In this guest article, industry icon Jim Routh offers his unique perspective on user credential security. I hope you find Jim's article below useful.
Back at MIT in 1960, Fernando Corbato developed the password while establishing the Compatible Time-Sharing System (CTSS), enabling file permissions for registered users. Sixty years later, user IDs and passwords have served enterprise security remarkably well.
Credentials (user ID and password combinations) remain the predominant method for enabling on-line authentication today on the vast majority of websites, mobile applications and Software as a Service (SaaS) applications. Many cyber professionals advocate increasing the strength of passwords (more complexity, upper and lower case, special characters, lengthy phrases, etc.) to improve the effectiveness of passwords as an authentication mechanism.
We’re now facing a new reality: for enterprises today, the use of passwords as an effective authentication method is growing obsolete, and the primary reason is how they are being applied across multiple websites and mobile applications.
Most digital consumers have more than a hundred websites, SaaS and mobile applications that require unique passwords, and whether they remember the credentials for each website or mobile application is directly related to how often they use it. The enterprise wants frequent interaction, so that opportunities to increase brand awareness grow. The digital consumer wants convenience and easy access to their data. Consumers re-use passwords across sites to reduce the number of passwords they need to remember. The inherent problem is not necessarily with the credential itself but rather with how it is being used (or re-used) by consumers across digital assets.
The most effective way to understand this growing obsolescence of credentials is to look at it from the perspective of a cyber-criminal. Over the past five years, cyber criminals figured out that it is easier to use credentials to break into systems than to exploit vulnerabilities in hardened systems. The tools and credentials available to threat actors enable them to use automation to take over on-line accounts at scale with few constraints.
Technical skill is no longer a prerequisite for the cyber-criminal who seeks on-line account access using active credentials. Their first step is to acquire credentials (user IDs and passwords) in bulk through fraud forums on the Dark Web in exchanges with other cyber criminals. There are billions of credentials available. The second step is to use a tool like Sentry MBA (a commercial software product designed to enable individuals to initiate authentication attempts at scale on websites of their choosing) to try out the credentials on active websites. This typically results in a 2% success rate due to the increasing use of the same password across multiple sites by digital consumers.
If a criminal has access to 10,000 of the billions of credentials available on the Dark Web and uses an automated tool to apply them to websites, it can yield ownership of 200 on-line accounts. That gives them access to account information, which they monetize through downstream fraud tactics (aggregating the data and offering it for resale, setting up linkages to money-mule accounts or making fraudulent purchases). This approach is called “credential stuffing” since it is done using credentials in bulk. Billions of credentials are available to cyber criminals, with few constraints on using active credentials to commit fraud.
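The pattern described above (one automated source cycling through many stolen user IDs with a success rate around 2%) looks very different in authentication logs from a legitimate user retrying a forgotten password, and that difference is what a defender can alert on. The following detector is an added example, not code from the article; the log format, IP addresses, user IDs and thresholds are constructed for illustration.

```python
from collections import defaultdict

def build_sample_log():
    """Construct sample log lines (not real traffic), one per attempt, in the
    assumed form '<timestamp> <source_ip> <user_id> <OK|FAIL>'."""
    lines = []
    # 203.0.113.5: one source trying 50 distinct user IDs with a single success (2%)
    for i in range(50):
        outcome = "OK" if i == 17 else "FAIL"
        lines.append(f"2024-01-01T10:00:{i:02d}Z 203.0.113.5 user{i:03d} {outcome}")
    # 198.51.100.9: one person mistyping their own password, then succeeding
    for i, outcome in enumerate(["FAIL", "FAIL", "FAIL", "OK"]):
        lines.append(f"2024-01-01T10:05:{i:02d}Z 198.51.100.9 alice {outcome}")
    return "\n".join(lines)

def parse_log(text):
    """Parse the constructed format into (timestamp, ip, user, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, user, outcome = line.split()
        events.append((ts, ip, user, outcome == "OK"))
    return events

def source_stats(events):
    """Per source IP: attempt count, success count and the set of user IDs tried."""
    stats = defaultdict(lambda: {"attempts": 0, "successes": 0, "users": set()})
    for _ts, ip, user, ok in events:
        s = stats[ip]
        s["attempts"] += 1
        s["successes"] += int(ok)
        s["users"].add(user)
    return stats

def detect_stuffing(events, min_attempts=20, min_users=10, max_success_rate=0.05):
    """Flag sources that look like automated credential stuffing: many attempts,
    spread over many distinct user IDs, with a low success rate. Thresholds are
    assumed starting points; tune them to the site's real traffic."""
    flagged = {}
    for ip, s in source_stats(events).items():
        rate = s["successes"] / s["attempts"]
        if (s["attempts"] >= min_attempts and len(s["users"]) >= min_users
                and rate <= max_success_rate):
            flagged[ip] = {"attempts": s["attempts"],
                           "distinct_users": len(s["users"]),
                           "success_rate": rate}
    return flagged

if __name__ == "__main__":
    for ip, info in detect_stuffing(parse_log(build_sample_log())).items():
        print(ip, info)
```

The legitimate retry source is not flagged because it touches a single user ID and ends in success, while the stuffing source trips all three conditions.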
Enterprise systems have been using credentials as a primary authentication technique based on the fundamental premise that the enterprise user or consumer is the only one who knows the credentials, making this an effective technique for determining the identity of the user/consumer. All IT professionals were taught that on-line authentication is an event with a beginning and an end. The outcome of the authentication event is always binary: successful access to the system or no access. If access is enabled, then the digital user is trusted with the account information and transaction capabilities provided in the application. If authentication fails, then access is not enabled, and the user/consumer is not trusted with access to the functionality of the application.
As a result, cyber security professionals today consider adding further binary authentication techniques to credentials, using several factors in what is most often called Multi-Factor Authentication or MFA. The working premise of MFA is that if the credentials are compromised, the system can rely on a second factor before granting access to the application. The consumer has to remember how to enter the user ID and password combination, then receive a one-time password (OTP) sent through text message, for example, and enter the OTP in the website log-in page to obtain access. This approach adds friction for the threat actor who was able to obtain the active credentials and results in more effective security and risk management. This approach, however, also adds friction for the digital consumer or enterprise user.
There are alternative MFA options to consider, but for most enterprises these options are designed to fit into the construct of an authentication event. Binary authentication techniques can be defeated by threat actors. The addition of a factor makes it more difficult for the threat actor/cyber-criminal while also creating friction for the digital consumer. Cyber professionals believe the consumer friction is simply part of the cost of protecting sensitive consumer data. Cyber professionals consistently treat MFA options as trade-off decisions between digital friction for the consumer and friction for the threat actor, based on the sensitivity of the data at risk. Highly sensitive data requires more friction. Less sensitive data requires a lower level of friction. Cyber professionals are asked to “facilitate” the trade-off decision process for determining the tolerance for consumer friction necessary to protect on-line data of a given sensitivity. As a board member, you have an opportunity to encourage management to consider password alternatives that reduce consumer friction while improving risk management.
Enterprises that accept the need for consumer friction and implement an MFA approach recognize that a large percentage of on-line consumers choose not to adopt the MFA option and avoid use of the on-line capability. Many try to use the MFA capability and give up during the registration process, opting to simply reset their password on the few occasions when they need to use on-line functionality. To them, the friction is not worth the benefits of on-line functionality. In some cases, enterprises see 30-50% of digital consumers avoid the friction of MFA options, opting out of or avoiding account registration.
Estimates of the share of web traffic to popular consumer digital sites that comes from criminals attempting authentication run from 50-90%. That means that if an enterprise is highly successful and cultivates a digital brand for consumers, then the majority of web traffic hitting their load balancers and web application servers is from criminals attempting to steal customer data. A large and growing percentage of an enterprise’s IT infrastructure cost for digital assets is subsidizing criminal web traffic attempting authentication on their systems. The simple economic viability of this model is not sustainable for any enterprise over time. The cost of providing digital capacity to criminals is not in the shareholders’ best interest. Credential theft is the heart of the problem.
An easy way for you to understand how widespread the use of credential stuffing by threat actors has become is to search for the number of YouTube videos available that demonstrate how to use Sentry MBA for credential stuffing (over 200,000). That is an indication of how widespread credential stuffing is as a tactic; there are thousands of videos with the same purpose: to teach criminals how to perform credential stuffing attacks.
A few enterprises that have dealt with the practical challenges of MFA implementation along with the resulting consumer friction are attempting to fundamentally change the rules for enterprise authentication for the next sixty years without relying on credentials. The potential results for these enterprises include:
Better online security with less consumer friction at a lower cost sounds too good to be true. I don’t understand why more enterprises are not applying this model today. It is not because the technology does not exist; there are enterprises that have had this in production for several years and recognize the benefits.
What I am certain of is that for an enterprise to consider a model that reduces consumer friction while improving security at a lower operating cost, it must come to grips with its ability to un-learn something foundational in the definition of enterprise authentication. IT professionals were taught that authentication was an event with a beginning and an end. The outcome was binary: success in gaining access or not. Adding binary authentication techniques to an authentication event always adds consumer friction, and a threat adversary can always find ways to break it.
Considering authentication as a continuous process instead of an event changes the paradigm and opens up whole new possibilities. For example, an enterprise can capture on-line behavioral attributes from the consumer and develop a pattern of behavior for each specific attribute, represented as a number or algorithm (a mathematical representation of an event). This becomes a baseline reference; the attribute data is then captured in real time during a web or mobile session and compared to the baseline or pattern. This results in a deviation score for that attribute at that point in time. Combining the deviation scores from multiple attributes yields a single aggregated score that determines a confidence level. That confidence level score can be fed to any application in real time to enable it to take action within specific, pre-determined threshold levels. If the confidence level is high, then full access to the website functionality is provided. If the confidence level drops below a pre-determined threshold, then access is restricted. The single confidence score (or deviation score) can be used by multiple applications with different actions or consumer treatment options based on the sensitivity of the data.
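The baseline, per-attribute deviation score, aggregated confidence level and per-application thresholds described above, carried through in code as an added example (not the article's or any vendor's implementation). The attribute names, session values, z-score deviation, exponential aggregation and policy thresholds are all assumptions chosen for illustration.

```python
import math
from statistics import mean, pstdev

# Constructed sample data (assumption, not real telemetry): a consumer's past
# sessions for three behavioral attributes, then two live sessions to score.
SAMPLE_HISTORY = {
    "typing_ms_per_char": [180, 190, 175, 185, 200],
    "scroll_px_per_sec": [300, 320, 310, 290, 330],
    "login_hour": [20, 21, 19, 22, 20],
}
NORMAL_SESSION = {"typing_ms_per_char": 186, "scroll_px_per_sec": 310, "login_hour": 20}
ANOMALOUS_SESSION = {"typing_ms_per_char": 60, "scroll_px_per_sec": 900, "login_hour": 3}
# Thresholds are set per application according to data sensitivity (assumed values).
LOW_SENSITIVITY_POLICY = [(0.7, "full_access"), (0.4, "restricted_access"), (0.0, "deny_and_step_up")]
HIGH_SENSITIVITY_POLICY = [(0.9, "full_access"), (0.6, "restricted_access"), (0.0, "deny_and_step_up")]

def build_baseline(history):
    """Baseline pattern per attribute: (mean, population stdev) of past sessions.
    The stdev is floored so a constant attribute cannot divide by zero."""
    return {a: (mean(v), max(pstdev(v), 1e-6)) for a, v in history.items()}

def deviation_scores(baseline, observed):
    """Deviation score per attribute: how many standard deviations the live
    value sits from this consumer's own pattern (absolute z-score)."""
    return {a: abs(observed[a] - m) / sd for a, (m, sd) in baseline.items() if a in observed}

def confidence_score(deviations, weights=None):
    """Aggregate many deviation scores into one confidence level in (0, 1]:
    exp(-weighted mean deviation), so no deviation gives 1.0 and large
    deviations drive the score toward 0."""
    weights = weights or {a: 1.0 for a in deviations}
    total = sum(weights[a] for a in deviations)
    weighted = sum(weights[a] * d for a, d in deviations.items()) / total
    return math.exp(-weighted)

def access_decision(confidence, policy):
    """policy: (min_confidence, treatment) pairs ordered high to low; the same
    confidence score maps to different treatments under different policies."""
    for threshold, treatment in policy:
        if confidence >= threshold:
            return treatment
    return policy[-1][1]

if __name__ == "__main__":
    base = build_baseline(SAMPLE_HISTORY)
    for label, session in (("normal", NORMAL_SESSION), ("anomalous", ANOMALOUS_SESSION)):
        conf = confidence_score(deviation_scores(base, session))
        print(label, round(conf, 3), access_decision(conf, LOW_SENSITIVITY_POLICY),
              access_decision(conf, HIGH_SENSITIVITY_POLICY))
```

The normal session scores about 0.88, which is full access for the low-sensitivity application but only restricted access for the high-sensitivity one; the anomalous session scores near zero under both.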
All of this can be performed without any action taken by the digital consumer, so they don’t experience friction. Consumers can choose their preferred method of authentication when they purchase and set up their cell phones, laptops or tablets. A standard called FIDO 2.0, agreed on by device manufacturers and carriers, is used across manufacturers, enabling iPhone consumers to select authenticators (Touch ID, Face ID) and Android consumers to select fingerprint authentication using the FIDO 2.0 standard. The fingerprint never leaves the device and is protected, but a validation is confirmed using the FIDO 2.0 standard (WebAuthn). This way the digital consumer chooses their authentication approach, and this choice is incorporated into the enterprise’s continuous behavior-based authentication model. Account takeover is no longer feasible since there are no more credentials to be compromised. The digital experience is improved for the consumer since there is no need for passwords. No more help desk calls to reset passwords means lower costs.
The same continuous behavior-based authentication model will work across channels (web, mobile, voice), offering better risk management and a better consumer digital experience, and enabling the consumer to choose both the channel and the authentication experience.
Today there are many alternatives to using passwords for authentication and many vendors promoting their use of “passwordless authentication.” These types of solutions represent a positive step forward toward a better authentication experience and should be considered within the context of improving the digital consumer and user experience.
Is your enterprise considering a strategy for eliminating credentials today? It may be a good time to ask management why they are not considering evolving their digital authentication strategy to improve the consumer experience with better security and a lower cost.