Passwordless authentication is a method of verifying users’ identities without the use of passwords or any other memorized secret.
Instead of passwords, identity can be verified based on a “possession factor”, which is an object that uniquely identifies the user (e.g. a one-time password generator, a registered mobile device, or a hardware token), or an “inherent factor” such as a person’s biometric signature (e.g. fingerprint, face, retina, etc.). Unlike possession or inherent factors, authentication based on something the user knows (such as a password, passphrase, or PIN code) is susceptible to easy theft and to sharing by users, and it requires constant management and handling by both users and IT managers.
What are the benefits of Passwordless Authentication?
- User Experience (UX): passwordless authentication means no more user-memorized secrets, streamlining the authentication process.
- Better Security: user-controlled passwords are a major vulnerability because users reuse passwords and are able to share them with others. Passwords are the biggest attack vector and are responsible for 81% of breaches, and they also lead to attacks such as credential stuffing, corporate account takeover (CATO), password spraying, and brute force attacks.
- Reduction in Total Cost of Ownership (TCO): passwords are expensive and require constant maintenance from IT staff; removing passwords will reduce support tickets and free IT to deal with real problems.
- IT Gains Control and Visibility: phishing, reuse, and sharing are common issues when relying on passwords. With passwordless authentication, IT reclaims complete visibility over identity and access management: nothing to phish, share or reuse, so the user is no longer the wild card in the organization’s identity scheme.
With passwords out of the picture, both user experience and security improve.
The security of passwordless authentication systems depends on the proof(s) of identity required in lieu of passwords and their implementation. For example, using secure push notifications to the account holder’s mobile device is generally considered more secure than passwords. SMS codes to the account holder’s mobile device can be considered less secure because SMS is an insecure communication channel and there are multiple documented attacks against SMS authentication systems.
What does Passwordless Authentication Prevent?
What is Password spraying?
Password spraying is an attack that attempts to access a large number of accounts (usernames) with a few commonly used passwords.
Well known instances of Password Spraying attacks:
How Do we prevent Password Spraying?
Password spraying relies on the use of common and generic passwords, unfortunately a practice that remains widespread today. By removing passwords, Secret Double Octopus renders an account immune to this attack.
What is Credential stuffing?
Credential stuffing is a type of cyberattack where stolen account credentials, typically consisting of lists of usernames and/or email addresses and their corresponding passwords, are used to gain unauthorized access to user accounts. Using a program called an ‘account checker,’ attackers launch large-scale automated login requests against a slew of web applications.
Well known instances of Credential Stuffing attacks:
How do we prevent Credential Stuffing?
Credential stuffing typically relies on user-generated passwords that were obtained from large breaches. Secret Double Octopus removes user-generated passwords and, in turn, the risk of credential stuffing.
What is Spear Phishing?
Phishing attacks are a form of cyberattack designed to get a user to divulge compromising information. As its name implies, spear phishing is a targeted attack against a particular user or set of users based on their unique profile. Spear phishing messages are tailored to the targets in an effort to convince them the communications are legitimate. This is usually done by acquiring personal details on the victim such as their friends, hometown, employer, locations they frequently visit, or what they have recently bought online. The attackers then disguise themselves as a trustworthy friend or entity and attempt to extract sensitive information, typically through email or other online messaging.
Well known instances of Spear Phishing attacks:
How does Secret Double Octopus prevent Spear Phishing?
Spear phishing attacks rely on fraudulent communications, usually in the form of email following a business email compromise (BEC) incident. When using Secret Double Octopus, users are never prompted to reset or update passwords, meaning users will know that any such request is an attempt by a cybercriminal. Secret Double Octopus both removes the credentials target and negates the mechanism by which spear phishing works.
Brute Force Attack and Offline Cracking
What is a Brute Force Attack?
Brute force attacks involve repeated login attempts using every possible letter, number, and character combination to guess a password.
An attacker using brute force is typically trying to guess a user password, an administrator password, or a password hash key. Guessing a short password can be relatively simple, but that isn’t necessarily the case for longer passwords or encryption keys: the difficulty of a brute force attack grows exponentially with the length of the password or key.
What are some examples of Brute Force attack?
What is Offline Cracking?
Offline Password Cracking is an attempt to extract one or more passwords from a password storage file that has been recovered from a target system. Typically, this form of cracking requires that an attacker has already attained a high level of access to a system in order to reach the necessary file. Once attackers gain access to the stored passwords, they are able to move freely through a wide range of network accounts.
Well known instances of Offline Cracking:
How does Secret Double Octopus prevent Brute Force Attacks and Offline Cracking?
Both of these attacks rely on gaining access to credentials. Attackers target systems that rely on passwords as a first factor. There are many cases in which attackers capitalize on weak communication protocols connecting networks to servers and use these methods to bypass MFA. Secret Double Octopus does not use passwords as a first factor of authentication, thereby preventing brute force attacks and offline cracking.
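The password spraying and brute force patterns defined above differ in shape: spraying touches many accounts with one or two guesses each, while brute force hammers one account with many guesses. As an added illustration, not code from the original page or from Secret Double Octopus, the following Python snippet groups failed logins per source address and labels each source accordingly; the log line format, the sample records and the thresholds are assumptions made for the example.

```python
import re
from collections import Counter, defaultdict

LINE_RE = re.compile(r"src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)")

# Constructed sample of authentication events (not real logs).
SAMPLE_LOG = """\
2024-05-01T08:00:01 src=203.0.113.7 user=alice result=FAIL
2024-05-01T08:00:02 src=203.0.113.7 user=bob result=FAIL
2024-05-01T08:00:03 src=203.0.113.7 user=carol result=FAIL
2024-05-01T08:00:04 src=203.0.113.7 user=dave result=FAIL
2024-05-01T08:00:05 src=203.0.113.7 user=erin result=FAIL
2024-05-01T08:01:00 src=198.51.100.9 user=alice result=FAIL
2024-05-01T08:01:01 src=198.51.100.9 user=alice result=FAIL
2024-05-01T08:01:02 src=198.51.100.9 user=alice result=FAIL
2024-05-01T08:01:03 src=198.51.100.9 user=alice result=FAIL
2024-05-01T08:01:04 src=198.51.100.9 user=alice result=FAIL
2024-05-01T08:02:00 src=192.0.2.20 user=bob result=FAIL
2024-05-01T08:02:05 src=192.0.2.20 user=bob result=OK
"""

def failures_by_source(log_text):
    """Map each source address to a Counter of failed logins per username."""
    per_src = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("result") == "FAIL":
            per_src[m.group("src")][m.group("user")] += 1
    return per_src

def classify_sources(log_text, spray_users=5, spray_max_per_user=2, brute_min=5):
    """Label each source: 'spraying' (few guesses spread over many accounts),
    'brute_force' (many guesses against one account) or 'benign'.
    Thresholds are assumed values; tune them to the environment's baseline."""
    verdicts = {}
    for src, per_user in failures_by_source(log_text).items():
        if len(per_user) >= spray_users and max(per_user.values()) <= spray_max_per_user:
            verdicts[src] = "spraying"
        elif max(per_user.values()) >= brute_min:
            verdicts[src] = "brute_force"
        else:
            verdicts[src] = "benign"
    return verdicts

if __name__ == "__main__":
    for src, verdict in sorted(classify_sources(SAMPLE_LOG).items()):
        print(src, verdict)
```

Sliding the same logic over a time window rather than the whole file is the usual next step, since a slow spray spreads its guesses out to stay under per-account lockout thresholds.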
Rainbow table attacks
What is a Rainbow Table Attack?
A Rainbow Table attack is designed to recover passwords from their cryptographic hashes. It uses huge sets of precomputed tables filled with hash values that are pre-matched to possible plaintext passwords. The proper application of a Rainbow Table can allow an attacker to break passwords of relatively high complexity.
Well known instances of Rainbow Attacks:
How does Secret Double Octopus prevent Rainbow Table Attacks?
Rainbow Table attacks can only succeed against an account that uses passwords as the primary factor. Once passwords are gone, the most sophisticated Rainbow Table is useless.
What is Social Engineering?
Social engineering covers a very broad range of attacks by which cybercriminals manipulate individuals into divulging login credentials. Social media platforms often provide the perfect venue for attackers to reach out to potential victims under a guise and extract information.
Some social engineering methods don’t even require attackers to engage directly with victims. Criminals can go directly to a user’s service provider, such as a cell phone or internet company, and deceive a representative into delivering new passwords to the phone or device of their choice.
Well Known instances of Social Engineering attacks:
How does Secret Double Octopus prevent Social Engineering Attacks?
Regardless of what method attackers deploy, the goal of any social engineering attack is to extract login credentials to a victim’s account. By eliminating credentials from the authentication equation, there is no longer a target for a social engineering campaign.
What is Keylogger Malware?
A Keylogger Attack involves the illicit use of a keystroke logging program to record and capture passwords. Attackers can infect a machine with a keylogger by planting it in legitimate websites or in phishing messages. The seemingly innocuous content of the web page or message contains commands to download a keylogger file that a user can activate with a simple click.
Well Known Instance of Keylogger Attacks:
How does Secret Double Octopus prevent Keylogger Attacks?
Even after successfully getting a user to download a keylogger, attackers still need the victim to type in his or her password so it can be recorded. If passwords are not being entered, nothing captured by the keylogger will grant an attacker access to accounts.
What is Shoulder Surfing?
More aptly categorized as a form of tradecraft than a cyberattack, Shoulder Surfing is simply the stealing of a user’s credentials by literally peering over their shoulder while they are typing them in. While this may seem like an overly simple method, research has shown that Shoulder Surfing is often successful.
Well Known Instances of Shoulder Surfing:
How does Secret Double Octopus prevent Shoulder Surfing Attacks?
Any ‘Shoulder Surfer’ is looking to identify users’ passwords as they type them into a device. When users are no longer entering passwords, there is no longer any information being exposed that would potentially give a peeping attacker illicit access.
Corporate Account Takeover (CATO)
What is Corporate Account Takeover (CATO)?
Corporate account takeover occurs when an attacker manages to gain unauthorized access to a legitimate business account. Control of the account is then used for nefarious activities such as initiating a fraudulent payment, authorizing a wire transfer or stealing sensitive data.
Well known instances of Corporate Account Takeover (CATO):
Leaving the Password Threat Behind
The above list of techniques for breaking password-based authentication schemes is just a small sampling of the dangers posed by passwords, an outdated method of authentication which is still the method of choice for most applications.
Secret Double Octopus is helping customers evolve to the next stage of digital authentication: passwordless authentication. Its Octopus Authenticator neutralizes all of the attacks that target users’ passwords by simply getting rid of them.