Passwords can be a major headache for IT managers. A recent Nevis study identified their favourite ways to get on top of the issue: no. 1 among the measures for increasing IT security is defining minimum lengths for passwords (62 per cent), followed by enforcing regular password changes (52 per cent) in second place. End users, i.e. customers and employees, are not entirely innocent either, as the majority of them tend to use password combinations that are not exactly secure. The classics appear on the annually recurring lists of the most popular – and at the same time most insecure – passwords, in which options like “123456”, “password” and the like occupy the inglorious leading positions. Of course, IT admins can exclude such negative examples in the same way that they can exclude passwords that are too short or those without numbers and/or special characters. But this does not even come close to eliminating their problems.
The reason for that is the ever-increasing number of hacker attacks that exploit the weaknesses of the password system. If a password is not supported by additional security measures, a single act of carelessness on the part of the user is often enough to open a gateway for criminal hackers. Two very common types of attack currently in use – which differ drastically in their methodology – are credential stuffing and social engineering.
Credential stuffing is a process in which cybercriminals exploit the tendency of users to use the same password repeatedly for different online services. It’s a mistake with big consequences – after all, millions of logins have been captured in several large data breaches since 2019, such as the ones at Marriott, Equifax and LinkedIn. This has gone hand in hand with a rapid upswing in credential stuffing. By automatically trying out username/password combinations in various online services, it is possible to rapidly determine whether the captured “key” also fits other locks – and gives the hackers access to other user or email accounts.
Social engineering represents the other methodological extreme: instead of a mass bombardment of username-password combinations and automated trial and error as occurs with credential stuffing, this attack is targeted specifically at selected employees. In this approach, cybercriminals first collect information on company structures and management from social networks. They then try to trick employees into revealing their passwords via fake emails and websites. The victims are always led to believe that they are communicating with a superior or the company’s own IT department. Frequently, the criminals add an element of supposed urgency and haste in their fake messages in order to give the attacked person as little time as possible to think about what is going on or to ask critical questions in the company.
Knight in shining armour? 2FA and MFA
If passwords alone are too vulnerable, they must be supplemented – and what is needed is a method that lets users authenticate themselves beyond any doubt, without hackers also being able to access these identification features. That is the basic idea behind two-factor (2FA) and multi-factor authentication (MFA). Instead of just entering a name and password, the user must also present a physical token – for example, in the form of a smart card with an associated reader – or enter some kind of code that is sent, for example, by text message to a previously registered mobile phone. Time-limited codes can also be issued via the authenticator apps from Google or Microsoft. Authentication can be made even more secure if, instead of two credentials, several can be combined – which is where so-called multi-factor authentication comes into play.
Text messages no longer do the trick
But even authentication with two or more factors does not guarantee invulnerability in terms of data security, as a test by the website Motherboard showed. For example, the Sakari software, developed for corporate marketing, made it possible to send out mass text messages – and any mobile phone number could be stored as the sender. As Sakari also received the messages sent to these numbers, it was possible to intercept the two-factor codes sent by an authentication server via SMS. Even though this security gap has since been closed by mobile phone companies, it reveals the basic vulnerability of any SMS-based system.
Passwordless thanks to biometrics
In light of all this, it is clearly better to rely on an authentication factor in the MFA that hackers cannot easily intercept and that at the same time guarantees the highest level of security. This is possible with passwordless authentication. The linchpin of this concept is the biometric sensors that are built into modern smartphones and that enable unambiguous authentication of the user based on their facial features (Face ID) or fingerprints. The sensitive biometric data never physically leave the device – they are only available locally on the respective device and are stored there in a specially secured chipset known as the Secure Enclave.
Due to the basic nature of biometric features, they offer excellent security and can thus completely replace the use of passwords. This not only enhances the end-to-end security of 2FA and MFA but is also a major boost in convenience for users compared to other authentication methods. Now they no longer have to remember long passwords or type out columns of numbers; instead, all they need to do is look at the smartphone display or touch the fingerprint sensor.