Intelligent CIO APAC Issue 06 | Page 35

EDITOR'S QUESTION

Passwordless authentication is an authentication mechanism in which users prove who they are without typing a password or a one-time passcode, the shared secrets on which traditional logins and most 2FA schemes depend. In its common FIDO2/WebAuthn form, a private key held by the user's device signs a challenge from the server, and a biometric such as Touch ID or Face ID only unlocks that key locally; the biometric itself never leaves the device. Passwordless authentication is common in newer smartphones that support Touch ID and Face ID and allows login without typing passwords.

Eliminating passwords minimizes the risk of breaches and lowers the cost of ownership. It removes the burden of managing password policies, password expiration, password resets, etc. Because complex password policies are hard to live with, people tend to reuse passwords across different accounts, so one breach exposes many. Passwordless authentication helps organizations defend against:
1. Brute force attacks: attackers try many candidate passwords against an account until one works.
2. Credential stuffing attacks: credentials leaked from one breach are replayed, using automation, against other services where the same users reused them.
3. Password spray attacks: attackers try a few commonly used passwords against a large number of accounts, staying under each account's lockout threshold.
4. Spear phishing attacks: targeted, spoofed emails convince users to enter their login credentials on an attacker-controlled page.
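The first three attacks in the list above look different in authentication logs, and a SOC usually catches them by counting failures along different axes: many failures against one account, one source against many accounts, or many accounts touched once each from many sources. The following example is added for this page and is not code from the original article; it parses constructed OpenSSH-style log lines (hostname, PID, port and the RFC 5737 documentation addresses are all made up for the example) and flags each pattern with illustrative thresholds that are assumptions, not tuned values. Spear phishing yields a clean first-try login and leaves no failed-attempt trail, so it does not appear here.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# OpenSSH-style auth lines; timestamp, host, PID and port values are constructed for this example.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def _line(second, result, user, src):
    return (f"2024-03-04T09:{second // 60:02d}:{second % 60:02d}Z bastion sshd[4242]: "
            f"{result} password for {user} from {src} port 51000 ssh2")

def sample_log():
    """Constructed log: one brute-force run, one spray with a hit, one distributed stuffing run."""
    lines = [_line(i, "Failed", "alice", "198.51.100.7") for i in range(10)]
    for i, user in enumerate(["bob", "carol", "dave", "erin", "frank"]):
        lines.append(_line(20 + i, "Failed", user, "203.0.113.9"))
    lines.append(_line(30, "Accepted", "frank", "203.0.113.9"))
    lines += [_line(40 + i, "Failed", f"user{i}", f"192.0.2.{10 + i}") for i in range(8)]
    lines.append("2024-03-04T09:01:00Z bastion CRON[77]: pam_unix(cron:session): session opened for root")
    return lines

def parse(lines):
    """(timestamp, succeeded, user, src) per matching line; unrelated lines are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
            events.append((ts, m["result"] == "Accepted", m["user"], m["src"]))
    return sorted(events)

def detect(events, brute_min=10, spray_min_users=5, stuffing_min=8):
    """Flag the patterns described in the article. Thresholds are illustrative, not tuned."""
    failures = [e for e in events if not e[1]]
    per_pair = Counter((src, user) for _, _, user, src in failures)
    users_per_src = defaultdict(set)
    for _, _, user, src in failures:
        users_per_src[src].add(user)
    findings = []
    # Brute force: many failures against one account from one source.
    for (src, user), n in per_pair.items():
        if n >= brute_min:
            findings.append(("brute_force", {"src": src, "user": user, "failures": n}))
    # Spray: one source, many accounts, a try or two each (stays under per-account lockout).
    for src, users in users_per_src.items():
        attempts = sum(per_pair[(src, u)] for u in users)
        if len(users) >= spray_min_users and attempts / len(users) <= 2:
            findings.append(("password_spray", {"src": src, "users": len(users)}))
    # Stuffing: distributed, one or two tries per account, each source touching almost no one else.
    quiet = [(s, u) for (s, u), n in per_pair.items() if n <= 2 and len(users_per_src[s]) <= 2]
    srcs, users = {s for s, _ in quiet}, {u for _, u in quiet}
    if len(users) >= stuffing_min and len(srcs) >= stuffing_min:
        findings.append(("credential_stuffing", {"sources": len(srcs), "users": len(users)}))
    # A success from a source that already failed against the same account: probable compromise.
    failed_before = set()
    for _, ok, user, src in events:
        if ok and (src, user) in failed_before:
            findings.append(("success_after_failures", {"src": src, "user": user}))
        elif not ok:
            failed_before.add((src, user))
    return findings
```

Run against `sample_log()` this yields four findings: the brute force against alice, the spray from 203.0.113.9, the distributed stuffing run, and frank's successful login from the spraying source, which is the one that warrants an immediate password reset and session revocation.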
Passwordless authentication works well for end-user authentication. Most of the vulnerabilities associated with passwords disappear because there is no shared secret for an attacker to guess, steal or phish, which improves overall cybersecurity. It protects the login step only, however: the session tokens and cookies issued after a successful login can still be stolen from a compromised endpoint, which is why the post-authentication attacks discussed below still matter.
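Why there is nothing to steal: in FIDO2/WebAuthn the device's private key signs the server's challenge together with the relying-party identifier (RP ID) that the browser derived from the page origin, and the server stores only the public key. The following example is added for this page and is not the author's or any vendor's code. It models that exchange end to end with a textbook Schnorr signature over secp256k1 written against the standard library (Python 3.8+ for the modular inverse), where real authenticators use ECDSA or EdDSA from hardware-backed code; the domain names, the user name and the `|` separator inside the signed bytes are assumptions for the example. It shows a legitimate login, why a captured assertion cannot be replayed, and why a phishing site that relays the genuine challenge still fails.

```python
import hashlib
import hmac
import secrets

# secp256k1 parameters (FIDO2 authenticators default to P-256; the protocol logic is the same).
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(a, b):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if a is None or b is None:
        return a or b
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def ec_mul(k, pt):
    """Double-and-add (not constant-time; real authenticator firmware must be)."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def schnorr_e(R, pub, msg):
    data = b"".join(c.to_bytes(32, "big") for pt in (R, pub) for c in pt) + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def schnorr_sign(d, pub, msg):
    k = secrets.randbelow(N - 1) + 1
    R = ec_mul(k, G)
    return R, (k + schnorr_e(R, pub, msg) * d) % N

def schnorr_verify(pub, msg, sig):
    R, s = sig
    if R is None or not 0 < s < N:
        return False
    return ec_mul(s, G) == ec_add(R, ec_mul(schnorr_e(R, pub, msg), pub))  # sG == R + eP

def client_data(rp_id, challenge):
    """What is signed: the RP ID the browser observed for the current origin plus the challenge."""
    return rp_id.encode() + b"|" + challenge

class Authenticator:
    """Private keys never leave the device and are scoped to the RP ID they were created for."""
    def __init__(self):
        self._creds = {}
    def make_credential(self, rp_id):
        d = secrets.randbelow(N - 1) + 1
        self._creds[rp_id] = (d, ec_mul(d, G))
        return self._creds[rp_id][1]                  # only the public key goes to the server
    def get_assertion(self, rp_id, challenge):
        if rp_id not in self._creds:                  # a lookalike origin has no credential to use
            raise LookupError(f"no credential for {rp_id}")
        d, pub = self._creds[rp_id]
        return schnorr_sign(d, pub, client_data(rp_id, challenge))

class RelyingParty:
    def __init__(self, rp_id):
        self.rp_id = rp_id
        self.pubkeys = {}   # user -> public key; a stolen copy of this table logs in nowhere
        self.pending = {}   # user -> outstanding challenge
    def begin_login(self, user):
        self.pending[user] = secrets.token_bytes(32)
        return self.pending[user]
    def finish_login(self, user, rp_id_seen, challenge, sig):
        expected = self.pending.pop(user, None)       # single use: a replay finds nothing pending
        if expected is None or not hmac.compare_digest(expected, challenge) or rp_id_seen != self.rp_id:
            return False                              # replayed, wrong challenge, or made for another origin
        pub = self.pubkeys.get(user)
        return pub is not None and schnorr_verify(pub, client_data(rp_id_seen, challenge), sig)

def demo():
    """Legitimate login, a replay and two phishing relays; returns what the server accepted."""
    auth, rp, out = Authenticator(), RelyingParty("login.example.test"), {}
    rp.pubkeys["alice"] = auth.make_credential(rp.rp_id)
    ch = rp.begin_login("alice")
    sig = auth.get_assertion(rp.rp_id, ch)
    out["legit"] = rp.finish_login("alice", rp.rp_id, ch, sig)
    out["replay"] = rp.finish_login("alice", rp.rp_id, ch, sig)
    # Phishing relay: the lookalike forwards the real challenge, but the browser hands the
    # authenticator the lookalike's RP ID, for which no credential exists ...
    phish, ch = "login-example.test", rp.begin_login("alice")
    try:
        out["phish_obtains_assertion"] = bool(auth.get_assertion(phish, ch))
    except LookupError:
        out["phish_obtains_assertion"] = False
    # ... and even if the victim had enrolled at the lookalike, the RP ID is inside the signed
    # bytes, so the assertion fails whether the attacker reports the origin honestly or spoofs it.
    auth.make_credential(phish)
    out["phish_honest_origin"] = rp.finish_login("alice", phish, ch, auth.get_assertion(phish, ch))
    ch = rp.begin_login("alice")
    out["phish_spoofed_origin"] = rp.finish_login("alice", rp.rp_id, ch, auth.get_assertion(phish, ch))
    return out
```

`demo()` accepts only the legitimate login. The three checks that do the work are the single-use challenge, the RP ID embedded in the signed bytes, and the fact that the server-side table holds public keys only, so a database breach gives an attacker nothing to stuff into another site.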
Organizations also deploy a large number of non-human accounts known as service accounts. Windows uses managed service accounts to run services, and cloud providers use service accounts to run workloads and to grant those workloads permissions to access cloud resources, etc. These accounts cannot use a biometric or a security key, so they still hold long-lived secrets.
An attacker who gains access to a service account has the full access that account has to its resources. Organizations should complement passwordless authentication by deploying a central secret vault and rotating the secrets of service accounts. Rotating secrets for service accounts minimizes risk and improves organizational security: a secret stolen today stops working at the next rotation.
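Rotation only pays off if the old secret actually stops working and the workloads that hold it do not break in the process, which is why vaults version secrets and keep the previous version valid for a short grace window (Windows group managed service accounts rotate their passwords automatically on the same principle). The example below is added for this page and is not any real vault's API: a minimal versioned store with an injectable clock, where the account name `svc-backup`, the 300-second grace window and the epoch timestamps are constructed for the example. It walks through a secret stolen from a workload host, the rotation that retires it, and the point after which the stolen copy is useless while the refreshed workload keeps working.

```python
import hmac
import secrets

class SecretVault:
    """Versioned secrets for service accounts (illustrative; not any real vault's API).

    Workloads fetch the current version by name instead of embedding the value. Rotation
    issues a new version and retires the old one, which stays valid only for a grace
    window so running workloads can refresh without an outage; afterwards it is rejected.
    """
    def __init__(self, clock, grace_seconds=300):
        self._clock = clock            # injectable so the scenario below can fast-forward time
        self._grace = grace_seconds
        self._versions = {}            # name -> [(version, value, retired_at or None)]
        self.audit = []                # (time, name, event, version)

    def create(self, name):
        self._versions[name] = [(1, secrets.token_urlsafe(32), None)]
        self.audit.append((self._clock(), name, "create", 1))
        return 1

    def current(self, name):
        version, value, _ = self._versions[name][-1]
        return version, value

    def rotate(self, name):
        now, hist = self._clock(), self._versions[name]
        version, value, _ = hist[-1]
        hist[-1] = (version, value, now)                     # grace window for the old version starts now
        hist.append((version + 1, secrets.token_urlsafe(32), None))
        self.audit.append((now, name, "rotate", version + 1))
        return version + 1

    def authenticate(self, name, presented):
        """Accept the current version or a retired one still inside its grace window."""
        now, ok = self._clock(), False
        for _, value, retired_at in self._versions.get(name, []):
            live = retired_at is None or now - retired_at <= self._grace
            if hmac.compare_digest(value.encode(), presented.encode()) and live:
                ok = True                                    # keep scanning: no early exit on match
        self.audit.append((now, name, "auth_ok" if ok else "auth_fail", None))
        return ok

    def prune(self, name):
        """Drop versions past their grace window so retired values do not linger in the store."""
        now = self._clock()
        keep = [v for v in self._versions[name] if v[2] is None or now - v[2] <= self._grace]
        removed = len(self._versions[name]) - len(keep)
        self._versions[name] = keep
        return removed

def demo():
    """A secret is stolen from a workload host, then rotated; returns what still authenticates."""
    t = [1_700_000_000]                                      # constructed epoch clock, advanced by hand
    vault = SecretVault(clock=lambda: t[0], grace_seconds=300)
    vault.create("svc-backup")
    _, workload_secret = vault.current("svc-backup")         # workload reads the secret at startup
    stolen = workload_secret                                 # attacker exfiltrates it from the host
    out = {"stolen_before_rotation": vault.authenticate("svc-backup", stolen)}
    t[0] += 3600
    vault.rotate("svc-backup")                               # scheduled rotation
    out["stolen_in_grace"] = vault.authenticate("svc-backup", stolen)       # exposure window
    out["workload_in_grace"] = vault.authenticate("svc-backup", workload_secret)
    t[0] += 301
    _, workload_secret = vault.current("svc-backup")         # workload refreshes by name, not by value
    out["stolen_after_grace"] = vault.authenticate("svc-backup", stolen)
    out["workload_after_refresh"] = vault.authenticate("svc-backup", workload_secret)
    out["pruned_versions"] = vault.prune("svc-backup")
    return out
```

The grace window is the residual exposure: the stolen copy works until the window closes, so the rotation interval and the grace length together bound how long a leaked service-account secret is worth anything to an attacker. The `audit` list records every rotation and every authentication outcome, which is what a detection team would feed into alerting on uses of a retired version.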
While passwordless authentication and central vaults significantly reduce the risk, organizations should constantly watch for ransomware and other attacks that propagate inside the network after stealing a user's identity. Once attackers gain a foothold on an endpoint, they quickly map and enumerate the environment and locate mapped network shares, domain controllers, access to cloud infrastructure, etc.
Attackers can compromise service accounts, exploit them to gain remote access and deploy ransomware across the network. Forging Kerberos service tickets with a compromised service account's key, the Kerberos Silver Ticket attack, is one of the popular techniques: the forged ticket lets the attacker impersonate any user to that service, and because it is presented directly to the service the domain controller never sees a ticket request.
Similarly, the recent CVE-2020-1472 (ZeroLogon) vulnerability in the Netlogon protocol lets an unauthenticated attacker with network access to a domain controller reset its machine account password and take over the domain. A pair of zero-day vulnerabilities in Google Chrome (CVE-2020-15999) and Microsoft Windows (CVE-2020-17087) were chained and exploited together, the first for code execution in the browser and the second to escape its sandbox and gain administrator access to the system. Organizations investing in passwordless authentication should continue to focus on detecting and minimizing damage from attackers who exploit the environment after authentication. Despite these attacks, passwordless authentication is a good beginning for reducing the attack surface and improving cybersecurity.
VENU VISSAMSETTY, VICE PRESIDENT SECURITY RESEARCH AT ATTIVO NETWORKS