Curse of the identity snatchers! Stop cybercriminals with MFA and the FIDO Alliance

SADA Says | Cloud Computing Blog

By Mike Laramie | SADA Associate CTO, Security


The evolution of cloud security practices has been marked by a constant cat-and-mouse game between hackers and security professionals. Over the years, we’ve seen a significant shift in the methods and tools used to protect our digital identities, moving away from traditional password-based authentication towards more robust solutions like passkeys and multifactor authentication (MFA). In this blog post, we’ll explore the reasons behind this shift, examine the evolving attack vectors, and discuss the role of the FIDO Alliance in improving the way we authenticate ourselves in the digital world. We’ll also provide you with a glossary of key terms related to cloud security to help you better understand this complex landscape.

The password problem


The reliance on passwords has been a long-standing security issue. Early on, users often chose weak, easy-to-guess passwords, leaving their accounts vulnerable to brute-force attacks. Fortunately, we’ve come a long way since then.

Password complexity checks: Nowadays, most user sign-up pages and password reset mechanisms include checks for password complexity. This ensures that a user creates more secure passwords, typically requiring a mix of uppercase and lowercase letters, numbers, and special characters.

Password managers: A password manager is an invaluable tool for managing the growing number of passwords we need. Password managers store and generate complex passwords, ensuring that users don’t fall back on easily guessable options.

Moreover, these managers can check stored passwords against known compromised ones, providing an extra layer of security. Strong passwords are the key to secure sign-ins.

Phishing attacks: As passwords became more secure, hackers pivoted to phishing attacks. In a typical phishing scenario, attackers send deceptive emails or messages to specific individuals, enticing users to click on malicious links. These links lead to fake login pages that closely resemble legitimate ones. When users enter their credentials, the attackers capture the confidential information.

SIM swap attacks: With the public becoming increasingly aware of phishing threats, hackers have adapted by using SIM swap attacks. In this approach, attackers gather personal information about their targets, such as email addresses, physical addresses, phone numbers, and the last four digits of their Social Security Numbers (SSNs). Armed with this information, they impersonate the victims to their mobile service providers, requesting a SIM card swap. Once they have control of the victim’s mobile number, they can intercept SMS-based password reset codes, effectively taking over accounts.

Multifactor authentication (MFA) and the future of cloud security


Multifactor authentication (MFA), sometimes known as two-factor authentication, plays a crucial role in enhancing cloud security. MFA goes beyond the traditional username and password combination, requiring users to provide at least two forms of verification before granting access. Here’s what you need to know about MFA:

MFA types: MFA can include a combination of something you know (e.g., a password), something you have (e.g., a mobile device or smart card), and something you are (e.g., a fingerprint or facial recognition). This makes it far more challenging for attackers to gain unauthorized access.

Increased security: By requiring multiple forms of authentication, MFA adds an extra layer of security. Even if an attacker obtains a password, they won’t be able to access the account without the additional authentication methods.

Widespread adoption: Many online services and applications now offer MFA as an option, making it accessible to users who want to enhance their security. MFA is an effective defense against various attack vectors, including phishing and credential stuffing.

Convenience vs. security: MFA introduces a trade-off between security and convenience. While it offers robust protection, it can also be seen as an extra step for users. Striking the right balance between security and user experience is crucial.

The rise of passkeys


In response to the question of convenience vs. security, the FIDO Alliance has introduced a groundbreaking approach to authentication known as passkeys. Instead of relying solely on a password, this system uses your Android device, mobile phone, or other device to confirm your identity to the server. This not only reduces the risk of phishing attacks but also mitigates man-in-the-middle attacks and other security vulnerabilities that put your sensitive data at risk.

Key points that highlight the direction of identity authentication in light of the changing attack vectors include:

  • Reduced reliance on passwords: Passkeys significantly reduce reliance on traditional passwords, as they are no longer the primary means of authentication. Unlike passwords, they act as an additional layer of security, making it extremely difficult for hackers to compromise accounts.
  • Phishing resilience: Since passkeys do not require users to manually input their credentials, phishing attacks become less effective. Attackers can no longer trick users into revealing their passwords because the device itself verifies their identity, providing protection against data breaches, identity fraud, and other cyber threats.
  • User-friendly adoption: Passkey authentication is becoming more accessible, thanks to the widespread support for this technology on modern devices and workstations. With many devices now equipped to support passkey authentication, user adoption is growing.

What is FIDO?

FIDO stands for Fast IDentity Online. The FIDO Alliance is a group that established free, open standards that allow password-only logins to be replaced with secure fast login experiences across multiple apps and websites. The group advocates for standard, public-key cryptography that provides strong authentication and leaves no data at rest. The open standard FIDO U2F (Universal 2nd Factor) simplifies 2-factor authentication and provides added security to protect personal information. 

Evolving authentication to keep up with evolving cyber threats


The FIDO Alliance is at the forefront of transforming the way we authenticate ourselves in the digital world to confront cyber crime. FIDO aims to provide secure and user-friendly authentication solutions. 

Here are some key points about the FIDO Alliance and its mission:

Industry collaboration: The FIDO Alliance is an industry group that collaborates with various stakeholders, including technology companies, security experts, and device manufacturers. Together, they work to establish stronger authentication solutions for the internet.

Passkeys: The FIDO Alliance’s most notable contribution is the development and promotion of passkey authentication to protect sensitive information. Passkeys are a replacement for traditional passwords, based on FIDO standards. They are designed to enhance security and usability, reducing the reliance on static passwords that may leave a computer system vulnerable to a data breach.

Reducing attack vectors: The FIDO Alliance’s efforts are aimed at reducing common attack vectors, such as phishing attacks and man-in-the-middle attacks. By shifting the authentication process from passwords to passkeys, they have made it significantly harder for attackers to compromise user accounts.

Enhancing user experience: FIDO’s approach not only increases security but also enhances the user experience. Passkey authentication is more seamless, reducing friction for users while maintaining high-security standards. FIDO has teamed up with the World Wide Web Consortium (W3C) to develop the FIDO2 specification, a combination of FIDO’s Client to Authenticator Protocol (CTAP) and W3C’s Web Authentication (WebAuthn).

How does FIDO work?

The user’s client device creates a new key pair during registration with an online service. The device retains the private key and registers the public key with the online service. The device provides authentication by proving possession of the key to the service by signing a challenge. The client’s private keys can be used only after they are unlocked locally on the device by the user. 
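The registration and challenge-signing flow described above, as an added example that is not part of the original post or of any FIDO library. It is a simplified model in Node.js, not the WebAuthn wire format: the class names, the `login.example` and `look-alike.example` origins, and the JSON layout of the signed data are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Device side: the private key is created here and never leaves this object.
class Authenticator {
  register() {
    const { publicKey, privateKey } =
      crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.privateKey = privateKey;
    return publicKey; // only the public key is sent to the online service
  }
  // Signs the challenge together with the origin the client is actually on.
  sign(challenge, origin, userUnlocked) {
    if (!userUnlocked) throw new Error('key locked: local unlock required');
    const clientData = JSON.stringify({ challenge: challenge.toString('base64url'), origin });
    const signature = crypto.sign('sha256', Buffer.from(clientData), this.privateKey);
    return { clientData, signature };
  }
}

// Service side: stores public keys and issues single-use random challenges.
class RelyingParty {
  constructor(origin) { this.origin = origin; this.keys = new Map(); this.pending = new Set(); }
  enroll(user, publicKey) { this.keys.set(user, publicKey); }
  newChallenge() {
    const c = crypto.randomBytes(32);
    this.pending.add(c.toString('base64url'));
    return c;
  }
  verify(user, { clientData, signature }) {
    const { challenge, origin } = JSON.parse(clientData);
    if (!this.pending.delete(challenge)) return 'unknown-or-replayed-challenge';
    if (origin !== this.origin) return 'origin-mismatch';
    const key = this.keys.get(user);
    const valid = key && crypto.verify('sha256', Buffer.from(clientData), key, signature);
    return valid ? 'ok' : 'bad-signature';
  }
}

// Constructed scenario: one valid sign-in, the same response resent,
// and a response produced while the client was on a look-alike origin.
function demo() {
  const rp = new RelyingParty('https://login.example');
  const device = new Authenticator();
  rp.enroll('alice', device.register());
  const good = device.sign(rp.newChallenge(), 'https://login.example', true);
  const first = rp.verify('alice', good);
  const replay = rp.verify('alice', good);
  const other = device.sign(rp.newChallenge(), 'https://look-alike.example', true);
  return { first, replay, phished: rp.verify('alice', other) };
}
```

Because the service holds only the public key and each challenge is consumed on first use, a captured response or one signed for a different origin is rejected even though the signature itself is genuine.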

Embracing the future of cloud security with SADA


The evolution of cloud security practices has been driven by the ever-changing threat landscape and the need for stronger authentication methods. The transition from weak passwords to passkeys and multifactor authentication is a significant step forward in the ongoing battle to protect our digital identities. Looking ahead, we see an increasing role for even more innovative security methodologies, including biometric authentication, cryptographic keys, and other apps and services designed to thwart cybercriminals every step of the way.

As users become more educated about the risks associated with traditional passwords and the tactics employed by hackers, we expect the adoption of passkey authentication and MFA to rise. These technologies not only enhance security but also provide a more user-friendly experience, offering users peace of mind as they manage Google accounts, third-party apps, mobile phones, and other devices.

At SADA, we understand the importance of devising the right identity strategy for your environment. We offer expertise in workspace configurations and best practices for strong authentication to stop cybercriminals before they can steal data. Through our partnership with Okta, we provide additional functionality to enhance your security. If you’re concerned about the security of your digital assets, reach out for a Cloud Security Confidence Assessment, in which SADA security experts perform a complete analysis of your system and its vulnerabilities.

Glossary of key terms

2SV – 2-step verification: A security process that requires users to provide two forms of verification before accessing an account, typically a password and a one-time code sent to a mobile device.

FIDO Alliance: An industry group dedicated to improving internet security through the development of stronger authentication solutions, including passkeys.

MFA – multifactor authentication: A security practice that requires users to provide multiple forms of authentication, such as a password and a fingerprint scan, to access an account.

Passkeys: A replacement for passwords, based on FIDO standards, that relies on a user’s device to confirm their identity to a server.

Passwords: Traditional alphanumeric codes used to authenticate users, which are increasingly being replaced by more secure methods.

U2F – Universal 2nd Factor: A security standard developed by the FIDO Alliance that allows for strong, public-key cryptography-based authentication.
