Passwords and credentials remain the largest source of attack attempts and successful attacks, making them the biggest cybersecurity threat to organizations across all industries. Per Verizon’s 2022 Data Breach Investigations Report, 62% of successful breaches are tied to stolen credentials or phishing.
Password attacks come in many shapes and sizes and have evolved to circumvent counter measures like 2FA and traditional MFA. The most common types of passwords attacks include:
Phishing: The basic social engineering ploy of sending an email to a user and asking them to log in to a mirror site controlled by the attacker. Hackers can also use phishing to extract one-time passwords (OTPs) sent to users as part of multifactor authentication (MFA).
Brute Force: Armed with a user’s email address or account name, the attacker tries multiple versions of a password. Some even go so far as to attempt a whole dictionary.
Credential Stuffing: Once a hacker has secured username and password pairs from other breaches, they run a script that stuffs them into multiple account logins in case a user has used the same credentials elsewhere.
Malware: This involves the installation of a keylogger on a user’s device that records everything they input and sends it directly to the attacker.
Man-in-the-Middle: An attacker positions themselves between the user and the server and intercepts traffic sent. Even encrypted passwords that are stolen can be cracked offline.
The threat from attacks on passwords and traditional password-based MFA has become so significant that the U.S. Cybersecurity Infrastructure and Security Agency (CISA) issued guidance urging all organizations to fully eliminate passwords and deploy phishing-resistant MFA based on FIDO standards. Here we’ll look at the basic steps businesses should take to eliminate passwords from their identity and access management (IAM) processes.
1. Start With a Passwordless Desktop
Many organizations focus their security efforts on their authentication processes for system applications and single sign-on (SSO), and neglect the first login of the day, the desktop. This creates a serious security gap, making it easier for attackers to gain workstation access and use it as an attack path. The first step to eliminate passwords is to deploy a passwordless MFA solution for desktop. This cuts your risk exposure — in fact desktop MFA is required by many cyber insurers — and also helps cut down on the 24 hours employees spend per year entering passwords.
2. Integrating Single Sign-On
The clear next step is to join your passwordless MFA from your desktop to your SSO identity provider. Your SSO provider delivers access to many of your system applications, VPN and data, so a hardened security posture is essential for avoiding a break-once run-everywhere scenario. Remember, your passwordless SSO should not use centrally stored credentials or shared secrets in the verification process, even temporarily.
Decoupling authentication from your identity providers and bringing users directly from a desktop login into their cloud-based SSO creates a seamless and hassle-free login experience. Not only that, but it reduces the number of password replacement tickets for your IT support team, meaning desktop-to-SSO doesn’t just eliminate passwords, but productivity sinks too.
3. Removing OTPs
One of the earliest attempts at MFA was for a user to prove their identity by providing a number or code sent to a registered email or cell number. This can now easily be compromised by attackers through SIM-swapping, malware or dedicated phishing kits. An important step in eliminating passwords is to also roll back the reliance on OTPs. Some applications that haven’t been transitioned to your SSO might still require legacy OTP at this point, but those typically make up less than 10% of an organization’s login footprint.
OTPs are not only insecure, they take up considerable employee time to initiate and complete logins. On top of that, OTP licensing can be quite expensive.
4. Resolving Potential Outliers
After assimilating your SSO and system apps with your passwordless MFA, the next step on the path to eliminating passwords will likely be to focus on legacy applications that still require passwords. The desire for change will become noticeable as passwordless authentication kicks in for other assets, and employees will question why these apps are so much slower to access.
A few options are available for improving this situation, such as adding the apps to your SSO or using your passwordless solution’s SDK to integrate passwordless authentication directly into the applications.
5. Maintaining Positive Processes
The fight to eliminate passwords is made all the more difficult because, despite introducing huge security risks for organizations, many vendors, developers and even internal voices see passwords as a viable authentication solution. This can lead to backsliding on advances or making exceptions for certain situations or users. Once you’re on the path to eliminating passwords, there can and should be no going back.
Eliminate Passwords Today
Passwords are perhaps the single biggest threat to enterprise security; removing them from authentication processes is critical. For a more detailed discussion on the best approach, download our step-by-step guide to going passwordless.
The journey to passwordless begins with the right passwordless MFA solution. It should provide passwordless authentication into desktops, as well as SSOs and web applications, to give users direct seamless authentication from desktop to cloud.
HYPR’s True Passwordless™ MFA solution provides everything you need to eliminate passwords. Leveraging the biometric identifiers on a user’s device to unlock a unique private key means that no passwords or shared secrets are used at the front or back-end. As a fully FIDO Certified solution, HYPR meets all guidelines for phishing-resistant authentication set out by CISA and other agencies. To learn how HYPR can help your organization completely eliminate passwords, talk to one of our security experts today.
*** This is a Security Bloggers Network syndicated blog from HYPR Blog authored by HYPR Team. Read the original post at: https://blog.hypr.com/five-steps-to-eliminate-passwords