Tomorrow (Thursday 4 May) is World Password Day, an annual initiative that promotes better password habits.

Duane Nicol, cybersecurity expert at Mimecast, says passwords are often a weak link in security. An increase in regular security awareness training has made some headway in encouraging people to use unique, complex passwords, but even strong passwords don’t offer much protection if they are acquired in phishing attacks.

“Weak passwords such as ‘12345’ – which is still the most common password in use worldwide – and a tendency to reuse passwords across multiple services leave users and organisations vulnerable,” he says. “When people reuse passwords – for example for a social media or streaming service account – and that password is the same as the one they use for their corporate credentials, it can create massive security vulnerabilities.”

Identity-based attacks soar

The latest Mimecast State of Email Security 2023 report found that 71% of South African organisations had experienced an attack that spread from one infected employee to others, with 77% of those citing poor password hygiene as a top contributing factor.

Identity-based attacks are the source of most data breaches today. There is a thriving market for credentials that are harvested in phishing attacks and resold on the dark web. A recent report from Mimecast partner Crowdstrike found that demand for services of initial access brokers that sell illegitimate access to corporate networks more than doubled in the past year.

“It is vital that organisations implement layered security that can protect against phishing,” says Nicol. “Considering that most attacks make use of credentials – usually acquired through phishing attacks – integrating passwordless authentication into a layered and holistic security strategy can provide vital additional protection against compromise.

“Organisations should also offer regular and effective awareness training, which should include practical security questions and exercises. Training needs to reinforce good cyber hygiene like avoiding those ‘What Hogwarts House do you belong to?’ quizzes on Facebook.

“Not only do threat actors use these to build target profiles that are used in social engineering attacks, they’re also used to find out the answer to security questions – rendering challenge questions like ‘What was your first car?’ useless. These types of vulnerabilities can be avoided by implementing passwordless authentication.”

Passwordless authentication involves different ways to verify a user’s identity before granting access to services, networks or data. These include biometrics such as fingerprints and retina scans, authentication tokens such as one-time codes or app-based verification, and push notifications that ask a verified email account or device for authorisation to allow access.

“Overall, passwordless authentication can significantly enhance an organisation’s security posture and keep employees, systems and data protected,” says Nicol.

Adoption of passwordless authentication is also growing. A recent survey by Mimecast partner Okta found that just under one in five users of its platform have integrated an API for passwordless authentication, up from only 11% two years ago.

Best-practices can ease adoption despite hurdles

However, some common hurdles to the adoption of passwordless authentication remain. The requirement for multi-factor authentication can create friction in the user experience which may hamper productivity.

Companies that make use of multiple cloud platforms may also find that each platform has its own security protections, which don’t always integrate with company systems. And cost remains an issue: adopting passwordless authentication requires extensive system and policy changes, including establishing a zero-trust environment across the company’s network.

Nicol recommends that companies seeking to adopt passwordless authentication take note of best practices. “Avoid the complexity of a wholesale deployment by prioritising those parts of the network that can benefit most from passwordless authentication,” says Nicol. “Take care to prevent friction in the user experience by factoring in the context of user activity, using behavioural analytics to determine if there’s a need to step up security checks or if the user can continue their activity.

“Security awareness training is also important to not only ensure employees are more alert to cyber risks, but to create a more cyber aware culture where individuals realise that advanced security measures protect both their employer and themselves.”

Nicol also says passwordless authentication is easier to enforce when there is an existing zero-trust policy across the company network. “Organisations should implement policies that maintain least privileged access and continue to update those policies based on up-to-date threat intelligence. Automation can play a valuable role here by alleviating some of the pressure on security teams.”