The Shortcomings of Shared Secrets: Why Password-Less Must Be the Path Forward

By George Avetisov, Cofounder and CEO, HYPR

 Since the dawn of the Internet, there has been a constant struggle between those trying to secure their personal information and those trying to steal it. Although there have been many iterations of security models, they’ve all had one thing in common – a consistent reliance on “shared secrets.” Shared secrets are any knowledge-based credentials such as passwords, credit card numbers, bank PINs and your mother’s maiden name that are used as part of a login process. The unfortunate reality of these credentials is that they are easy to steal, compromise and reuse. In fact, more than 80% of all of today’s data breaches are the result of weak or stolen passwords and shared secrets. The prevalence of knowledge-based authentication models and the continued use of shared secrets has seen phishing attacks and credential reuse reach all-time highs, and with it we’ve seen Consumer Account Takeover (ATO) fraud double year over year. Right now, the bad guys are winning the battle in the war to protect our information.

Unfortunately, the story gets bleaker. As enterprises move more and more to the public cloud, the employee attack surface and the associated risk of a data breaches grow right alongside it. Today, hackers are performing and succeeding at, credential stuffing attacks on enterprise resources which were never before available to the outside world. This is because, through the massive data breaches that consistently flood our headlines, hackers are equipped with millions of compromised user shared secrets.

Companies recognize the situation they’re in and are trying to strengthen their security posture through newer credential authentication models such as two-factor authentication (2FA), short message service (SMS) and the newest model, multi-factor authentication (MFA). The problem with all of them is that they simply are adding another layer on top of the already flawed shared secret model. Whereas these models may be more difficult to attack, the attack vector is the same as for traditional shared secret models and hackers are so adept at bypassing these security measures that anything built on its infrastructure is inherently susceptible.

Therefore, it should come as no surprise that among these newer models, there is still much to be desired in terms of security. One of the most popular methods of execution for these models, favorited by banks and enterprises, is through one-time passwords (OTP). Upon signing into an account, the user is sent an OTP directly to their mobile device via an SMS text message. The user must then enter the OTP online in order to complete the authentication process and gain access to their account. As complex and difficult to hack as that sounds, the truth is that SMS messages can be intercepted in the carrier’s network through a technique called “SIM-Swap” fairly easily. This means that the OTP message is actually delivered to the wrong mobile phone – usually the one in the hands of fraudsters. This is so common that many of today’s most popular mobile malware variants come standardly equipped with SMS OTP stealing functions.

This model of authentication has proven to be so ineffective that the National Institute of Standards and Technology (NIST) deprecated the use of SMS as a strong second factor in authentication model more than two years ago – yet, it is still widely used. These man-in-the-middle attacks, where second and third authentication factors are sent to the hacker’s device instead of the user’s, have proven to be so successful for hackers that they common even among non-SMS based 2FA and MFA.

As much as the technology itself has security concerns, the other factor that must be considered is the user experience. Most 2FA and MFA implementations are clunky and are built without any kind of user experience considerations, which further stalls their adoption by consumers. This means that even if the security is better, consumers simply don’t to use it. In today’s efficiency-based world, truly effective security measures must be both effective and seamless fit into a consumer’s existing workflow.

By this point, you may be thinking that the situation is rather dire and you’re about ready to give up hope. Well, I’m happy to say that there is good news because over the last few years there have been several trends coming to maturity and pushing the world toward a new type of authentication that doesn’t rely on shared secrets at all – a model called “true password-less security.” As opposed to the other models we’ve examined, password-less security leverages decentralized authentication and biometrics directly on a user’s personal trusted device. This means passwords, shared secrets, and OTPs are replaced with public-key cryptography. For example, rather than using a password to login to your bank, you would use your thumbprint through an authentication portal sent directly to your mobile phone, thereby removing the need to ever enter a password or shared secret. This is an innovative solution that wouldn’t be possible if it weren’t for some key trends all coming together.

One of these trends is the mass adoption of biometric sensors by phone manufacturers as they have begun to use biometrics to allow users to unlock mobile devices and make online purchases. Because of this adoption, the sensors running these biometrics-enabled features have also grown is precision and sophistication. Since true password-less security is built on the foundation of biometrics, this is a critical advancement. Going hand-in-hand with this is the adoption of authentication standards, such as FIDO by enterprises, to govern their use. These standards provide organizations with a standard set of best practices and processes to ensure authentication models are as secure as possible.

Whereas biometrics technology and FIDO standards provide the basis for password-less security, widespread adoption has been significantly spurred as the largest technology companies in the world have jumped aboard the password-less train. Tech leaders like Google and Microsoft have been pushing companies to go password-less even to the point of Microsoft requiring it for organizations moving to Azure. Additionally, the three major web browsers (Chrome, Firefox, and Safari) have all enabled support for password-less authentication, paving the way for widespread adoption and seamless usability. Finally, even governments are beginning to recognize the potential as Europe signed the Payment Services Directive (PSD2) which is focused on driving strong customer authentication and pushing companies to reduce their reliance on traditional passwords.

With the technology basis well-established and world-leading governments and companies recognizing the potential of password-less security there is a perfect storm for eliminating the problems caused by shared secrets. As more companies adopt the password-less approach, we’ll see account takeover (ATO) fraud rates go down, and fewer “massive data breach” headlines will flood our everyday news cycle. It is time we took back our online security from the hackers who have been winning the war for far too long.

About the Author

The Shortcomings of Shared Secrets: Why Password-Less Must Be the Path ForwardGeorge Avetisov is Cofounder and Chief Executive Officer of HYPR, responsible for strategy and execution of the company’s vision. George sets forth the product and technical direction of the company, architects sales, and marketing strategies, and works closely with team leads to build strong company culture. Under George’s leadership, HYPR has grown to become a leading provider of decentralized authentication with millions of users secured across the globe. Named Forbes 30 under 30 in 2018, George brings with him a decade of experience in e-commerce, digital payments, and fraud prevention that have served as the foundation for HYPR’s vision.

George can be reached online at [email protected] and at our company website

July 7, 2019

cyber defense awardsWe are in our 11th year, and Global InfoSec Awards are incredibly well received – helping build buzz, customer awareness, sales and marketing growth opportunities, investment opportunities and so much more.
Cyber Defense Awards

12th Anniversary Top InfoSec Innovator & Black Unicorn Awards for 2024 are now Open! Finalists Notified Before BlackHat USA 2024...