Based Authentication 

Ultimately, the best security is transparent and non-intrusive. That’s where the use of risk-based authentication and machine learning technology comes into play.

Risk-based authentication uses machine learning to define and enforce access policy based on user behavior. Through a combination of analytics, machine learning, user profiles, and policy enforcement, access decisions can be made in real time: eliminating authentication challenges for low-risk access, stepping up authentication when risk is higher, or blocking access entirely. To evaluate the risk of each access request, a machine learning engine must process multiple factors, including location, browser type, operating system, endpoint device status, user attributes, time of day, unusual recent privilege change, unusual command run, unusual resource accessed, unusual account used, unusual privilege, and more. 
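The decision flow described above (score the request against the user’s normal behavior, then allow, step up, or block), as an added example that is not part of the original article. It stands in for the machine learning engine with a simple weighted deviation score against a constructed per-user baseline; the signal weights, thresholds, and sample requests are illustrative assumptions.

```python
# Added example, not from the article: a minimal risk-based authentication decision
# engine. Per-user baseline vs. request signals -> weighted risk -> allow / step-up / block.
# Weights, thresholds and sample data are illustrative assumptions.
ALLOW, STEP_UP, BLOCK = "allow", "step_up", "block"

# Assumed weights for the kinds of signals the article lists.
WEIGHTS = {"new_country": 35, "new_device": 25, "device_noncompliant": 30,
           "off_hours": 10, "new_browser_os": 10, "privilege_change": 20,
           "unusual_resource": 15}

def score_request(base, req):
    """Return (risk score 0-100, triggered signals) for one access request."""
    start, end = base["work_hours"]
    hits = []
    if req["country"] not in base["countries"]: hits.append("new_country")
    if req["device_id"] not in base["devices"]: hits.append("new_device")
    if not req["device_compliant"]: hits.append("device_noncompliant")
    if not start <= req["hour"] < end: hits.append("off_hours")
    if req["browser_os"] not in base["browser_os"]: hits.append("new_browser_os")
    if req["privilege_changed"]: hits.append("privilege_change")
    if req["resource"] not in base["resources"]: hits.append("unusual_resource")
    return min(100, sum(WEIGHTS[h] for h in hits)), hits

def decide(base, req, step_up_at=30, block_at=70):
    """Low risk passes silently, medium risk is challenged, high risk is denied."""
    score, hits = score_request(base, req)
    action = BLOCK if score >= block_at else STEP_UP if score >= step_up_at else ALLOW
    return action, score, hits

def learn(base, req):
    """After an allow or a successful step-up, fold the request's context into the
    baseline so the same context scores lower next time (the adaptive part)."""
    base["countries"].add(req["country"]); base["devices"].add(req["device_id"])
    base["browser_os"].add(req["browser_os"]); base["resources"].add(req["resource"])

# Constructed baseline: what the engine has learned about one user's normal behaviour.
ALICE = {"countries": {"US"}, "devices": {"laptop-01"}, "browser_os": {"Chrome/Windows"},
         "resources": {"crm", "email"}, "work_hours": (7, 19)}  # local hours [start, end)
# Constructed requests: routine work, a late-night look at a new app, a credential thief.
ROUTINE = dict(country="US", device_id="laptop-01", device_compliant=True, hour=10,
               browser_os="Chrome/Windows", privilege_changed=False, resource="email")
LATE_NEW_APP = {**ROUTINE, "hour": 23, "browser_os": "Safari/macOS", "resource": "hr-payroll"}
STOLEN_CREDS = {**ROUTINE, "country": "BR", "device_id": "unknown-77", "device_compliant": False}

if __name__ == "__main__":
    samples = [("routine", ROUTINE), ("late_new_app", LATE_NEW_APP), ("stolen", STOLEN_CREDS)]
    for name, req in samples:
        print(name, *decide(ALICE, req))
```

Running it yields allow (0) for the routine request, step_up (35) for the late-night new-app request, and block (90) for the request from an unknown, non-compliant device in a new country; after `learn` records the stepped-up request, the same context drops to 10 and passes silently.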

To keep the organization protected, risk-based authentication needs to be applied across all user audiences (end users, privileged users, contractors, etc.) as well as across all resources (e.g., applications, infrastructure). Applying risk-based authentication as part of a mature identity and access strategy to secure applications, devices, data, and infrastructure — both on-premises and in the cloud — yields the following benefits:

● Stops attacks in real time based on user behavior and risk

● Eases user access based on low risk, and only steps up authentication when risk is high

● Minimizes policy creation and modifications via machine learning, freeing up IT resources for other work

● Improves security policies with access tailored to each individual user’s behavior

Not only does risk-based authentication provide real-time security, but it also flags high-risk events, and elevates them for investigation by security analysts – greatly minimizing the effort required to identify threats across today’s hybrid IT environment. Implementing machine learning in the context of access control can help organizations reduce their reliance on passwords, and potentially get rid of them altogether.

Written By

Torsten George is a cybersecurity evangelist at Absolute Software, which helps organizations establish resilient security controls on endpoints. He also serves as strategic advisory board member at vulnerability risk management software vendor, NopSec. He is an internationally recognized IT security expert, author, and speaker. Torsten has been part of the global IT security community for more than 27 years and regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege For Dummies book. Torsten has held executive level positions with Centrify, RiskSense, RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global, an ASSA ABLOY™ Group brand), Digital Link, and Everdream Corporation (acquired by Dell).
