
Why User Names and Passwords Are Not Enough

Security Leaders are Finally Recognizing How Big of a Problem Credential Compromises Are

Over the past few years, it’s become evident that attackers are no longer “hacking” to carry out data breaches ― they are simply logging in by exploiting weak, stolen, or otherwise compromised credentials. That’s why this month’s discovery of a massive repository of 773 million email addresses and more than 21 million passwords floating on the Dark Web doesn’t come as a surprise to many security experts. It’s just further proof that identity has become the new security perimeter and the battleground for mitigating cyber-attacks that impersonate legitimate users.

Typically, hackers seek the path of least resistance and target the weakest link in the cyber defense chain ― humans. Consequently, most of today’s data breaches are front-ended by credential harvesting campaigns, followed by credential stuffing attacks. Once inside, hackers can fan out and move laterally across the network, hunting for privileged accounts and credentials that help them gain access to an organization’s most critical infrastructure and sensitive data. 

Forrester Research has estimated that despite continually increasing cyber security budgets, 80 percent of security breaches involve privileged access abuse and 66 percent of companies have been breached an average of five or more times. As a result, organizations need to look beyond user names and passwords when it comes to authenticating employees to protect accounts and secure access to valuable data and critical systems.

The State of Multi-Factor Authentication 

Instead of relying solely on user names and passwords, security professionals should consider adding an additional security layer for their access controls by implementing multi-factor authentication (MFA). In fact, it appears that security leaders are finally recognizing how big of a problem credential compromises are, and they are working to mitigate the risks through stronger forms of authentication. A recent study by Javelin Strategy & Research found that reliance on passwords declined from 56 percent to 47 percent over the past year, as organizations increased their adoption of both traditional MFA and strong authentication.

When it comes to MFA methods, organizations have a wealth of choices but should realize that there is no “one-fits-all” approach. Instead, they should select alternatives that are best aligned with their use cases and represent the lowest friction experience for users to assure broad adoption. The most common MFA options include:

• Security Questions – One or more security questions can be used as the simplest form of authentication using something the user knows.

• One-Time Passcodes – One-time passcodes delivered via email or SMS message can be used as a second factor for authentication purposes. However, it has been well documented that SMS-transmitted one-time password tokens (OTPs) are vulnerable to interception (e.g., SIM-swap or mobile number port-out scams). That’s why the National Institute of Standards and Technology (NIST), in its Special Publication 800-63 guidelines, recommends restricting the use of SMS for OTP and advises removing email OTP entirely. The weaknesses that OTP represents were also illustrated by last year’s Reddit hack.

• OATH Tokens – An OATH token is a secure one-time password that can be used for two-factor authentication. The OATH token is delivered to a device as a one-time password to increase the assurance of the authentication.

• Phone Call with PIN Verification – A phone call with PIN verification can be used with any phone number available in the enterprise directory (mobile, office, or home). The user simply validates the PIN once they answer the phone.

• Mobile Push Notifications – Mobile push notifications to a mobile authentication app for iOS and Android devices allow for a simple swipe after unlocking the smartphone to verify the authentication.

• FIDO U2F Security Keys – FIDO U2F Security Keys represent a very simple to deploy option that also provides the highest security assurance when combined with the user’s password.

• Smart Cards – Smart Cards can also be used for authentication and provide the highest assurance level once validated and verified against an organization’s corporate directory.

Industry and regulatory standards such as PCI DSS, NIST 800-63, PSD2, and GDPR are requiring security controls that provide higher assurance levels, such as authentication that is based on proof of possession of a cryptographic key using a cryptographic protocol. Nonetheless, organizations are still relying on far less secure authentication methods. According to Javelin Strategy & Research, SMS OTP and security questions remain dominant methods within enterprises despite their documented vulnerabilities; only 5 percent of organizations use cryptographic keys.

The benefits provided by level-3 compliant authentication methods have been demonstrated by Google. According to the company, its more than 85,000 employees have not been victimized by a significant phishing attack since the use of hardware-based, cryptographic authenticators was implemented. 

When adopting multi-factor authentication, organizations should sunset OTP deployments in favor of the other methods outlined above. In addition, it is highly recommended to leverage risk-based authentication, restricting authentication challenges to only the most high-risk events, while avoiding unnecessary burdens for legitimate users.

Since multi-factor authentication requires several elements for identity verification (something you know, something you have, and something you are), it’s one of the best ways to prevent unauthorized users from accessing sensitive data and moving laterally within the network. It should be standard practice for all organizations. Clearly, though, there’s plenty of work ahead.

Written By

Torsten George is a cybersecurity evangelist at Absolute Software, which helps organizations establish resilient security controls on endpoints. He also serves as strategic advisory board member at vulnerability risk management software vendor, NopSec. He is an internationally recognized IT security expert, author, and speaker. Torsten has been part of the global IT security community for more than 27 years and regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege For Dummies book. Torsten has held executive level positions with Centrify, RiskSense, RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global, an ASSA ABLOY™ Group brand), Digital Link, and Everdream Corporation (acquired by Dell).
