Identity has become the last best line of defense and phishing is back on the rise. We can attribute identity-based attacks to at least 80% of the most recent notable attacks. The idea behind all of the recent attacks is to steal the shared secret identifying someone.
In this article, I would like to cover a few of the limitations of our current state of the art of authentication with Multi-Factor Authentication (MFA) and passwords. I’ll then discuss the advantages and disadvantages of FIDO-based passwordless solutions. Last, I will cover what is missing to help us move toward more resistant systems.
Passwords have been around since, well, people needed to go through walls. In WWII, American soldiers used the password response “thunder” to prove their identity, as it was thought enemies could not pronounce the “th” sound.
The idea is simple: if Alice wants to identify Bob, she will ask him to say a passphrase, something they both know. The same is true for secret questions, I ask something only the real person will know.
Unfortunately, nothing is a secret in an internet, Facebook, and TikTok-based world.
In computer science, most machines take the words you typed, make them into a one-way hash, keep it in a big database, and hope for the best. Because we value protecting the data in rest more than in transit, and we assume the data is encrypted in flight, passwords can be easily intercepted with AiTM attacks and simpler methods like asking for them via email.
So why are passwords still around?
They are built into every single OS and system out there
Regulation, regulation, and more regulation.
They are super easy to create, replace and use.
The best-known example of a shared secret is the caesar cipher. In this cipher, you simply move your alphabet a few characters back, such as in the below.
Unfortunately, in the computer era, guessing such ciphers is easy. But the idea is simple. There is a well-known method, but we both have the same key. Key fobs and digital fobs work the same way; they present a number based on time or event and present a number. The algorithm is based on a seed secret.
In most cases, if you know two consecutive codes, you can guess the next number fairly easily. How about we don’t share any secret at all? We can just hit OK on the phone, I can even force entering some verification code. But the idea remains the same: I have an SSO application, it sends a secret to a phone application, and that (as well as other parameters) is used to authenticate.
This seems awesome, so what’s wrong with them? Well, not much besides several big issues:
Not all factors are born equal. While SMS and phone calls have a server-side seed shared secret, the infrastructure that they run on has been compromised now several times.
MFA flood. MFA flood attacks are now very common. These attacks will overwhelm the end user with notifications until they are fatigued enough to accept the prompt. Check out the video below for more detail on this.
Phishing attacks. Attackers are now asking for two consecutive codes as part of their phishing campaigns. The phishing pages are designed to look like a token registration site.
Privacy issues. Most of the effective technologies require installing an application on your phone that tracks usage, location, and other PII.
Provisioning. Assigning a fob (or two if you need backup) to every employee takes time.
Modern passwordless solutions are based on the Fast Identity Online (FIDO) set of standards. In their own words, “ FIDO Authentication provides a simpler user experience with phishing-resistant security. With FIDO Authentication, users sign in with phishing-resistant credentials called passkeys. Passkeys can be synced across devices or bound to a platform or security key and enable password-only logins to be replaced with secure and fast login experiences across websites and apps.”
FIDO Alliance diagram of multi-device vs single-device credentials
We’ve seen plenty of progress. Interoperability means using a standard agreed upon between the hardware vendor, Service Provider, and IDPs, allowing for wide ecosystems and avoiding vendor lockdown between IDP and authenticator provider. The latter allows for better privacy, allowing OS vendors such as Google, Apple, and Microsoft to remove the need to install a dedicated app.
Using PKI (Public Key Infrastructure) also improves privacy as the token is unique to an application and Authenticator pair. It also opens the opportunity for tight device binding without needing a VPN.
Despite all of these advances, many of the old issues remain. You still need to get the fobs in peoples’ hands, and there is no magic. There are last-mile services that include identity verification, but try doing that in a global company with a distributed workforce is tricky.
I recently heard somebody use the analogy of watches to explain how phishing-resistant these new forms of authentication are.
A “water resistant” watch will resist water to a certain degree, but not entirely. In fact, if you submerge some of these watches, you will almost certainly experience water damage. However, if a watch is waterproof, you can submerge, swim, and dive without any water permeating the watch.
Similarly, these new forms of authentication are not phishing-proof. Instead, they are phishing-resistant to varying degrees. Several types of phishing can still be successful:
iCloud Attacks. Passkeys are synced with iCloud Keychain, making them available across all Apple devices. If someone is logged in to your iCloud on their device, they can now use those passkeys. This isn’t specific to Apple, either. This is possible with Google Sync.
AirDrop. Ease of sharing is nice, but with the new ability to share passkeys over AirDrop, the risk of someone else accessing your accounts increases.
Session Hijacking. If attackers target your session cookies and hijack your sessions, the strength of your MFA factor is irrelevant.
This doesn’t mean you shouldn’t shift to phishing-resistant factors: you absolutely should. Just be aware that this will not make you immune to account takeovers. Of all the types of phishing-resistant, passwordless provides the most exciting option for reducing the risk of phishing.
The rise of passwordless shows that we’ve made some great progress on the security of the technology for authentication. This will mean the weak spot now moves over to the human element. Specifically, I’m referring to the provisioning and reset process.
The first issue is a logistical one. How do we get everyone registered? How are those delivered? I just met a customer from the RSA days who had to refresh 250k tokens.
Second, how do you initially verify the identity of the user?
Third, no matter how strong the method, you will need to reset the MFA. Physical factors are great until you leave them in the car or (as you can see below) they break. How do we reset these factors in this case? How do you know that when someone calls and says they lost their phone, it’s them?
Finally, we will need to find ways to deal with the problem population. This will require flexibility in how different users authenticate and provide different solutions that suit their needs. Companies often will enable SMS-based authentication as an option for a small number of users, only to find 50% of the workforce have registered SMS and are using it as their primary method.
There will always be exceptions and excuses, but we need to get 100% of our workforce to adopt phishing-resistant. This won’t happen overnight. I recommend taking a Kaizen approach – incremental improvement adds up to substantial change over time. If you’re stretched on time, then prioritize. Start by enrolling the most targeted accounts and those with access to most data, such as administrators and executives.
At the same time, we must remember that this does not make us infallible, and there will always be attacks that make it through. We need to continue to apply a defense-in-depth approach to identity security and, bit by bit, improve our identity security posture.
Ryan Rowcliffe, CTO of HYPR, recently sat down on the Didi and Lital Podcast to discuss FIDO and Passwordless. Watch the video below!