Five steps to eliminate passwords
Passwords and credentials are still the biggest source of attack attempts and successful attacks, making them the number one cybersecurity threat to organizations across all industries. Per Verizon’s 2022 Data Break Investigations Report, 62% of successful breaches is linked to stolen credentials or phishing.
Password attacks come in many shapes and sizes and have evolved to circumvent countermeasures such as 2FA and traditional MFA. The most common types of password attacks include:
- Phishing: The basic social engineering trick of sending an email to a user and asking them to log into a mirror website controlled by the attacker. Hackers can also use phishing to extract one-time passwords (OTPs) sent to users as part of multi-factor authentication (MFA).
- Pure strength: Armed with a user’s email address or account name, the attacker tries multiple versions of a password. Some even go so far as to try an entire dictionary.
- Credential filling: Once a hacker has secured username and password pairs from other breaches, they run a script that populates them into multiple account logins in case a user has used the same credentials elsewhere.
- Malware: This involves installing a keylogger on a user’s device that records everything they type and sends it directly to the attacker.
- The man in the middle: An attacker positions himself between the user and the server and intercepts traffic being sent. Even encrypted passwords that are stolen can be cracked offline.
The threat of attacks on passwords and traditional password-based MFA has become so significant that the US The Cybersecurity Infrastructure and Security Agency (CISA) issued guidance encourages all organizations to completely eliminate passwords and deploy phishing-resistant MFA based on FIDO standards. Here, we’ll look at the basic steps companies should take to eliminate passwords from their identity and access management (IAM) processes.
1. Start with a passwordless desktop
Many organizations focus their security efforts on the authentication processes for system applications and single sign-on (SSO), neglecting the first login of the day, the desktop. This creates a serious security hole, making it easier for attackers to gain workstation access and use it as an attack path. The first step to eliminating passwords is to deploy a passwordless desktop MFA solution. This reduces your risk exposure – in fact, desktop MFA is required by many cyber insurance companies – and also helps reduce the 24 hours a year employees spend typing passwords.
2. Integration of Single Sign-On
The obvious next step is to connect the passwordless desktop MFA to the SSO identity provider. Your SSO provider provides access to many of your system applications, VPN and data, so a hardened security posture is essential to avoid a breach scenario once, everywhere. Remember that your passwordless SSO should not use centrally stored credentials or shared secrets in the verification process, even temporarily.
Disconnect authentication from your identity providers and bring users directly from a desktop login to their cloud-based SSO creating a seamless and hassle-free login experience. Not only that, but it reduces the number of password replacement tickets for your IT support team, meaning that desktop-to-SSO not only eliminates passwords, but productivity decreases as well.
3. Removal of OTPs
One of the earliest attempts at MFA was for a user to prove their identity by entering a number or code sent to a registered email or mobile number. This can now be easily compromised by attackers through SIM swapping, malware or dedicated phishing kits. An important step in eliminating passwords is to also roll back the reliance on OTPs. Some applications not migrated to your SSO may still require legacy OTPs at this point, but they typically make up less than 10% of an organization’s login footprint.
OTPs are not only insecure, they take significant time for employees to initiate and complete logins. On top of that, OTP licensing can be quite expensive.
4. Solve potential outliers
After assimilating your SSO and system apps with your passwordless MFA, the next step on the road to eliminating passwords will likely be to focus on legacy applications that still require passwords. The desire for change will become noticeable as passwordless authentication comes in for other assets, and employees will question why these apps are so much slower to access.
A few options are available to improve this situation, such as adding the apps to SSO or using the passwordless solution SDK to integrate passwordless authentication directly into the applications.
5. Maintain positive processes
The battle to eliminate passwords is made all the more difficult because, despite introducing huge security risks to organizations, many vendors, developers, and even internal voices see passwords as a viable authentication solution. This may lead to a decline in progress or make exceptions for certain situations or users. Once you’re on the path to eliminating passwords, there can’t and shouldn’t be any turning back.
Eliminate passwords today
Passwords are perhaps the biggest threat to corporate security; removing them from authentication processes is essential. For a more detailed discussion of the best approach, download our step-by-step guide to go without a password.
The journey to passwordless begins with the right passwordless MFA solution. It will provide passwordless authentication to desktop computers, as well as SSOs and web applications, to provide users with direct seamless authentication from desktop to cloud.
HYPR’s True Passwordless™ MFA solution provides everything you need to eliminate passwords. Leveraging the biometric identifiers on a user’s device to unlock a unique private key means no passwords or shared secrets are used on the front or back end. As a fully FIDO-certified solution, HYPR meets all phishing-resistant authentication guidelines set by CISA and other agencies. To learn how HYPR can help your organization completely eliminate passwords, talk to one of our security experts Today.
*** This is a Security Bloggers Network syndicated blog from the HYPR blog written by the HYPR team. Read the original post at: