A Password-less Future
A password-less future is on the horizon. The days of remembering five different passwords for five different systems are already behind us, and the days of using passwords at all are numbered.
In fact, Google has reported that since it began requiring Security Keys for all employees in early 2017, none of its staff have had an account taken over by phishing. How does this future work? Are you ready to embrace it?
Credential theft through phishing email is nothing new, but it remains the single largest threat facing most organizations. It is hard to defend against because it depends on every employee making the right decision every time a phishing email arrives. As defenders, we reduce the risk by restricting user permissions, training users, and deploying multi-factor authentication. These layers help, but each leaves room for attackers to adapt: a one-time code or a push approval can be relayed by a phishing site in real time, so MFA on its own raises the bar without removing the underlying problem.
How can we prevent credential theft forever?
Phishing for credentials has one goal: to trick the target into handing the attacker a secret that can be reused, whether a password or a one-time code. The only way to guarantee these attacks fail is to stop relying on secrets a user can be tricked into typing. That is where Universal 2nd Factor (U2F) comes in. Instead of a shared secret, U2F uses a physical Security Key holding a private key that never leaves the device. At login the site sends a random challenge, the browser records the origin the user is actually on, and the key signs both; the site accepts the signature only if the origin is its own and the challenge is the one it just issued. A look-alike site can relay the challenge, but the signature it obtains names the wrong origin and is worthless to the real site, and there is no password or code for the user to hand over. U2F itself is a second factor used alongside the password; the same challenge-and-origin design, carried forward in the FIDO2/WebAuthn work, is what lets a Security Key replace the password entirely, so that once a key is enrolled the user no longer types a password to log in.
U2F is an open standard, developed by Google and Yubico beginning in 2012 and published through the FIDO Alliance, and it has been gaining adoption ever since. The World Wide Web Consortium (W3C) began standardizing a browser API for this kind of authentication (Web Authentication, or WebAuthn) in 2016. Since then many major web service providers, including Google, Salesforce, and Duo Security, have adopted the standard. At the time of writing, some browsers (Chrome, Firefox, and Opera) fully support U2F, while others (Edge, Safari) are at various stages of implementing it.
What can you do now?
Have a plan to centralize identity management across your organization. Google and Microsoft (depending on which cloud platform you use) are common choices for this, and providers such as Duo Security, OneLogin, and Okta are also popular. Each has a slightly different look and feel, so choose one that works for your users. The more sites that sit behind the same identity provider, the more you gain when you deploy U2F, because a single Security Key enrollment then protects every application that provider fronts.
The best defense against credential theft available to most organizations right now is app-based multi-factor authentication. If it is not already deployed, it should be the highest-priority project on your technology plan, and the argument for a centralized identity provider applies to it just as much. Treat it as the interim step rather than the destination, and turn on Security Key support wherever your identity provider already offers it.