Between phishing scams, ransomware and social media cyberattacks, security incidents are now a daily occurrence for many businesses. Attackers are growing in sophistication and are looking to catch your employees off guard to gain access to your critical data. Because your employees are typically your front line of defense against cybercrime, it's critical to set them up for success with simple but effective security protocols they can follow to keep your organization safe.
Passwordless authentication greatly enhances the effectiveness of a typical multifactor authentication (MFA) deployment without adding any burden for employees. We recently sat down with Corsica's CISO, Ross Filipek, to talk about how passwordless authentication can help businesses keep their employees, and their data, safe.
What is Passwordless Authentication?
In a typical Microsoft 365 or Azure Active Directory environment with MFA, users authenticate in three discrete steps. First, they enter their email address. If it’s a valid address for that domain, they’re then prompted to enter their password. If the password is valid, they’re finally prompted to acknowledge an MFA push notification to their mobile device.
Passwordless authentication involves a subtle change to the sequence described above, but it’s a change that creates a highly attack-resistant process. With passwordless authentication, users still enter their email address. But if it’s a valid address, they’re then shown a random one-time passcode that they then need to enter into the Authenticator app on their mobile device. So now we’ve removed static passwords from the equation and combined the second and third steps described above.
I have MFA. Isn’t that enough?
Not in today’s cyberthreat landscape. MFA is intended to offset the risk of static passwords, which are still routinely phished and acquired by attackers. However, attackers have become good at tricking users into acknowledging fraudulent MFA push notifications, and when this happens it effectively allows the attacker to bypass the protections that MFA was intended to provide.
The reason passwordless authentication is so effective is that, even if an attacker manages to steal a user’s password and attempt to sign into that user’s account, the user has no way of knowing what random one-time passcode to enter into the Authenticator app. In other words, passwordless authentication is highly phishing-resistant. When there’s no static password to phish, and no method to trick a user into acknowledging a fraudulent authentication factor, Business Email Compromise (BEC) and Account Takeover (ATO) attacks are unlikely to succeed.
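As an added illustration of the two sign-in sequences described above and of the stolen-password argument in this answer, the Python below models both flows end to end: an identity provider, the user's Authenticator app, and an attacker who holds the user's password but never the phone. This is example code written for this page, not Corsica's or Microsoft's; the two-digit number-matching prompt, the in-memory directory, the event names and the "fatigued user who approves every push" behaviour are assumptions chosen for illustration.

```python
"""Toy model of the two sign-in flows discussed in the interview (added example).

Assumed for illustration, not taken from the page: a two-digit number-matching
prompt, an in-memory user directory, and an attacker who knows the password
but has no access to the user's phone.
"""
import secrets
from dataclasses import dataclass

PASSWORD_PUSH = "password+push"   # email -> password -> approve a push notification
PASSWORDLESS = "passwordless"     # email -> number shown on screen -> entered in the app


@dataclass
class User:
    email: str
    password: str
    approves_any_push: bool = False   # push-fatigue victim: taps Approve reflexively


class Authenticator:
    """The phone-side app. Only the user can act on it; an attacker who stole the
    password still cannot make it do anything."""

    def __init__(self, user: User):
        self.user = user

    def on_push(self, user_is_signing_in: bool) -> bool:
        # A push carries no information, so the only decision is Approve or not.
        # Someone actually signing in approves; a fatigued user approves anyway.
        return user_is_signing_in or self.user.approves_any_push

    def on_number_prompt(self, number_on_users_screen):
        # The app asks for the number shown on the sign-in screen. A user who is
        # not looking at a sign-in screen has nothing to copy, so they decline (None).
        return number_on_users_screen


class IdP:
    """Minimal identity provider enforcing one of the two policies."""

    def __init__(self, users, policy: str):
        self.users = {u.email: u for u in users}
        self.policy = policy
        self.events = []   # (email, event) pairs; the kind of signal a SOC would ingest

    def _log(self, email: str, event: str, ok: bool) -> bool:
        self.events.append((email, event))
        return ok

    def sign_in(self, app: Authenticator, email: str, password=None,
                user_is_signing_in: bool = False) -> bool:
        """user_is_signing_in says whose browser the prompt appears on:
        the user's own (True) or an attacker's (False)."""
        user = self.users.get(email)
        if user is None:
            return self._log(email, "unknown_user", False)
        if self.policy == PASSWORD_PUSH:
            if password != user.password:
                return self._log(email, "bad_password", False)
            approved = app.on_push(user_is_signing_in)
            return self._log(email, "push_approved" if approved else "push_declined", approved)
        # PASSWORDLESS: no static password at all. The server picks a random number
        # and shows it only on the browser that started this sign-in attempt.
        number = secrets.randbelow(100)
        entered = app.on_number_prompt(number if user_is_signing_in else None)
        if entered is None:
            return self._log(email, "prompt_declined", False)
        matched = entered == number
        return self._log(email, "number_match" if matched else "number_mismatch", matched)


def attacker_with_password(user: User, policy: str, attempts: int = 5):
    """Attacker knows the password and starts sign-ins from their own browser.
    Returns (did any attempt succeed, list of events the IdP recorded)."""
    idp, app = IdP([user], policy), Authenticator(user)
    wins = [idp.sign_in(app, user.email, user.password, user_is_signing_in=False)
            for _ in range(attempts)]
    return any(wins), [event for _, event in idp.events]


def legitimate_sign_in(user: User, policy: str) -> bool:
    """The real user signs in from their own browser under the given policy."""
    idp, app = IdP([user], policy), Authenticator(user)
    return idp.sign_in(app, user.email, user.password, user_is_signing_in=True)


if __name__ == "__main__":
    careful = User("alice@example.com", "hunter2")                         # constructed sample users
    fatigued = User("bob@example.com", "hunter2", approves_any_push=True)
    print("push, fatigued user :", attacker_with_password(fatigued, PASSWORD_PUSH))
    print("passwordless, same  :", attacker_with_password(fatigued, PASSWORDLESS))
    print("legit passwordless  :", legitimate_sign_in(careful, PASSWORDLESS))
```

The model covers exactly the case this answer describes: the attacker holds the password but is not the person looking at the legitimate sign-in screen. Under the password-plus-push policy a fatigued user hands the attacker the session by tapping Approve; under the passwordless policy the same user is asked for a number that only the attacker's browser displayed, so the attempt fails and the IdP records a `prompt_declined` event. A run of those events for one account, with no matching successful sign-in, is worth an alert in its own right, since it means someone other than the user is triggering prompts.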
Is there an example you can think of where passwordless authentication could have prevented a breach?
In a highly publicized incident earlier this year, many organizations using Single Sign-On (SSO) via a leading identity services provider were breached. In this attack, cybercriminals cloned the SSO portals of the targeted companies and sent the users SMS messages with links to the spoofed portals, telling them they had been logged out and needed to log in again. When the users clicked the links to access the spoofed portals and entered their email addresses, passwords, and MFA passcodes, the attackers were in position to intercept all this information and then use it to obtain fraudulent access to the users' accounts.
This attack was unsuccessful against one of the targeted organizations, however, because that company was already using passwordless authentication.
Is the process easy for employees? They already struggle with security protocols.
The passwordless authentication process is arguably easier for users to navigate than the standard MFA process used today by many organizations. With passwordless authentication, users no longer need to enter their passwords, which helps to save a bit of time during logon. And those users are already using the Authenticator app, so passwordless authentication does not create an additional burden there.
Does this replace the need for passwords for everything?
It can replace the need for passwords within organizations that have integrated all systems and applications with single sign-on (SSO).
Get started with passwordless authentication.
Corsica's team of IT and security experts is here to help you implement protocols and training programs that keep your employees safe and your business secure. To learn how Corsica can help you approach security with confidence, speak to a member of our team today.