
Passwords, Passkeys, Cookies, MFA – Authentication Methods are Under Attack

Credentials are at the forefront of protecting employee identities and accounts — and oftentimes a weak, easy-to-guess password is the only thing standing between a cybercriminal and an organization’s critical systems and data. Many companies realized this in the midst of the pandemic as remote work challenged their defenses, and we saw increased investments in authentication tools as a result. However, recent cyberattacks in which multi-factor authentication (MFA) was bypassed through “prompt bombing”, an annoying cyber tactic aimed at getting a user to click on a malicious link due to MFA fatigue, have raised new concerns about password and authentication practices: Are organizations doing enough to boost their identity defenses?

Passwords Get a Bad Rep for a Good Reason

In the past year, MFA has become table stakes. SpyCloud’s recent 2022 Ransomware Defense Report found that 96% of organizations have adopted or plan to implement this measure, compared to only 56% in the previous year’s survey. Additionally, we learned that credential monitoring and password practices have also increased since last year:

- 73% of organizations monitor for compromised employee credentials (vs. 44% in 2021)
- 49% monitor for compromised partner and supplier credentials (vs. 28% in 2021)
- 78% have password complexity requirements (vs. 59% in 2021)

These trends indicate an acknowledgment that password security is still a growing problem. And SpyCloud data shows just how big a problem it is. Every year, our researchers recapture millions of exposed credential pairs (username and password combinations) from the darknet. In 2021 alone, the number reached 1.7 billion, a 15% increase from the previous year’s 1.48 billion.

Employees’ rampant reuse of passwords exacerbates the risks stemming from exposed credentials. In 2021, we discovered a 64% password reuse rate for users with more than one password exposed in the past year (up 4 points from the prior year, despite the cacophony of media articles on this very topic). This risky behavior makes passwords just a tiny bump in the road for cybercriminals trying to get inside your organization.

Considering the magnitude of the password problem, it’s encouraging to see that more organizations recognize the need to protect employee identities and are looking for ways to enhance defenses around passwords.

What About Passwordless?

Understandably, the security industry has been talking about doing away with passwords altogether. Lately, biometrics and passwordless authentication have been in the news – especially with the introduction of passkeys, an alternative to the traditional password, by Apple and Google. While this new authentication practice shows a lot of promise for securing identities, it doesn’t completely solve the password problem either.

Traditionally, passwordless authentication mechanisms fall back to passwords if, say, the device the person uses as the “authenticator” is lost or stolen. In addition, some passwordless solutions also require MFA for added security, with passwords serving as the MFA layer. In other words, passwordless authentication is rarely truly password-free after all.

As far as new security technologies go, passkeys are a positive development. But it won’t take long for cybercriminals to start stealing and trading passkeys on the darknet, as they do with other types of credentials.

MFA a Bigger Target than Ever

With all this talk about MFA being a core option for better security, it still presents vulnerabilities. While our survey of more than 300 IT security leaders found that 77% of organizations have MFA in place, and 51% reported that their MFA was already in ‘good shape,’ criminals have also found ways to exploit this defense layer.

Attacks showing how malicious actors circumvent MFA seem few and far between as far as attack headlines go. But for every highly publicized attack, there are numerous others happening behind the scenes.

Okta researchers found that MFA attacks are up significantly from last year and are “far exceeding levels seen in 2020.” Just in the first three months of 2022, Okta’s network logged about 113 million attacks that targeted bypassing MFA.

There are a number of ways to circumvent MFA, but one of the most effective methods is session hijacking. This tactic uses information-stealing malware (a.k.a. infostealers), man-in-the-middle attacks, or social engineering (using basic human behavior to trick a person into clicking on a malicious link) to steal the session cookie that the web browser stores temporarily as part of user authentication. The stolen cookie allows the attacker to bypass MFA because it fools the server into believing the malicious connection is the same as the original, already-authenticated one.

With that stolen web session cookie in hand, the attacker can perform the same actions as the legitimate user, which could be anything from accessing your company’s data to gaining access to critical applications. As far as the server is concerned, the original user is going about business as usual — the attacker’s identity is indistinguishable from the authorized identity.

Know and Minimize Your Risks

One of the key findings from our 2022 Ransomware Defense Report was that organizations are feeling less confident overall about their defenses, including MFA. We noted an uptick in the number of organizations planning to upgrade their existing measures or add new ones, along with a decrease in the number of those feeling good about their security stack. This growing dissatisfaction indicates that despite the multiple defense layers, organizations recognize they continue to have gaps that are far greater than poor passwords.

Keeping in mind that cybercriminals are actual humans and know they can benefit from the path of least resistance, here are some ways to close those gaps beyond just trying to authenticate a user’s access:

Monitor for stolen cookies

While monitoring the criminal underground for compromised credentials is somewhat common, most organizations don’t monitor for stolen cookies, which enable attackers to impersonate users, bypass MFA, and launch attacks seemingly
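The server-side symptom of the session hijacking described above is the same session cookie arriving from a client that does not match the one that authenticated. The following detection logic, an added example that is not SpyCloud’s code, runs over a constructed set of access-log events and flags any session ID reused from a different IP/user-agent fingerprint while the original session is still active; the field names and the one-hour window are assumptions for illustration.

```python
"""Flag a session cookie replayed from a different client (session hijacking)."""
from datetime import datetime, timedelta

# Constructed sample access events (not real data): (timestamp, session_id, ip, user_agent).
# The first two are the legitimate user; the third replays the same cookie from another host.
SAMPLE_EVENTS = [
    ("2022-10-03T09:00:00", "sess-a1b2", "10.1.4.22", "Mozilla/5.0 (Windows NT 10.0) Chrome/105"),
    ("2022-10-03T09:05:00", "sess-a1b2", "10.1.4.22", "Mozilla/5.0 (Windows NT 10.0) Chrome/105"),
    ("2022-10-03T09:07:00", "sess-a1b2", "198.51.100.7", "Mozilla/5.0 (X11; Linux x86_64) Firefox/104"),
    ("2022-10-03T09:10:00", "sess-c3d4", "10.1.4.30", "Mozilla/5.0 (Macintosh) Safari/605"),
]


def fingerprint(ip, user_agent):
    """Coarse client fingerprint; a given cookie is expected from exactly one of these."""
    return (ip, user_agent)


def detect_cookie_reuse(events, window=timedelta(hours=1)):
    """Return one alert per event where a session ID is presented from a fingerprint
    that differs from the fingerprint of its previous event within `window`.
    A stolen cookie replayed by an attacker appears as the same session ID coming
    from a new IP/user-agent while the legitimate session is still active."""
    last_seen = {}  # session_id -> (fingerprint, timestamp of most recent event)
    alerts = []
    for ts_str, sid, ip, ua in sorted(events):  # ISO-8601 strings sort chronologically
        ts = datetime.fromisoformat(ts_str)
        fp = fingerprint(ip, ua)
        if sid in last_seen:
            prev_fp, prev_ts = last_seen[sid]
            if prev_fp != fp and ts - prev_ts <= window:
                alerts.append({"session_id": sid, "original": prev_fp, "new": fp, "at": ts_str})
        last_seen[sid] = (fp, ts)
    return alerts


if __name__ == "__main__":
    for a in detect_cookie_reuse(SAMPLE_EVENTS):
        print(f"ALERT: session {a['session_id']} reused from {a['new']} "
              f"(authenticated from {a['original']}) at {a['at']}")
```

Legitimate clients also change IP (mobile networks, VPN reconnects), so in production the fingerprint and window should be tuned against your own traffic, and a hit should trigger re-authentication and cookie revocation rather than silent blocking alone.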

Understand your hidden risks

If an employee’s personal or shared device is infected with malware, for example, it creates a huge attack surface since a single employee could be using that device to access dozens or even hundreds of your corporate apps and services. All of that stolen authentication data could be used to “walk right in” to your organization.

Enhance your malware infection response

Another frequently overlooked prevention tactic is what we call post-infection remediation – an approach to remediating malware infections that takes into account all of the exposed authentication data that was siphoned (information that is actively in criminals’ hands and puts the enterprise at risk of attacks, including ransomware). The key is having visibility into what has been siphoned from both the managed devices used by your workforce and the unmanaged or personal devices used to access your network.

No authentication solution provides a magic bullet. With enough patience and ingenuity, attackers will eventually find a way to circumvent any defense. Closing the gaps in order to protect your business continues to be a top action for security teams, and the more visibility they have into the various attack vectors early on, the better their chances of success.

Get more insights about why IT security leaders are putting more emphasis on password and authentication practices in the SpyCloud 2022 Ransomware Defense Report.
