Password sharing risk vector
Path to passwordless

The threat vector - password sharing or reused passwords

Perhaps an enterprise employee's password for a personal account (social or consumer accounts such as Gmail, Hotmail, Facebook, LinkedIn, or other mobile/web applications) is the same as their password for one of their enterprise app accounts. If that personal account is breached and the passwords are stolen, the enterprise has a problem: perhaps a million enterprise app accounts with reused passwords, an easy way for an adversary to gain unauthorized access.


The Verizon Data Breach Investigations Report claims that more than 80% of breaches involve password issues at some stage of the breach. This is the "password sharing risk vector".

In a typical breach, adversaries use some point on this attack surface to compromise an (Internet-facing) asset. Other points are then used to move laterally across the enterprise, compromise some valuable asset, and finally exfiltrate data or do damage. The more new technologies we adopt in the digital transformation of our businesses, the faster this set of vulnerabilities grows.

The solution - Passwordless

Because passwordless lets you replace the use and storage of passwords with more secure authentication mechanisms, it’s inherently safer than the risky password-based authentication some organizations are still relying on.

Passwordless authentication is a means to verify a user's identity without using a password. Instead, passwordless uses more secure alternatives such as possession factors (one-time passwords [OTP], registered smartphones), biometrics (fingerprint, retina scans), or hardware tokens (FIDO security keys).

The weakness and how we secure our access

Even though passwordless authentication is a major improvement over passwords, it is still not infallible. Passwordless authentication means gaining access to resources with an authentication factor other than a password. Unlike MFA, it may involve only one factor, such as a biometric. What you should consider:

  1. Relying on the FIDO2 standard, the first open identity standard created specifically to support passwordless authentication. FIDO2 uses public-key cryptography to provide the most secure method of passwordless authentication: the private key never leaves the user's device and is never stored on a server, so the credentials are hard to steal remotely.
  2. Combining passwordless with adaptive authentication, which uses machine learning to develop patterns of typical user behaviour. Whenever the system notices a deviation from the pattern, it treats the login attempt as risky and takes appropriate action.
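As an added example (not code from this article and not FEITIAN's code), the following Go program models the FIDO2 property behind point 1: a key pair is generated on the device, the relying party stores only the public key and a signature counter, and each login is a signature over a fresh server challenge bound to the relying party id. The structures, the hash layout in `signedData`, and the names `login.example` and `phish.example` are assumptions made for this example; real WebAuthn signs `authenticatorData` plus a client-data hash, which this simplifies.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Credential is all the relying party (server) keeps after registration:
// a credential id, the public key and the last signature counter it saw.
// There is no secret here for an attacker to take from a server database.
type Credential struct {
	ID      []byte
	PubKey  *ecdsa.PublicKey
	Counter uint32
}

// Authenticator models the user's device (security key, phone). The private
// key is generated on the device and never leaves it.
type Authenticator struct {
	priv    *ecdsa.PrivateKey
	credID  []byte
	counter uint32
}

// Assertion is the device's answer to one login challenge.
type Assertion struct {
	CredID    []byte
	Counter   uint32
	Signature []byte
}

// RelyingParty is the server side; ID is the origin credentials are bound to.
type RelyingParty struct {
	ID    string
	creds map[string]*Credential
}

func NewAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	id := make([]byte, 16)
	if _, err := rand.Read(id); err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv, credID: id}, nil
}

// Register hands the server the public half only.
func (a *Authenticator) Register() Credential {
	return Credential{ID: append([]byte(nil), a.credID...), PubKey: &a.priv.PublicKey, Counter: a.counter}
}

// signedData is a simplified stand-in (assumption) for WebAuthn's signed
// payload: relying party id, signature counter and challenge are all bound in.
func signedData(rpID string, counter uint32, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(rpID))
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	h.Write(ctr[:])
	h.Write(challenge)
	return h.Sum(nil)
}

// Assert signs the challenge for the origin the browser reports (rpID).
func (a *Authenticator) Assert(rpID string, challenge []byte) (Assertion, error) {
	a.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedData(rpID, a.counter, challenge))
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{CredID: append([]byte(nil), a.credID...), Counter: a.counter, Signature: sig}, nil
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, creds: map[string]*Credential{}}
}

func (rp *RelyingParty) Register(c Credential) { rp.creds[string(c.ID)] = &c }

// NewChallenge issues fresh randomness so a captured assertion cannot be replayed.
func (rp *RelyingParty) NewChallenge() ([]byte, error) {
	ch := make([]byte, 32)
	_, err := rand.Read(ch)
	return ch, err
}

// Verify checks the signature against the stored public key and the server's
// own ID, then requires the counter to move forward (replay/clone detection).
func (rp *RelyingParty) Verify(challenge []byte, as Assertion) error {
	cred, ok := rp.creds[string(as.CredID)]
	if !ok {
		return errors.New("unknown credential")
	}
	if !ecdsa.VerifyASN1(cred.PubKey, signedData(rp.ID, as.Counter, challenge), as.Signature) {
		return errors.New("signature invalid: wrong key, wrong origin or tampered data")
	}
	if as.Counter <= cred.Counter {
		return errors.New("signature counter did not increase: replay or cloned authenticator")
	}
	cred.Counter = as.Counter
	return nil
}

func main() {
	auth, _ := NewAuthenticator()
	rp := NewRelyingParty("login.example")
	rp.Register(auth.Register())
	ch, _ := rp.NewChallenge()
	as, _ := auth.Assert("login.example", ch)
	fmt.Println("login:", rp.Verify(ch, as), "| replay:", rp.Verify(ch, as))
	ch2, _ := rp.NewChallenge()
	as2, _ := auth.Assert("phish.example", ch2) // browser on a look-alike origin
	fmt.Println("wrong origin:", rp.Verify(ch2, as2))
}
```

The two failing calls in `main` are the point: replaying a captured assertion fails on the counter, and an assertion produced for a different origin fails signature verification because the relying party id is part of the signed data, which is why FIDO2 credentials resist phishing without the user having to notice the wrong domain.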

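As an added example, not part of the article, the following Go program shows a minimal form of the adaptive check in point 2 using fixed rules in place of machine learning: a baseline of devices, countries and login hours is built from past successful logins, and a new attempt is scored for an unknown device, an unknown country, an unusual hour and impossible travel, then mapped to allow, step-up or deny. The user, devices, coordinates, weights and thresholds are all constructed for this example.

```go
package main

import (
	"fmt"
	"math"
	"time"
)

// Login is one authentication event. Coordinates would come from IP
// geolocation in a real system; here they are constructed sample values.
type Login struct {
	Device   string
	Country  string
	Lat, Lon float64
	At       time.Time
}

// Profile is the learned baseline for one user.
type Profile struct {
	Devices   map[string]bool
	Countries map[string]bool
	Hours     [24]int // successful logins per UTC hour
	Last      *Login  // most recent successful login
}

type Decision string

const (
	Allow  Decision = "allow"
	StepUp Decision = "step-up" // ask for a second factor
	Deny   Decision = "deny"
)

// BuildProfile learns the baseline from past successful logins, in time order.
func BuildProfile(history []Login) *Profile {
	p := &Profile{Devices: map[string]bool{}, Countries: map[string]bool{}}
	for i := range history {
		p.Devices[history[i].Device] = true
		p.Countries[history[i].Country] = true
		p.Hours[history[i].At.UTC().Hour()]++
		p.Last = &history[i]
	}
	return p
}

// haversineKm is the great-circle distance between two points.
func haversineKm(lat1, lon1, lat2, lon2 float64) float64 {
	rad := func(d float64) float64 { return d * math.Pi / 180 }
	dLat, dLon := rad(lat2-lat1), rad(lon2-lon1)
	a := math.Sin(dLat/2)*math.Sin(dLat/2) +
		math.Cos(rad(lat1))*math.Cos(rad(lat2))*math.Sin(dLon/2)*math.Sin(dLon/2)
	return 2 * 6371.0 * math.Asin(math.Sqrt(a))
}

// Score adds a constructed weight per deviation and keeps the reasons for audit logs.
func (p *Profile) Score(l Login) (int, []string) {
	score, reasons := 0, []string{}
	add := func(w int, why string) { score += w; reasons = append(reasons, why) }
	if !p.Devices[l.Device] {
		add(40, "unknown device")
	}
	if !p.Countries[l.Country] {
		add(30, "unknown country")
	}
	if p.Hours[l.At.UTC().Hour()] == 0 {
		add(10, "unusual hour")
	}
	if p.Last != nil {
		km := haversineKm(p.Last.Lat, p.Last.Lon, l.Lat, l.Lon)
		if hrs := l.At.Sub(p.Last.At).Hours(); hrs > 0 && km/hrs > 900 { // faster than any airliner
			add(50, "impossible travel")
		}
	}
	return score, reasons
}

func Decide(score int) Decision {
	switch {
	case score < 30:
		return Allow
	case score < 60:
		return StepUp
	}
	return Deny
}

// DemoScores scores four constructed attempts against a constructed history.
func DemoScores() map[string]int {
	berlin := Login{Device: "laptop-01", Country: "DE", Lat: 52.52, Lon: 13.405}
	at := func(l Login, d, h, m int) Login { l.At = time.Date(2024, time.March, d, h, m, 0, 0, time.UTC); return l }
	p := BuildProfile([]Login{at(berlin, 4, 9, 0), at(berlin, 4, 14, 0), at(berlin, 5, 9, 30), at(berlin, 5, 16, 0)})
	phone := berlin
	phone.Device = "phone-99"
	saoPaulo := Login{Device: "phone-99", Country: "BR", Lat: -23.55, Lon: -46.63}
	attempts := map[string]Login{
		"same-device":       at(berlin, 6, 9, 15),
		"new-device":        at(phone, 6, 9, 15),
		"off-hours":         at(berlin, 6, 3, 0),
		"impossible-travel": at(saoPaulo, 5, 16, 30), // 30 min after the last Berlin login
	}
	out := map[string]int{}
	for name, l := range attempts {
		s, why := p.Score(l)
		out[name] = s
		fmt.Printf("%-18s score=%3d %-8s %v\n", name, s, Decide(s), why)
	}
	return out
}

func main() { DemoScores() }
```

Note that an unusual hour alone stays under the allow threshold, while a new device on its own triggers step-up rather than denial; the weights are deliberately additive so that the combination of signals in the last attempt, not any single one, is what produces a deny.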

More than that...

Depending on the industry, there are specific requirements for passwordless that call for an industry-focused solution. There is a provider with an industry-focused solution and product design that works on many device types and platforms (such as the iePass FIDO2 USB-C + iOS Lightning Security Key, the product I love). It will serve you well (I am using it to secure my personal accounts too). Check more details of the solutions at Solutions, Compliances, References | FEITIAN (ftsafe.com).


Thank you Ryan, I wish you a great passwordless experience with FEITIAN Technologies.
