For nearly as long as there have been computers, the proverbial key that unlocked the gate to programs, accounts, and data has traditionally been the password. As a reinforcement to this, additional help in the form of knowledge-based authentication, or KBA, has been added. Now, however, passwordless authentication and other mechanisms like biometrics are coming into their own as passwords, and KBA fall out of fashion, and there are good reasons for this.

Convenience Is Decreasing

Password and KBA systems were originally adopted because they were cheap, easy, and comparatively secure. However, of those three qualities, only cheap remains true today. In terms of ease of use, passwords and KBA systems are now becoming more and more cumbersome. For example, most security recommendations now require a password not to be easy to decipher or remember. Best practices recommend a random string of alphanumerics to discourage an automated system from figuring out a password through a process of elimination.

Knowledge-based authentication, which asks “secret questions” or provides hints or secondary forms of access based on knowledge only a user could know, is also being scrutinized. In many cases, the metrics of a KBA, such as the name of a pet, or a mother’s maiden name, may be gleaned from diligent studies of a person on social media, where much of this information has been publicly voluntarily posted.

Vulnerability Is Increasing

A single-password-only security system is becoming one of the least secure measures against cyber attacks. By deciphering just one password, a criminal can potentially gain access to personal information, sensitive financial data, and, worst of all, actual funds. With the constant evolution of techniques such as “phishing” and “man in the middle attacks,” intercepting and using passwords is becoming easier than ever for criminals.

The counter to this of making passwords and KBA systems more difficult is causing them to become inconvenient and even intrusive for users. Polls now indicate that passwords and KBA systems are losing popularity both at the system maintenance level due to vulnerability and the general user level as they become less convenient in the effort to make them more secure.

Passwordless Authentication Is A Solution

The solution to this is the implementation of passwordless authentication systems. As the name suggests, passwordless authentication does away with passwords entirely. Other methods, such as biometrics, ensure that a user always has the proper “key” since all that’s required is a face, fingerprint, or other unique identifiers. 

If you’d like to learn more about multifactor authentication technology and passwordless security, look at Nok Nok’s products here.

The dangers of using a single-password-only system are by now well documented. If a user is lazy and uses simple, easy-to-remember passwords like “1234” or “password,” this is nearly as bad as having no password at all. At the same time, many people can’t remember a random 16 character string of random alphanumeric characters, and forcing them to do so can make a password system slower, more cumbersome, and more inefficient than it was ever intended to be. There are ways to implement security systems that use passwordless authentication.

In some respects, these are faster, more efficient, and more convenient than taking an existing, traditional password system and bolting on more laborious requirements to increase security. Key pairs are one way to make data safer than ever before.

Protecting Data

One of the safest ways to protect data is to encrypt and lock it. Encryption means that data is “rewritten” so that viewing it makes no sense; it appears to be random gibberish. Locking it means that it can’t be accessed by just anyone and requires specific interfaces, namely a key, to be able to open a file and view it. Keys can take many forms, whether that is an additional password, a biometric requirement, such as fingerprint, or for maximum security, the use of a key pair, which adds extra levels of authentication.

A key pair is an incredibly secure form of passwordless authentication for critical data. Users receive two cryptographic keys. One key, known as the “public key,” is selected from a public key cryptography function. The user then receives a “private key,” known only to the user.

Mixing Authentication Technologies

Now, if a user wishes to access data on a device, multiple authentication procedures are required, none of which require passwords. Unlocking a smartphone may require biometrics, such as a fingerprint or facial recognition. However, accessing the data requires the use of the public key. Even then, however, just having the data doesn’t mean being able to read it because it’s still encrypted and indecipherable. The private key is required to decrypt the data and render it once again in usable form.

By requiring two keys, a key pair system eliminates traditional, easier forms of cyber-attack such as phishing or “man in the middle” attacks that require a password. The two key requirement also means that even stealing one key doesn’t grant data access since both are required for access and decryption. 

If you’d like the added peace of mind from using FIDO key pairs to protect your customers, infrastructure and important data, read here to learn more.

Password systems have been used for many years because they were among the earliest and easiest to implement security systems. Unfortunately, as time has passed, these mechanisms, especially single-password systems, have proven inconvenient and highly vulnerable.

This is one of the reasons why the Fast Identity Online Alliance, or FIDO, has moved toward implementing password-free systems like biometrics. This, however, has presented its own set of challenges. More initiatives are now being taken to help overcome these barriers.

The Phone As Lock & Key

One of the challenges to password-free systems has been the inconvenience some experience over needing multiple authentication mechanisms for multiple devices. A password—even if this is ill-advised—can be applied to numerous devices and accounts. In contrast, some password-free mechanisms require peripherals like USB keys that are specific to one device and thus may require multiple peripherals for multiple devices, increasing the challenge and inconvenience of using them.

One approach to streamline this is to have a single device, such as a smartphone, act as a security token for multiple devices. So using the password-free system on a smartphone would grant access to a desktop computer, or a laptop, without needing to log separately into that device.

Multiple Devices

Another approach to make the experience more convenient and seamless is to assign a “private key” to multiple devices. This would mean that a user could use a smartphone, a PC log-in, or a physical USB key or token to authenticate password-free security requirements. Any of these devices would be accepted rather than requiring a specific token or device for one particular account.

These approaches make it faster and easier to use password-free systems, helping to wean users away from more traditional, vulnerable, and less convenient password-based security measures. This diminishes the impact of losing a specific phone or USB security token from granting rightful users access to their data.

Working Toward The Future

However, there are still issues that need to be considered moving forward. Larger tech companies such as Google or Microsoft use their own online “cloud” architecture to synchronize data across multiple devices. While this is convenient, the FIDO alliance must work closely with these tech and service providers to ensure that the stantards-based FIDO-enabled security on such cloud synchronization systems is strong enough to protect private data and access from theft, surveillance, or intrusion. It’s always a balancing act between security and user experience.

If you’re interested in using the FIDO protocol and moving to a passwordless authentication system, read here to learn more.

The war in Ukraine has put the entire world on high alert as the aggressor, Russia, extends its hostility not just to Ukraine but to sympathetic nations that try to come to the invaded nation’s aid. Unsurprisingly, as both a traditional rival and prominent sympathizer, the USA is at the top of the list. The hostility, however, comes not in the form of direct attack but cyber warfare.

Even before the sustained automated digital intrusions various US agencies and companies are experiencing now, Russia had already been using state-sponsored agents to test the waters. And on at least one occasion, human negligence provided an alternate route to bypass multifactor authentication safeguards.

Exploiting Vulnerabilities

In May of 2021, a Non-Government Organization experienced a rapid and successful intrusion of their systems despite having multifactor authentication protocols in place. State-sponsored Russian hackers exploited a documented vulnerability known as “PrintNightmare,” a security hole in print spooler software, which coordinates printing jobs among computers on a network. 

The PrintNightmare vulnerability, once exploited, allowed the hackers to spread their control and gain system privileges within the network. Once inside, they could disable multifactor authentication safeguards, edit registries, and browse directories at their leisure.

How It Happened

In this case, true MFA implementation would have prevented the state-sponsored hackers from gaining access to the system. Unfortunately, the hackers took advantage of older systems still in place. The intrusion occurred when the hackers discovered a registered but inactive account that still used password systems set to default.

By using traditional “brute force” methods to figure out the default password through the process of elimination, the hackers eventually gained access to the system without ever having to encounter the much stronger multifactor authentication systems. By using this “back door” of an inactive but still valid user account, they were able to register themselves within the MFA system and then use that as the foundation to move into the rest of the system, find the PrintNightmare vulnerability, and then exploit that to seize control of the network’s functions.

Take Precautions

The exploitation of an in-system vulnerability would never have occurred with more diligence. Allowing inactive accounts to remain valid with default passwords still in place provides a critical loophole to bypass much stronger multifactor authentication systems.

For a more secure system, always be vigilant. When switching to MFA safeguards, disable the older, more vulnerable password accounts and systems. A chain is only as strong as its weakest link.

If you’re interested in using the FIDO protocol and moving to a passwordless authentication system, read here to learn more.

As the integration of digital technology with everyday life continues, identity theft has quickly become one of the more popular and commonplace crimes of the 21^st century. Rather than the physical risk of robbing someone, or the legal risk of charges of mugging, identity theft is physically safe while at the same time capable of stealing far more funds than would typically be stored as cash in the average wallet.

Many tactics are used to achieve this, but one of the more effective and efficient ones is a technique known as the “Man In The Middle” attack.

How It Works

The Man In The Middle attack is the digital equivalent of a postal worker opening up mail, reading it for salient details such as credit card number or social insurance number, and then closing up the letter and delivering it to the mailbox. In other words, important data is taken, but the user is never aware that a theft has occurred.

One of the most common ways a Man In The Middle Attack is executed is by a criminal offering a free Wi-Fi spot. People who log in thinking they are taking advantage of free Wi-Fi fail to realize that all of their input, from their names to their passwords, is being monitored and copied by the Wi-Fi provider and decrypted. The criminal then takes that data to log into those accounts and seize control.

More active forms of Man In The Middle attacks include:

• IP Spoofing
• DNS Spoofing
• ARP Spoofing

While decryption techniques can run the gamut from HTTPS spoofing to SSL stripping.

Better Security Is Needed Like Passwordless Authentication

Man in the middle attacks is one of the reasons why improved security, such as passwordless authentication, is an important component of protecting data—a man in the middle attack intercepts and decrypts inputs. However, a passwordless authentication mechanism cannot be replicated by using a physical key with a digital code or biometric authentication. 

Even if a password has been stolen, it still cannot gain a thief access without the other passwordless authentication components, such as the key, or a fingerprint, face, eye, or another biometric requirement. Multi-authentication security methods add extra layers of protection to defeat these more sophisticated forms of crime.

Man in the middle attacks and other forms of cybercriminal intrusions rely on vulnerabilities such as single password authentication systems. However, improved security measures, like FIDO protocols, can help to repel these kinds of cyber security breaches. Read here to learn more. 

Microsoft is one of the largest, oldest technology companies globally, having been an integral part of the computer revolution that started in the 1980s. Okta is a large, successful software company specializing in identity control and user authentication for other companies (known as IAM security software). Despite those impressive pedigrees, both companies have been successfully hacked by an up-and-coming criminal group known as “Lapsus$.” But how did it happen and was multifactor authentication used?

Who Is Lapsus$?

Lapsus$ is a cybercrime group that originally started in Brazil. As with other hacker groups, the online nature of cybercrime means that membership is not strictly limited to the country of origin. They are a recent arrival on the digital crime scene, having begun operations only in December of 2021.

However, they have already been confirmed to have successfully infiltrated the likes of Korean electronics giant Samsun, graphics card manufacturer Nvidia, and even the game developer and publisher Ubisoft. They specialize in going after corporate targets, stealing confidential data, and releasing it unless a ransom is paid.

What Happened To Okta?

Okta immediately informed the affected clients while publicly stating only 2.5% of their total clientele was impacted by the intrusion. After conducting an investigation, they concluded that a support engineer had left a laptop vulnerable for five days, and the laptop was likely hacked during this period.

In this case, it wasn’t a situation where Okta’s internal security failed, so much as negligent security measures by an individual engineer resulted in an account-takeover and access to the compromised system.

What Happened To Microsoft

Microsoft had over 40 GB of data stolen and publicly disclosed online, including source code for software like Cortana and Bing. When Microsoft conducted their investigation, they discovered that a single account was responsible for the data theft, but the account had not been hacked, as proper authentication had granted access.

In this case, the account was compromised by “social engineering,” where hackers deceive a user into voluntarily giving up account details, usually by either posing as an official or installing malware on a USB key that a user thinks contains other types of data so that when it is installed on a system, it seizes control. 

Key-based Multifactor Authentication Makes A Difference

This is why the discipline to implement and use key-based multifactor authentication is so crucial. Stealing a password for a specific device or online account is easy. With this type of multifactor authentication involving key-pairs, additional gates and checks are added so that a password is not enough to grant account access. However, multifactor authentication only works when people have the discipline to follow it and the resilience to take on the extra work of using a second authentication factor – such as SMS-OTP or emailed codes.

If you’re interested in using the FIDO protocol and moving to a key-based passwordless authentication system, that provides the maximum security to prevent phishing and other ways of executing account takeovers read here to learn more.

Large technology companies amass huge amounts of personal data from their users. Because of this, they work hard to assure both customers and shareholders that the data is safe and can’t be easily stolen through the more conventional methods of hacking and intrusion. For two of the largest tech companies globally, Apple and Meta—the parent company of Facebook—this is certainly the case. However, even the largest corporations can sometimes fall for well-implemented deceptions, and that’s exactly what happened in a case of bold social engineering.

The Human Factor

Social engineering refers to attacking the weakest link in most security chains, human error. Social engineering tricks a victim into voluntarily performing an action that would compromise an otherwise secure system by gaining trust, exploiting greed, provoking fear, or other psychological manipulation tactics.

In the case of both Apple and Meta, the social engineering tactic here was for hackers to impersonate law enforcement officers and send emergency data requests. This legitimate legal request overrides the requirements of presenting a subpoena, warrant, or other court-approved documents before needing to comply. The Apple and Meta employees faced with these bogus emergency data requests complied and handed over IP addresses, mailing addresses, and phone numbers.

The Ongoing Challenge

While embarrassing, especially for companies that typically use up-to-date security measures such as biometrics and other forms of cyber security, neither Apple nor Meta have disclosed the full amount of data given to the hackers. But it is a testament to the ambition of criminals that regardless of the cyber security measures taken, some criminals refuse to give up and resort to the most extreme measures to get the data they want.

Biometrics, USB encryption, decryption keys, and other passwordless authentication methods are all incredibly efficient forms of cyber security. However, they are forms of personal protection, giving individuals the security they need to restrict access to their data. There is no accounting for what happens when a social engineering scheme works at the very “top” of the pyramid, with the data technology companies themselves, who can override any security and provide data on request if they are presented with legitimate, verifiable legal requests, or fall prey to believing a request is legitimate without securing more verification from the parties making the request.

Apple’s Change

Apple joined the FIDO Alliance in the Fall of 2020 a new global standard in the world of passwordless authentication. Apple has now authored a multi-device FIDO standard known as “Passkey” which allows a user to use a FIDO private key to access their Apple accounts. If a device is lost or replaced, the FIDO private key can be recovered from another Apple device owned by the user. With Apple joining the other 340 FIDO Alliance members, the global establishment of the FIDO alliance is considered complete.

It’s crucial, however, for every company to take its own cyber security seriously. Your data on your systems and networks need to be protected. If you’re interested in using the FIDO protocol and moving to a passwordless authentication system, read here to learn more.

One of the more recent trends in computing for work has been the arrival of “the could,” or, more accurately, the storage of data and applications online. Rather than have data or software stored and accessed directly on the local storage of a physical device, such as a computer or smartphone, the data or software is instead stored online. A device merely goes to the appropriate platform on the Internet to access the data or functionality. This became crucial in the last two years as the pandemic made working from home and other forms of hybrid work essential for health and safety reasons. However, it also meant that digital crime is now turning its attention to this new frontier which means the need for more cyber security.

The Workload Cyber Security Risk

One of the biggest challenges in cyber security is that identity theft can result in a single individual’s resources being compromised. In other words, if someone’s credit card is stolen, that person’s credit purchases are now controlled by external actors.

However, cyber security for cloud-based computing is even more problematic. A cloud-based work solution allows a person—or criminal—access to their work from anywhere in the world, rather than on a single local machine and hard disk. Now, depending on the workload of that individual and the extent of their administrative privileges, the amount of authority and access of a cyber attack can be devastating. If a single executive has a workload that comprises all the subordinates’ data below, that is access to huge amounts of data. If this is spread across different cloud services such as Microsoft’s Azure, or Amazon Web Services, the risk becomes greater.

Taking Steps

Companies must now consider workload management and protection as well as identity protection. Without protecting a single user’s workload, broader access to other systems and data creates significant cyber security risks.

Companies need to consider better safeguards, such as integrating multifactor authentication systems or biometrics to decrease vulnerability from a single-password security system. For example, the use of digital keys eliminates the danger of secure information needing to be transmitted online at all. However, companies must also carefully assess how their workloads occur, who manages them, and how vulnerable those workloads are to intrusion for a truly secure system.

Cloud-based storage and computing are incredibly efficient and convenient, but they must also be properly protected. To ensure better security for your cloud-based work practices, learn more about Nok Nok’s multifactor authentication technology and passwordless security measures.