Fight Insider Threats with Passwordless Authentication
What Is an Insider Threat?
Formally speaking, an insider threat is any vulnerability, exploit, or potential means of attack created, intentionally or unintentionally, by legitimate users within the organization. These ‘insiders’ may be current or former employees of the attacked organization, or outsiders contracted to perform services and given lawful access by the company. In the context of cybersecurity, insider threat usually refers to the use of legitimate, often privileged, accounts to abuse resources, interfere with processes, or access sensitive data.
Needless to say, the ramifications of an attacker gaining access through or as a trusted insider can be overwhelming for any organization. The dramatic increase in remote access needs due to COVID-19 has made this eventuality both more probable and more frightening. Managing access privileges, authentication security and user monitoring has become a huge task for IT teams serving thousands of employees connecting from just about anywhere, at any time.
This is why security professionals are increasingly worried about this elusive threat, and why companies in all industries are investing tremendous resources in preventing such attacks.
Types of insider threats
Insider threats come in several varieties, depending on the participating actors and their intents:
- “Turncloaks” – These are malicious individuals who abuse their network privileges and insider knowledge to carry out criminal activities. These insiders might be working for personal monetary gain or in the service of an external attacker.
- “Pawns” – Careless or naive employees who unintentionally create system vulnerabilities or share sensitive data. They are the most common type of insider threat, typically falling victim to social engineering schemes, malware, or a poor understanding of security practices.
- “Imposters” – Perhaps most damaging, these are external attackers using compromised credentials to gain unauthorized access to company assets. Because they log in with a legitimate user’s credentials, they can inflict massive damage or perform corporate espionage for long stretches of time before being blocked or caught.
What Is Passwordless Authentication?
Passwordless authentication is an increasingly popular method of verifying identities without requiring passwords or other memorized information. It is based on a secure combination of ‘possession factors’ and ‘inherent factors’, rather than knowledge-based ones.
Possession factors are objects that users hold, such as smartphones or physical USB tokens, whereas inherent factors are elements that are unique to and inseparable from users, such as fingerprints or voice signatures.
Strong passwordless solutions (FIDO2/WebAuthn is the common standard) combine these factors with public-key challenge-response: the server issues a one-time challenge, the authenticator signs it with a private key that never leaves the device after the user has been verified locally (biometric or PIN), and the signature also covers the origin of the site requesting the login. Many products add an out-of-band channel, such as a push notification to a registered phone, on top of this. Because no shared secret is ever transmitted, intercepted traffic yields nothing reusable, and a challenge signed for a look-alike site is rejected by the real one. This makes the exchange between authenticator, client and server resistant to credential phishing, replay and Man-in-the-Middle attacks, although it does not protect against a compromised endpoint that hijacks an already authenticated session.
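The following is an added example, not code from the original article or from any particular vendor. It models the challenge-response described above in Go with the standard library’s Ed25519: the authenticator holds the private key, the server stores only the public key, the RP ID and a signature counter, and every check in `Verify` corresponds to one of the attacks this article discusses (replayed assertion, phished assertion from a look-alike origin, stolen device without user verification, cloned key). The RP ID `login.example.com`, the origins, the user name and the 37-byte authenticator-data layout are constructed for the example and simplified relative to the real WebAuthn encoding.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const challengeLen = 32

// Credential is the server-side record: public key only, the RP ID the key
// was bound to at enrollment, and the last signature counter seen.
type Credential struct {
	UserID    string
	CredID    []byte
	PubKey    ed25519.PublicKey
	RPID      string
	SignCount uint32
}

// Authenticator models the user's device; the private key never leaves it.
type Authenticator struct {
	credID []byte
	priv   ed25519.PrivateKey
	rpID   string
	count  uint32
}

// Assertion is the signed response for one login attempt.
type Assertion struct {
	CredID     []byte
	AuthData   []byte // sha256(rpID) || flags || 32-bit counter (simplified layout)
	ClientData []byte // challenge || origin as observed by the browser
	Signature  []byte
}

// Enroll generates a key pair on the device and returns the server record.
func Enroll(userID, rpID string) (*Authenticator, Credential, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	credID := make([]byte, 16)
	if err == nil {
		_, err = rand.Read(credID)
	}
	if err != nil {
		return nil, Credential{}, err
	}
	return &Authenticator{credID: credID, priv: priv, rpID: rpID},
		Credential{UserID: userID, CredID: credID, PubKey: pub, RPID: rpID}, nil
}

// NewChallenge is the server's fresh per-login nonce; it is never reused.
func NewChallenge() ([]byte, error) {
	c := make([]byte, challengeLen)
	_, err := rand.Read(c)
	return c, err
}

// Sign is the client side. The browser, not the page, supplies the origin,
// so a look-alike site cannot claim to be the real one.
func (a *Authenticator) Sign(challenge []byte, origin string) Assertion {
	a.count++
	rpHash := sha256.Sum256([]byte(a.rpID))
	authData := append([]byte{}, rpHash[:]...)
	authData = append(authData, 0x05) // flags: user present (0x01) + user verified (0x04)
	counter := make([]byte, 4)
	binary.BigEndian.PutUint32(counter, a.count)
	authData = append(authData, counter...)
	clientData := append(append([]byte{}, challenge...), []byte(origin)...)
	cdHash := sha256.Sum256(clientData)
	msg := append(append([]byte{}, authData...), cdHash[:]...)
	return Assertion{CredID: a.credID, AuthData: authData, ClientData: clientData,
		Signature: ed25519.Sign(a.priv, msg)}
}

// Verify is the server side; it updates cred.SignCount on success.
func Verify(cred *Credential, challenge []byte, expectedOrigin string, as Assertion) error {
	if !bytes.Equal(as.CredID, cred.CredID) {
		return errors.New("unknown credential ID")
	}
	if len(as.AuthData) != 37 || len(as.ClientData) < challengeLen {
		return errors.New("malformed assertion")
	}
	// Replay: the signed data must carry the challenge issued for this attempt.
	if !bytes.Equal(as.ClientData[:challengeLen], challenge) {
		return errors.New("challenge mismatch: stale or replayed assertion")
	}
	// Phishing: the signature covers the origin the browser saw.
	if origin := string(as.ClientData[challengeLen:]); origin != expectedOrigin {
		return fmt.Errorf("origin %q does not match %q: possible phishing", origin, expectedOrigin)
	}
	rpHash := sha256.Sum256([]byte(cred.RPID))
	if !bytes.Equal(as.AuthData[:32], rpHash[:]) {
		return errors.New("RP ID hash mismatch")
	}
	// Stolen device: insist that the device verified the user (biometric or PIN).
	if as.AuthData[32]&0x04 == 0 {
		return errors.New("user verification not performed")
	}
	cdHash := sha256.Sum256(as.ClientData)
	msg := append(append([]byte{}, as.AuthData...), cdHash[:]...)
	if !ed25519.Verify(cred.PubKey, msg, as.Signature) {
		return errors.New("invalid signature")
	}
	// Cloned key: a counter that fails to advance means two copies are in use.
	count := binary.BigEndian.Uint32(as.AuthData[33:37])
	if count <= cred.SignCount {
		return errors.New("signature counter did not increase: possible cloned authenticator")
	}
	cred.SignCount = count
	return nil
}

func main() {
	const origin = "https://login.example.com" // constructed sample origin
	auth, cred, err := Enroll("alice", "login.example.com")
	if err != nil {
		panic(err)
	}
	ch, _ := NewChallenge()
	fmt.Println("genuine login:", Verify(&cred, ch, origin, auth.Sign(ch, origin)))
	ch, _ = NewChallenge()
	fmt.Println("look-alike origin:", Verify(&cred, ch, origin, auth.Sign(ch, "https://login-example.com")))
}
```

Note that a real browser would refuse to use the credential for an origin outside the registered RP ID before anything is signed; the origin check in `Verify` is the server’s second line of defence. The counter check is what turns a silently cloned key into a detectable event, which is why the audit trail in the last section can tie each login to one registered device.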
What are the benefits of passwordless authentication?
- Better security – Weak passwords and hard-to-enforce password policies create significant vulnerabilities in all systems and applications. With passwordless authentication there is no shared secret to guess, steal or replay, so password brute-forcing, credential stuffing and credential phishing no longer apply. It also gives security teams tighter control over credential and token use, since each login is bound to a registered device, and reduces the threats created by credential sharing.
- Improved user experience (UX) – creating and memorizing passwords is often a challenge for users. Passwords can also cause frustration when users need immediate access but have to wait for passwords to be reset or for reminders to be sent. Passwordless methods can help users access work assets and tools faster by eliminating the need to remember secrets or request assistance.
- Cost reduction – the constant helpdesk needs generated by a workforce dependent on old-fashioned passwords are immense. Passwordless authentication dramatically reduces these support requirements and saves huge budgets for IT departments.
How Passwordless Authentication Can Help With Insider Threats
Implementing passwordless authentication can help protect you from both intentional and unintentional insider threats. Here are a few examples of how you can negate insider threats with these methods:
- Shared or stolen credentials
Insider threats often stem from employee negligence or abuse of trust. In terms of negligence, many insider threats occur because employees unintentionally share their passwords or credential information, sometimes with the best of intentions, such as helping colleagues or wanting to speed up work.
At other times, users may fall for phishing scams or fake log-in portals designed to steal credentials. Or, they may simply and naively reuse passwords from less secure sites, enabling attackers to build lists for credential stuffing attacks.
Even seemingly harmless acts, such as keeping post-its with passwords on them can be abused. For example, malicious coworkers may use publicly displayed passwords to access systems with another’s credentials. Or third-parties in your workspaces, such as contractors, customers, or cleaning crews may take advantage of it.
Passwordless systems remove the opportunity for credentials to be reused, shared or written down: there is no password to put on a post-it. Since entry requires a registered device holding a private key that cannot be exported, plus a local biometric or PIN check, the chance of theft or spoofing is all but removed.
- Loss or theft of devices
Often, employee devices contain sensitive information, including saved credentials. Ideally, the devices themselves are protected with authentication measures but this isn’t always the case, especially with personal devices. In the wrong hands, these devices can be abused and can become very worrisome threats.
Passwordless authentication solutions help here by splitting the login across a registered authenticator and a local user-verification step, rather than storing anything on the device that can simply be read out. Because no password is stored, there are no saved credentials to harvest and no automatic log-ins for a thief to exploit.
If a device is stolen or found by an attacker, they still need the registered authenticator to access systems and data. Users may lose both the device and the authenticator together, but this is much less likely, and even in that scenario the biometric (or PIN) user-verification step on the authenticator prevents unauthorized access. Registered credentials should still be revoked promptly when a device is reported lost.
- Better Auditing and Visibility
Phishing attacks, password reuse, and sharing of credentials are common issues when relying on standard passwords. Passwordless authentication gives IT teams the benefit of complete visibility over identity and access management: every login is tied to just one user through a registered device and a biometric signature, so it can be easily and unequivocally tracked. Moreover, there is nothing to phish, share or reuse, since the user no longer holds a secret.
As remote work paradigms become the norm and both the workforce and company assets become less centralized, organizations need solutions that protect corporate resources from insider threats. Passwordless authentication can help ensure that turncloaks, pawns, and imposters do not endanger your company assets. With passwordless authentication, organizations can strengthen their security posture against such threats while streamlining user authentication flows and credential management across their assets, and at the same time improve employee productivity and cut password-related costs.