The time has come to say farewell to the password. There are no more excuses we can make: an ever-growing mountain of evidence leaves little doubt. Recent high-profile breaches continue to point to stolen credentials as a high value target for attackers. They are extremely valuable on the dark web and a powerful tool for today’s cybercriminals. With them, attackers breach organizations with relative ease and a high level of stealth. According to the 2016 Verizon Data Breach Investigations Report (DBIR), 63 percent of confirmed data breaches involved the use of weak, default or stolen credentials — that’s nearly two-thirds of all data breaches in 2015.
Case in point: several months ago, technology giant Yahoo announced that the names, email addresses, passwords and security question answers of over 500 million users were stolen in a 2014 breach. It is possible that this is the largest data breach in digital history.
Yahoo is not alone.
Earlier this year, 427 million MySpace passwords were posted on the dark web for sale, stolen by the same cybercriminal who was selling the data of more than 164 million LinkedIn users just one week prior. A difficult truth to face: chances are that your credentials are out there in a database controlled by an attacker.
Even a single compromised password is dangerous and can lead to a massive breach. So let’s take a step back and understand how attackers leverage stolen credentials in an attack. There is a lively discussion going on in the security world on the continued relevance of the “attack lifecycle” or “kill chain,” a model describing attacker methodology that was popularized by Lockheed Martin in 2011. The kill chain describes a flow from initial penetration to gaining a foothold, then to privilege escalation, reconnaissance and lateral movement, and eventually to completing the mission of data exfiltration.
It is my opinion that the kill chain is still relevant. Attackers using stolen credentials simply “short circuit” the kill chain, already having been provided a foothold into the organization. Put more simply, stolen credentials are the easiest way for an attacker to gain the foothold they need. They can immediately jump to lateral movement while attempting to compromise more and more powerful, legitimate credentials. They move freely and silently, completing their mission to steal intellectual property, destroy data or encrypt it for ransom. We have seen this in action many times: there are indications that the breach of the Office of Personnel Management (OPM) was accelerated by credentials stolen from a partner organization. The attackers may have used those credentials to effortlessly move into the OPM network.
Organizations have attempted to mitigate the password risk by implementing stronger password complexity and requiring more frequent password changes. They have also attempted to strengthen the password by adding additional authentication factors, such as a hardware token or a one-time password (OTP) delivered by email or SMS.
While valiant attempts, these approaches miss the mark. They have the unfortunate side effect of skyrocketing helpdesk costs and user frustration. Most important: these approaches are not enough. They cannot deliver the security that organizations need today.
Recent news has shown that traditional two-factor authentication methods, particularly SMS-based one-time passwords, are being circumvented by attackers in well-crafted phishing attacks. In response to this inherent risk, the National Institute of Standards and Technology (NIST) recently announced a proposal to no longer recommend two-factor authentication using SMS-delivered one-time passcodes. NIST’s guidance is spot on: although more secure than a simple password, this approach is not enough.
There is some good news: many industry professionals recognize that it is time to move beyond the password. A recent survey conducted by SecureAuth, issued in conjunction with Wakefield, found that 69 percent of organizations are likely to do away with passwords within the next five years. The prodigious breaches of 2015 and 2016 have had an effect — we understand the need for a paradigm shift in authentication.
Where do we go from here? If passwords are out, what comes next?
The future is passwordless authentication. Passwordless authentication involves the use of a device (something you have) and a biometric (something you are), along with the analysis of multiple risk factors around the transaction.
In the passwordless model, I navigate to my destination and enter my username. A signal is sent to my device to notify me of an authentication in progress that I must accept or deny. I authenticate to my device using a biometric such as a fingerprint. That biometric profile never needs to leave the device. During this process multiple risk factors are being evaluated: my location, my device attributes, the reputation of my IP address or even the way I physically interact with my desktop and device — a technology known as behavioral biometrics.
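The flow just described, as an added illustration that is not part of the original article and not SecureAuth's product code: the server pushes a challenge to an enrolled device, the device checks the biometric locally and returns only a keyed proof of possession (the biometric profile never leaves the device), and the server then scores the login against the risk factors named above (location, device attributes, IP reputation, behavioral biometrics). The per-device HMAC key, the risk weights and thresholds, the enrollment record and the sample IP addresses are all constructed assumptions; a real deployment would bind an asymmetric device key rather than a shared secret.

```python
"""Illustrative passwordless login: push challenge + on-device biometric gate +
server-side risk scoring. Hypothetical code; every name, weight and sample
value below is constructed for the example."""
import hashlib
import hmac
import secrets
import time

CHALLENGE_TTL = 60  # seconds a pushed challenge stays valid (assumed value)

# Constructed enrollment record. HMAC with a per-device secret is used so the
# example runs on the standard library alone; production systems bind a
# per-device asymmetric key instead.
ENROLLED_DEVICES = {
    "alice": {"device_id": "phone-01", "key": b"\x11" * 32, "country": "US",
              "attrs": {"os": "constructed-os-17", "model": "constructed-phone"}},
}
BAD_IP_REPUTATION = {"203.0.113.9"}  # constructed denylist (TEST-NET-3 address)


def start_authentication(username, now=None):
    """Server side: the user typed only a username; create a pending
    challenge that is 'pushed' to the enrolled device."""
    now = now if now is not None else time.time()
    return {"username": username, "nonce": secrets.token_hex(16), "issued": now}


def device_respond(username, challenge, biometric_match, user_accepted):
    """Device side: the fingerprint is verified locally; only a keyed proof
    of possession leaves the device, never the biometric profile."""
    if not (biometric_match and user_accepted):
        return None  # prompt denied or biometric did not match
    dev = ENROLLED_DEVICES[username]
    msg = f"{username}|{challenge['nonce']}|{dev['device_id']}".encode()
    tag = hmac.new(dev["key"], msg, hashlib.sha256).hexdigest()
    return {"device_id": dev["device_id"], "tag": tag}


def risk_score(username, context):
    """Server side: combine the risk factors into a score in [0, 1].
    Weights are assumptions chosen for illustration."""
    dev = ENROLLED_DEVICES[username]
    score = 0.0
    if context["country"] != dev["country"]:
        score += 0.4                      # location differs from enrollment
    if context["device_attrs"] != dev["attrs"]:
        score += 0.3                      # device attributes changed
    if context["ip"] in BAD_IP_REPUTATION:
        score += 0.5                      # poor IP reputation
    # behavioral biometrics: 1.0 means typing/mouse pattern matches the user
    score += 0.3 * (1.0 - context["behavior_match"])
    return min(score, 1.0)


def complete_authentication(challenge, response, context, now=None):
    """Server side: verify the possession proof and freshness, then apply
    the risk policy. Returns 'ALLOW', 'STEP_UP' or 'DENY'."""
    now = now if now is not None else time.time()
    username = challenge["username"]
    if response is None:
        return "DENY"
    if now - challenge["issued"] > CHALLENGE_TTL:
        return "DENY"                     # stale push; limits replay window
    dev = ENROLLED_DEVICES.get(username)
    if dev is None or response["device_id"] != dev["device_id"]:
        return "DENY"
    msg = f"{username}|{challenge['nonce']}|{dev['device_id']}".encode()
    expected = hmac.new(dev["key"], msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, response["tag"]):
        return "DENY"                     # possession proof failed
    score = risk_score(username, context)
    if score >= 0.7:
        return "DENY"
    if score >= 0.4:
        return "STEP_UP"                  # require an additional factor
    return "ALLOW"


def run_scenario(country="US", ip="198.51.100.4", behavior_match=0.95,
                 biometric_match=True, user_accepted=True, delay=0):
    """Driver tying the three steps together for one constructed login."""
    dev = ENROLLED_DEVICES["alice"]
    context = {"country": country, "ip": ip, "device_attrs": dict(dev["attrs"]),
               "behavior_match": behavior_match}
    t0 = 1_700_000_000.0                  # fixed clock for repeatable results
    chal = start_authentication("alice", now=t0)
    resp = device_respond("alice", chal, biometric_match, user_accepted)
    return complete_authentication(chal, resp, context, now=t0 + delay)


if __name__ == "__main__":
    print("normal login      :", run_scenario())
    print("user denied push  :", run_scenario(user_accepted=False))
    print("foreign country   :", run_scenario(country="RO"))
    print("bad ip + country  :", run_scenario(country="RO", ip="203.0.113.9"))
    print("stale challenge   :", run_scenario(delay=120))
```

Two design points worth noting: the possession proof covers the username, a fresh nonce and the device id, so a captured response cannot be replayed for another user, device or session, and the risk score is computed only after the proof verifies, so a weak score can add friction (step-up) but a forged proof is never rescued by a low score.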
The reality is that solutions beyond the password are staring us right in the face. Many organizations are already stepping into the passwordless future today. Rightly so: I can think of no technology that would have a larger impact in today’s threat landscape. The evidence is clear and it is driving a high level of innovation in the identity security community.
So long passwords. It’s time to ride into the sunset.
Stephen Cox is the chief security architect for SecureAuth.