Cyberattacks have increased in frequency during COVID-19, and now, more than ever, is the time to consider going passwordless to be more secure. The password is a simple thing employed throughout our digital life, enabling us to access myriad online and company resources. A survey by Dashlane found that we each have, on average, 150 online accounts, and most, if not all, of these are likely protected by at least a password. Password hygiene itself is poor: a Google survey of over 3000 consumers found that over half reuse the same passwords for multiple, if not all, accounts, and fewer than one quarter use a password manager.
As more of us work from home under the specter of the COVID-19 pandemic, we are turning to digital platforms to do our work. These platforms have to fit with robust organizational security policies that protect corporate and customer data. Passwords present a liability for both consumer data and sensitive company data, as the cybersecurity statistics demonstrate all too keenly.
But is there a way to remove this liability and improve security in remote working situations, during a crisis that is bringing challenges never seen before?
Proofpoint found that 99% of cyber-attacks require some form of human intervention. All too often, this comes in the form of phishing. The use of a password as the first authentication factor makes phishing an extremely successful attack technique. The State of the Phish 2020 report found that 65% of U.S. organizations experienced a successful phishing attack in 2019, and 60% of U.S. organizations had credentials stolen during a phishing attack.
Password exposure leads to continued attacks, using methods such as credential stuffing to attack multiple accounts. If a spear-phishing attack results in stolen credentials, it can mean an entire database is compromised. The 2019 Year End Data Breach Report by Risk Based Security described the situation vis-à-vis data theft as “the worst year on record”.
Passwords are a problem on multiple fronts. Phishing is a major issue: even if a password follows the rules of robust creation, a phishing campaign can still steal it and use it to log in if it is the only factor used. Password sharing and accidental leaks also exacerbate the security issues around password usage. A survey from SurveyMonkey found that 34% of employees share passwords with coworkers. This is bad enough at work, but at home it could result in multiple accounts being exposed, for example when a homeworker inadvertently writes passwords down and others in the household use them, or simply lacks awareness of the security required to protect a password.
COVID-19 has sent us both health and economic challenges. It has also presented enterprises the world over with serious security issues: passwords are a weak link in any digital chain, and extended enterprise working conditions create a larger attack surface. Recently, a change in security thinking has come about. The idea that you should “Never trust, always verify” is the ethos that describes Zero-Trust security. The ideology was originally proposed by analyst firm Forrester and has had recent updates to reflect a more extended and distributed enterprise IT architecture. The basic premise of the discipline is that access to data across the extended IT ecosystem must be verified at all times. A number of organizations are taking a Zero-Trust stance. For example, Google's BeyondCorp applies context-based user identity as an access control measure.
Identity and Access Management (IAM) is a key part of this movement to verify users and devices. Identity management is evolving: IAM is no longer contained within the enterprise wall. As cloud computing broke the barriers of the enterprise, IAM had to shift focus. Now identity management can reach out to those working from home through the COVID-19 pandemic. Many new ways of performing identity-based access control have arrived, including Consumer Identity Access Management (CIAM) and cloud IAM.
Passwordless authentication is an authentication method in which a user can log in to a computer system without entering a password or any other knowledge-based secret. Passwordless authentication relies on a cryptographic key pair: a private key and a public key.
Without a robust way to challenge a person at the verification stage, a system's access control can fail. Passwordless systems are increasingly playing a part in access control across disparate systems that reach into the homes of our workforce. Companies are exploring solutions to replace passwords, such as FIDO, or “Fast Identity Online”. FIDO is a standard that provides a series of protocols based on public key cryptography. Using public key cryptography helps to prevent credential loss via phishing, Man-in-the-Middle (MitM) attacks, and session hijacking.
The FIDO Alliance supports various authentication options, including biometrics, USB keys, Near-Field Communication (NFC), and so on. The FIDO Alliance recently released version 2 of the standard, FIDO2. This new version supports single-factor login, which is passwordless. It also supports:
Combining a Zero Trust approach with a FIDO-based passwordless authentication solution gives an organization security that extends into a user’s home.
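To make the key-pair and challenge-response idea concrete, here is an added Go example (not code from this article or from the FIDO Alliance) that models a FIDO-style registration and login: the hypothetical Authenticator type, the relying party ID "example.com" and the lookalike origin "examp1e.com" are constructed for illustration, and the real protocol's attestation, signature counters and user verification are omitted. It shows why the relying party holds nothing phishable and why a credential scoped to one origin yields nothing to a lookalike login page.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)
// Authenticator (hypothetical) holds one key pair per relying party (RP) ID.
type Authenticator map[string]*ecdsa.PrivateKey

// Register creates a P-256 key pair bound to rpID; the RP stores only the public key.
func (a Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a[rpID] = priv
	return &priv.PublicKey, nil
}

// Assert answers a login challenge for the origin the client actually saw.
// A lookalike origin has no credential, so nothing is signed for it.
func (a Authenticator) Assert(origin string, challenge []byte) ([]byte, bool) {
	priv, ok := a[origin]
	if !ok {
		return nil, false
	}
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedData(origin, challenge))
	return sig, err == nil
}

// NewChallenge returns 32 fresh random bytes, so a captured signature cannot be replayed.
func NewChallenge() []byte {
	c := make([]byte, 32)
	rand.Read(c)
	return c
}

// signedData binds the RP ID and the challenge into the value that gets signed.
func signedData(rpID string, challenge []byte) []byte {
	h := sha256.Sum256(append([]byte(rpID+"|"), challenge...))
	return h[:]
}

// Verify is the relying party's check of an assertion against the stored public key.
func Verify(pub *ecdsa.PublicKey, rpID string, challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, signedData(rpID, challenge), sig)
}
```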
The recent COVID-19 lockdown has resulted in increased use of collaboration platforms, including video conferencing. An unanticipated outcome of this has been the phenomenon of “Zoombombing”. This is where malicious persons either find links advertised on social media or use Google to search for URLs containing "Zoom.us", and then crash the Zoom conference. A particularly nasty Zoombomb was experienced by the IAM industry group Women in Identity. The group hosts regular ‘coffee meetings’ for members to help combat COVID-19 lockdown fatigue and to share industry insights. During a recent session, the group experienced a Zoombomb involving a number of people who set about wrecking the meeting and being extremely insulting to the women on the call.
Meetings using collaboration platforms are much needed during lockdown, and no doubt after the pandemic has subsided too. No matter what platform is used, access control to that meeting must be protected. A password alone cannot meet the expanding needs of the modern, remote-enabled workplace. Even with additional measures to hide a conference link, passwords can be phished and exposed accidentally. Platforms such as Zoom, and many others, could benefit from enabling a Zero Trust approach coupled with a passwordless mechanism to control access.
A perfect storm has come out of COVID-19 that will change the way we approach security. This consists of a combination of password fatigue, distributed and extended platforms for work purposes, and a home environment that is more complex for IT security to reach and control. To pull our control back in-house, we need to reach our security arms outwards. This can be done with a combination of passwordless authentication and Zero Trust security.