[Column] Shuman Ghosemajumder: When will we get rid of passwords?
Passwords are inconvenient and create numerous security vulnerabilities, so why can’t we just replace them? The short answer is that there’s no better method, yet. Companies are beholden to their users, and while most users claim to value security over convenience, their actions speak otherwise. As a case in point, research conducted by Google suggested that even when users have experienced their accounts being taken over, fewer than 10% will adopt multifactor authentication (MFA) because of the associated complexity and friction.
All authentication is a balance of usability, security, and deployability. To replace passwords, a new solution must equal passwords on all three fronts and exceed them on at least one. Trading off one set of advantages for another will not be enough to incentivise both organisations and users to switch. So, what can we do today to ease the password-driven bottlenecks and edge ever closer to friction-free nirvana?
A Better MFA
A hypothetical solution to our maximization problem is invisible multifactor authentication (iMFA). Unlike the MFA solutions of today, which typically rely on a password combined with an SMS or one-time password via email or a physical token, iMFA would rely on factors that are invisible to the user. Specifically, it would collect and process the maximum number of effort-free signals. Let’s break that down:
Web authentication is converging on a non-binary authentication model where all available information is considered for each transaction on a best-effort basis. All of the context of a user’s interaction with a website can be used to grant the best visibility into a user’s risk profile.
Effort-free signal collection and processing
Security should be provided on the backend, so it doesn’t impede customers. By providing security without customer impact, companies can mitigate threats at minimal cost without introducing friction and upsetting users. For example, most email providers have settled for approaches that classify mail based on known patterns of attacker behavior. These defenses are not free or easy to implement, with large web operators often devoting significant resources towards keeping pace with abuse as it evolves. Yet, this cost is typically far less than any approach requiring users to change behavior.
iMFA could be implemented with a combination of tools like WebAuthn and behavioural signals. The credential storage and user verification can be securely provided by WebAuthn, and the continuous authorization can be augmented with behavioural signals. The traditional MFA factors - ‘something you know,’ ‘have,’ and ‘are’ - come from WebAuthn. And the newest factor, ‘something you do,’ comes from behavioural signals, including new types of biometrics. Further, generating this variety of signals requires just a single gesture from the user, which is far less effort than entering a password. By combining these methods, and constantly recomputing trust through machine learning, we can achieve the rare simultaneous outcome of increased security with decreased user friction.
An Interim Solution
But iMFA cannot replace passwords overnight. Change-resistant users will need a gradual transition. Websites will still have to incorporate a solution like WebAuthn into their authentication protocols. Without pressing urgency from a specific security threat, many sites will likely take their time adopting this standard. Furthermore, the integration process for a behemoth like Amazon could be extremely complicated, which is likely why there has been initial support from browser companies but not from e-commerce companies or social media sites.
If adoption of a new method will take years, what should businesses do in the meantime? Outlast the attackers by denying them their most precious resource: time. Attackers conducting credential stuffing are usually financially motivated and don’t have infinite capital. If an organization can significantly increase the time it takes them to monetize their attacks, most cybercriminals will abandon the pursuit in favour of weaker targets.
Introducing more time into the credential stuffing kill chain
A good first step is to make credential spills more difficult to decode. It might seem obvious, but every company needs to upgrade their password security methods. If passwords are being hashed with MD5, organizations need to upgrade to something more secure like bcrypt. This would ensure that when an attacker manages to breach their database, it will take a reasonable amount of time for attackers to crack the compromised credentials before they can even launch an attack.
Organisations should also explore how they can force attackers to develop unique attacks for each target. Suppose a sophisticated attacker has gotten their hands on 100,000 decrypted credentials that they are fairly confident no one else has access to, at least for the moment. The attacker knows that 100,000 fresh credentials should lead to, on average, around 1,000 account takeovers on a large website. Now, for such a sophisticated attacker, taking over 1,000 retail accounts might not be worth the several weeks of time it would take to develop, test, launch, and monetize the attack. However, it would be worth their time to attack multiple targets simultaneously, breaking into tens of thousands of accounts at once. The key would be to find companies that could be attacked using the same software - in other words, targets with similar infrastructure.
As a result, this attacker targets not just one company, but several simultaneously - in this case, a retailer, bank, social media company, and ride-hailing mobile app. They have developed an attack that targets the Android version of mobile apps that have been built on the same framework. Their attack is very sophisticated, not reusing any resource more than twice, evading any rate-limiting measure the targeted company has implemented. Yet, while the attacker was too sophisticated to reuse something like an IP address when attacking a single target, they didn’t think they would be caught recycling resources across different targets.
We know this is how attackers think because this exact situation occurred in 2018 to four of Shape’s customers. Because they all operated on a shared defence platform, an attack on one of them was, in effect, an attack on all of them. Because the attacker recycled resources and behavioural patterns across all four companies within a very short time period, Shape was able to very quickly gather enough data to identify the attack. Thus, bundling the attacks actually worked to the attacker’s disadvantage, but only because intelligence was shared across different targets.
Don’t give up!
It is impossible to detect 100 percent of attacks instantaneously 100 percent of the time. What is possible is to make attacks so costly that attackers give up quickly or don’t even try again. Cybercrime is a business - attacks are organized based on a predictable rate of return. If there is one thing that holds true across the worlds of cybercriminals and businesspeople, it is that time is money.