Passwords as a means of authentication have been around for a long time. Their existence is based on the fundamental premise that it is only the consumer or user who has the secret. And in these past 60 years, passwords have served us well.
But the premise is becoming less and less true.
These days, there are an estimated 20 billion to 40 billion credentials – meaning user ID and password combinations – that are available to criminals in the dark web. These credentials are harvested and exchanged every day, and the number that is accessible to the cyber criminal community is growing.
Indeed, it is no longer just the user who can be in possession of the secret.
Using, not hacking, the key
A common tactic used by cyber criminals is credential stuffing, and it stems from the all-too-human tendency to use the same user ID and password combination across the numerous web sites he or she is using.
This is because remembering specific user ID-password combinations for specific sites are just too difficult to do. The reality is that none of us can remember a hundred passwords, even if we go to a hundred web sites. Why, we struggle remembering five! Thus, what we do is share passwords on different sites – it does not matter if we rarely or frequently use these sites.
But around five years ago, criminals figured out that the credentials they harvest from one site can just as easily be used in another web site. They thought, and correctly, that there is a high probability that users will be using the same combination. They tried it out on scale – and found that they could get a return of anywhere between 1 and 2 percent.
It’s not at all that difficult, either. There are web sites that provide videos on how exactly to do this – you can have only minimal tech skills and still succeed. And because they are using valid credentials, they can perform criminal activity without detection. They did not hack the key. They used the key!
Imagine doing this for millions and millions of records, and generating returns from 1 to 2 percent of this number, and selling these in some sort of store on the dark web. If they are extra-industrious, they can employ other means to increase the success rate to 4 percent.
So if they are able to scrape information, build a database from that information, add other data they can get from multiple sources, they will now have something they can monetize. If they get four or five dollars a record for hundreds of thousands of records…now that’s a lot of money.
All this is fueling the gradual obsolescence of the password – the foundation of authentication for every enterprise.
A CISO’s business
For an enterprise that has thousands of users and consumers with their individual user ID-password combinations, this spells a big problem. A CISO has to worry about replacing the use of passwords with a better authentication method and figuring out how to do that at scale. If the business is a large enterprise, the cost of replacing passwords would run to the hundreds of millions of dollars.
Some might say that multi-factor authentication, which is always better than a single-factor authentication (like a password), is the answer. An example of that is a one-time passcode that is sent to the user’s phone, which the user would in turn type into the interface to gain access.
Still, threat actors can find ingenious ways to intercept that code through spoofing and exploiting vulnerabilities in the carrier infrastructure. In the end, they succeed.
First, change the mindset
To defeat the ingenuity, the good guys have to go beyond the known forms of authentication. This entails challenging the basic premises we IT and security professionals have about authentication in the first place. First, that it is an event with a beginning and an end. Second, that the result is binary – either you get in or you don’t. We have to unlearn these.
Authentication could be a continuous process. It’s not an event, it has neither beginning nor end, and it does not have to have just a binary outcome. It’s continuous because instead of asking the user to do anything, it takes the behavioral attributes of the device that they are using and build a pattern that represents “normal” behavior for using that device.
And then it takes actual behavior and measures it against the pattern. Is there a deviation? If yes, this new method creates a number that represents that deviation and aggregates it across all the attributes that it is capturing, ultimately arriving at something that the application can decide how much access to provide.
We can also take this further and allow the consumer a biometric of its choice: touch ID, face, or combination.
This would improve authentication by eliminating the use of the weakest link – the password. What’s fascinating is that it would improve security and user experience at the same time. Users no longer have to remember their passwords, and we, on behalf on enterprises, no longer have to waste resources resetting them at scale. It will actually cost less.
Friction for the bad guys
In the meantime, what can people do until we get a more effective and safer authentication method that offers better security, better security experience, and lower costs?
The answer is to create friction for the bad guys as much as you can. This means forcing them to move away from techniques that have worked with them in the past and to figure out new techniques to use.
For example, consumers can use a password manager. This allows you to remember just one single password which then allows you to have complex passwords across the multiple websites that you use. Periodically reset your passwords. You can also use a series of characters in a phrase that is meaning for you, but will not be obvious when strung together. For your phone, use a biometric all the time. Because the information is not centrally located, defeating this means the bad guys have to crack the actual device.
Until we are completely able to unlearn what we know about passwords and shift our mindset, the burden remains to be on the individual. Therein lies the challenge.