Passwords, Passkeys, Cookies, MFA – Authentication Methods are Under Attack

Credentials are at the forefront of protecting employee identities and accounts — and oftentimes a weak, easy-to-guess password is the only thing standing between a cybercriminal and an organization’s critical systems and data. Many companies realized this in the midst of the pandemic as remote work challenged their defenses, and we saw increased investments in authentication tools as a result.

However, recent cyberattacks in which multi-factor authentication (MFA) was bypassed through “prompt bombing” (flooding a user with push approval requests until, out of MFA fatigue, they approve one they never initiated) have raised new concerns about password and authentication practices: Are organizations doing enough to boost their identity defenses?

Passwords Get a Bad Rep for a Good Reason

In the past year, MFA has become table stakes. SpyCloud’s recent 2022 Ransomware Defense Report found that 96% of organizations have adopted or planned to implement this measure, compared to only 56% in the previous year’s survey. Additionally, we learned that there were increases across credential monitoring and password practices as well since last year:

73% of organizations monitor for compromised employee credentials (vs. 44% in 2021)
49% monitor for compromised partner and supplier credentials (vs. 28% in 2021)
78% have password complexity requirements (vs. 59% in 2021)

These trends indicate an acknowledgment that password security is still a growing problem. And SpyCloud data shows just how big of a problem. Every year, our researchers recapture millions of exposed credential pairs (usernames and password combinations) from the darknet. In 2021 alone, the number reached 1.7 billion, a 15% increase from the previous year’s 1.48 billion.

Employees’ rampant reuse of passwords exacerbates the risks stemming from exposed credentials. In 2021, we discovered a 64% password reuse rate for users with more than one password exposed in the past year (up 4 pts from the prior year despite the cacophony of media articles on this very topic). This risky behavior makes passwords just a tiny bump in the road for cybercriminals trying to get inside your organization.

Considering the magnitude of the password problem, it’s encouraging to see that more organizations recognize the need to protect employee identities and are looking for ways to enhance defenses around passwords.

How do I check what’s already exposed across our authentication stack?

Run Check Your Exposure to see the exposed credentials and stolen session cookies tied to your domain. No matter how many authentication layers you have in place, a credential or session cookie that is already in criminal hands is a way around them, so seeing what is exposed lets you reset and invalidate it instead of trusting the stack to hold.


What About Passwordless?

Understandably, the security industry has been talking about doing away with passwords altogether. Lately, biometrics and passwordless authentication have been in the news – especially with the introduction of passkeys, an alternative to the traditional password, by Apple and Google. While this new authentication practice shows a lot of promise for securing identities, it doesn’t completely solve the password problem either.

In practice, passwordless mechanisms fall back to a password if, say, the device acting as the “authenticator” is lost or stolen. Some passwordless solutions also require MFA for added security, with a password serving as the second factor. In other words, passwordless authentication is rarely truly passwordless.

As far as new security technologies go, passkeys are a positive development. But a passkey login still ends in a session cookie, and the account still has a recovery path that falls back to a password; expect cybercriminals to target both, just as they already trade every other form of authentication data on the darknet.

MFA a Bigger Target than Ever

For all the talk of MFA as a core control for better security, it still has weak points. Our survey of more than 300 IT security leaders found that 77% of organizations have MFA in place and 51% reported that their MFA was already in ‘good shape,’ yet criminals have found ways around this defense layer.

Attacks in which malicious actors circumvent MFA rarely make the headlines. But for every highly publicized attack, there are numerous others happening behind the scenes.

Okta researchers found that MFA attacks are up significantly from last year and are “far exceeding levels seen in 2020.” Just in the first three months of 2022, Okta’s network logged about 113 million attacks that targeted bypassing MFA.

There are a number of ways to circumvent MFA, but one of the most effective is session hijacking. The attacker steals the session cookie the browser holds after a successful login, using information-stealing malware (infostealers), an adversary-in-the-middle phishing page that proxies the real login, or social engineering that tricks the user into clicking a malicious link. That cookie is the server’s record that authentication, MFA included, already completed, so a request carrying it from another machine is accepted as a continuation of the original session and no second factor is ever requested.

With that stolen web session cookie in hand, the attacker can perform the same actions as the legitimate user, which could be anything from accessing your company’s data to gaining access to critical applications. As far as the server is concerned, the original user is going about business as usual — the attacker’s identity is indistinguishable from the authorized identity.
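As an added example (not code from SpyCloud or the original post), the following Python models the bypass just described and two responses to it: binding a session to the client context it was created in, and revoking live sessions whose cookie values turn up in a recaptured infostealer dump, which is the “reset and invalidate” step the rest of this post recommends. The app, the user, the addresses, the cookie values and the dump are all constructed and hypothetical.

```python
"""Session-cookie replay and its remediation.

Added example, not code from SpyCloud or the original post. Models a web app
whose login requires a password plus a second factor and then issues a session
cookie. A stolen cookie replayed from another machine is accepted with no MFA
prompt, because the cookie itself is the proof that authentication already
happened. Two responses are shown: binding the session to the client context
it was created in, and invalidating every live session whose cookie shows up
in a recaptured infostealer dump. Users, cookies, addresses and the dump are
constructed for the example; the hypothetical app has no real counterpart.
"""
import hashlib
import hmac
import secrets
import time

SESSIONS = {}   # cookie value -> session record (in-memory store for the example)
USERS = {"alice": {"password": "Summer2022!", "totp": "123456"}}  # constructed;
# a real app stores a password hash and verifies TOTP against a shared secret.


def _fingerprint(ip, user_agent):
    """Coarse client context a session can be bound to (source IP + browser UA)."""
    return hashlib.sha256(f"{ip}|{user_agent}".encode()).hexdigest()[:16]


def login(user, password, totp, ip, user_agent):
    """Full login: password AND second factor. Returns the session cookie value."""
    rec = USERS.get(user)
    if rec is None or not hmac.compare_digest(rec["password"], password):
        return None
    if not hmac.compare_digest(rec["totp"], totp):   # MFA is checked here only
        return None
    cookie = secrets.token_urlsafe(32)
    SESSIONS[cookie] = {"user": user, "fp": _fingerprint(ip, user_agent),
                        "created": time.time()}
    return cookie


def authorize(cookie, ip, user_agent, bind_context=False):
    """Per-request check. Returns (user, reason). No MFA step: the cookie decides."""
    sess = SESSIONS.get(cookie)
    if sess is None:
        return None, "no session"
    if bind_context and sess["fp"] != _fingerprint(ip, user_agent):
        # Same cookie from a different client context: treat as probable replay,
        # drop the session and force a fresh login (which re-triggers MFA).
        SESSIONS.pop(cookie)
        return None, "context mismatch: session revoked"
    return sess["user"], "ok"


def revoke_from_stealer_log(log_lines, domain):
    """Post-infection remediation: kill every live session whose cookie value
    appears in a recaptured dump. Lines use the Netscape cookies.txt layout that
    many stealer logs follow: domain, flag, path, secure, expiry, name, value."""
    revoked = []
    for line in log_lines:
        parts = line.rstrip("\n").split("\t")
        host = parts[0].lstrip(".")
        if len(parts) != 7 or not (host == domain or host.endswith("." + domain)):
            continue
        value = parts[6]
        if value in SESSIONS:
            revoked.append((SESSIONS.pop(value)["user"], parts[5]))
    return revoked


def demo():
    """Walks through replay, context binding and dump-driven revocation."""
    victim_ip, victim_ua = "203.0.113.10", "Mozilla/5.0 (Windows NT 10.0) Chrome/105.0"
    attacker_ip, attacker_ua = "198.51.100.7", "curl/7.85.0"
    out = {}

    # 1. Plain cookie check: the attacker's replay is indistinguishable from Alice.
    c1 = login("alice", "Summer2022!", "123456", victim_ip, victim_ua)
    out["replay_user"], _ = authorize(c1, attacker_ip, attacker_ua)

    # 2. Context-bound session: Alice is fine, the replay is refused and revoked,
    #    and Alice's next request also fails until she logs in (and MFAs) again.
    c2 = login("alice", "Summer2022!", "123456", victim_ip, victim_ua)
    out["bound_legit"], _ = authorize(c2, victim_ip, victim_ua, bind_context=True)
    out["bound_replay"], out["bound_reason"] = authorize(c2, attacker_ip, attacker_ua, bind_context=True)
    out["bound_after"], _ = authorize(c2, victim_ip, victim_ua, bind_context=True)

    # 3. A stealer dump (constructed) lists cookies for several sites; only the
    #    live session for our domain is revoked, and its cookie stops working.
    c3 = login("alice", "Summer2022!", "123456", victim_ip, victim_ua)
    dump = [
        f".example.com\tTRUE\t/\tTRUE\t1700000000\tsessid\t{c3}",
        ".other.test\tTRUE\t/\tTRUE\t1700000000\tsessid\tnotourcookie",
        f".example.com\tTRUE\t/\tTRUE\t1700000000\tsessid\tstale{c3[:8]}",
    ]
    out["revoked"] = revoke_from_stealer_log(dump, "example.com")
    out["after_revoke"], _ = authorize(c3, victim_ip, victim_ua)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Run it and the first result shows the attacker’s replay authorized as alice with no second factor ever consulted; marking the cookie HttpOnly and Secure does not change that, because an infostealer reads it from the browser’s cookie store rather than from a page script. Context binding is a heuristic: NAT, mobile networks and browser updates change the fingerprint for legitimate users too, which is why the example revokes and forces a fresh login rather than silently blocking. The dump-driven revocation is the step no amount of authentication strength substitutes for: a cookie already in criminal hands stays valid until the server stops honoring it.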

Know and Minimize Your Risks

One of the key findings from our 2022 Ransomware Defense Report was that organizations are feeling less confident overall about their defenses, including MFA. We noted an uptick in the number of organizations planning to upgrade their existing measures or add new ones, along with a decrease in the number of those feeling good about their security stack. This growing dissatisfaction indicates that, despite multiple defense layers, organizations recognize they still have gaps that go well beyond poor passwords.

Keeping in mind that cybercriminals are humans who take the path of least resistance, here are some ways to close those gaps beyond simply authenticating a user’s access:

Monitor for stolen cookies

While monitoring the criminal underground for compromised credentials is somewhat common, most organizations don’t monitor for stolen cookies, which enable attackers to impersonate users, bypass MFA, and launch attacks seemingly

Understand your hidden risks

If an employee’s personal or shared device is infected with malware, for example, it creates a huge attack surface since a single employee could be using that device to access dozens or even hundreds of your corporate apps and services. All of that stolen authentication data could be used to “walk right in” to your organization.

Enhance your malware infection response

Another frequently overlooked tactic is what we call post-infection remediation: responding to a malware infection by accounting for all of the authentication data the malware siphoned, since that data is now in criminals’ hands and exposes the enterprise to follow-on attacks including ransomware. The key is visibility into what was taken from both the managed devices used by your workforce and the unmanaged or personal devices used to reach your network, so that every exposed password can be reset and every exposed session invalidated.

No authentication solution is a magic bullet. With enough patience and ingenuity, attackers will eventually find a way around any defense. Closing the gaps remains a top priority for security teams, and the earlier they can see which attack vectors are in play, the better their odds.

Authentication layers raise the cost of an attack, but they do not show you what criminals already have.

See how SpyCloud surfaces the exposed credentials and stolen session cookies tied to your workforce, and remediates them before they are used.

FAQs

Why are authentication methods under attack?

Because attackers have adapted to every layer. MFA gets bypassed through prompt bombing and adversary-in-the-middle phishing, passwords stay exposed through reuse, and stolen session cookies let attackers skip authentication entirely by replaying a session that already passed every check. Adding layers raises the cost of an attack; it does not remove the credentials and session data already circulating in the criminal underground.

Which authentication methods are affected?

All of the common ones. Passwords are undermined by reuse and exposure, MFA is bypassed through prompt bombing and adversary-in-the-middle phishing, passkeys can be worked around through session hijacking and account recovery paths, and session cookies are stolen outright so attackers can replay an authenticated session. Each method raises the bar, but none of them closes every gap on its own.

Is MFA still worth it?

Yes. MFA is now table stakes and stops a large share of opportunistic attacks, which is why adoption has climbed sharply. The point is not that MFA fails, but that it is one layer. Attackers who get past it do so by targeting the session or the human, not the second factor itself, so MFA needs to sit alongside visibility into what is already exposed rather than stand alone.

Does an exposed password still matter if we have MFA?

Even with MFA in place, a reused work password exposed in a breach or lifted by infostealer malware stays valid and keeps circulating in the criminal underground. It becomes a problem the moment MFA is missing, misconfigured, or bypassed on a connected system. Run Check Your Exposure to see which exposed credentials tied to your domain are still in play.
