Before public cloud services, computing infrastructure was expensive, hosted on-premises, and reserved for big enterprises and universities. Now, anyone with a credit card can access an unlimited supply of cloud apps and computing power.
While cloud services offer many benefits, the accessibility of the cloud has also made identity attacks targeting passwords much more popular. The frequency of these attacks has increased sharply over the last few years, and as more services move online and the value of data grows, identity attacks will become even more popular.
How are hackers targeting passwords?
Hackers have a variety of techniques at their disposal. Exploiting vulnerabilities in software or deceiving users through social engineering are two common tactics, but brute-force attacks carried out by automated bots are gaining ground. In fact, a recent report from Akamai indicates that “more than 40% of global login attempts are malicious, thanks to bot-driven credential stuffing attacks”. This increases the likelihood of attacks affecting your organization.
Two types of brute-force attacks that target passwords have recently been gaining ground:
- Credential stuffing: this attack takes advantage of users reusing credentials across multiple accounts (73% of passwords are duplicates). Most people have had account credentials compromised as part of a data breach. Attackers acquire credentials from a website breach and use bots to test them against a variety of other sites.
- Password spraying: this attack takes advantage of our tendency to rely on common passwords such as “password1” (which, according to Pwned Passwords, has appeared in data breaches over 2.3 million times!). Attackers try a dictionary of commonly used passwords across many different accounts, rather than many passwords against a single account, which helps avoid detection.
Once attackers encounter a successful login, they either harvest sensitive data or execute the next stage of their breach.
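The two attack shapes described above leave different fingerprints in an authentication log, and a defender can separate them from ordinary typos. The following Python script is an added example (not Okta code): it parses a constructed log, flags a single source IP that fails against many distinct accounts in one window (the spraying shape), and flags a window in which many source IPs each fail against exactly one account (the distributed credential-stuffing shape). The log format, the five-minute window and the thresholds are assumptions.

```python
"""Detect password-spraying and credential-stuffing patterns in login logs.

Added example (not Okta code). Thresholds and the log format are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one login attempt per line:
#   <ISO-8601 timestamp> <source IP> <username> <FAIL|SUCCESS>
# First burst: one IP walks through many accounts (spraying shape).
# Second burst: many IPs each try a different account once (stuffing shape).
# Last two lines: a user mistypes a password, then succeeds (benign).
SAMPLE_LOG = """\
2024-01-15T10:00:01Z 203.0.113.10 alice FAIL
2024-01-15T10:00:02Z 203.0.113.10 bob FAIL
2024-01-15T10:00:03Z 203.0.113.10 carol FAIL
2024-01-15T10:00:04Z 203.0.113.10 dave FAIL
2024-01-15T10:00:05Z 203.0.113.10 erin FAIL
2024-01-15T10:00:06Z 203.0.113.10 frank SUCCESS
2024-01-15T10:05:00Z 198.51.100.1 grace FAIL
2024-01-15T10:05:01Z 198.51.100.2 heidi FAIL
2024-01-15T10:05:02Z 198.51.100.3 ivan FAIL
2024-01-15T10:05:03Z 198.51.100.4 judy FAIL
2024-01-15T10:05:04Z 198.51.100.5 mallory FAIL
2024-01-15T10:05:05Z 198.51.100.6 oscar SUCCESS
2024-01-15T11:00:00Z 192.0.2.50 alice FAIL
2024-01-15T11:00:30Z 192.0.2.50 alice SUCCESS
"""

WINDOW = timedelta(minutes=5)  # assumed detection window


def parse_log(text):
    """Return a list of (timestamp, ip, user, success) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        stamp = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append((stamp, ip, user, result == "SUCCESS"))
    return events


def detect_spraying(events, window=WINDOW, min_users=5):
    """Spraying shape: one source IP fails against many *different* accounts
    inside a window (a few common passwords tried everywhere, so no single
    account trips a lockout counter). Returns {ip: set_of_users}."""
    fails_by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        if not ok:
            fails_by_ip[ip].append((ts, user))
    flagged = {}
    for ip, fails in fails_by_ip.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            users = {u for _, u in fails[start:end + 1]}
            if len(users) >= min_users:
                flagged[ip] = users
                break
    return flagged


def detect_stuffing(events, window=WINDOW, min_users=5, min_ips=5):
    """Stuffing shape: breached username/password pairs replayed by a bot
    fleet, so many source IPs each fail against exactly one account in the
    same window. Returns a list of (window_end, frozenset_of_users)."""
    fails = sorted((ts, ip, user) for ts, ip, user, ok in events if not ok)
    alerts = []
    start = 0
    for end in range(len(fails)):
        while fails[end][0] - fails[start][0] > window:
            start += 1
        users_by_ip = defaultdict(set)
        for _, ip, user in fails[start:end + 1]:
            users_by_ip[ip].add(user)
        # IPs that touched exactly one account ("one-shot" bots)
        single = {ip: next(iter(u)) for ip, u in users_by_ip.items() if len(u) == 1}
        if len(single) >= min_ips and len(set(single.values())) >= min_users:
            alerts.append((fails[end][0], frozenset(single.values())))
            start = end + 1  # reset so the same cluster is reported once
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("spraying sources:", detect_spraying(evs))
    print("stuffing windows:", detect_stuffing(evs))
```

The benign case (one user failing once and then succeeding) trips neither rule, and the spraying source does not count toward the stuffing rule because it touched more than one account. In production the same per-IP and per-window counters would be fed from the identity provider's event stream rather than a static file.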
How can we mitigate password attacks?
Given the popularity of these attacks, knowing how to mitigate them has become incredibly important. Although there is no single silver bullet to block brute-force attacks, here are two approaches to mitigating password attacks:
Account lockout
A common approach is to configure systems to lock users out of their accounts after multiple incorrect password submissions. While this approach is useful, it still relies on password authentication and only slightly reduces the likelihood of account compromise. In addition, hackers could abuse this feature to affect your service availability by deliberately locking out legitimate users.
Adaptive multi-factor authentication (AMFA)
A more robust option is to use adaptive multi-factor authentication (AMFA) as part of the login process. AMFA extends the login process with additional security controls beyond password validation alone. These include validating the request context (e.g., using geolocation, IP reputation, device, and behavior data) and requiring users to submit an additional verification factor. Such factors might include something the user owns, like a security token, or something unique to the user, like a fingerprint.
By tuning your security policies with Adaptive MFA, you can give customers an effective balance of usability and security. Instead of blanket policies that frustrate users, the login outcome (deny, prompt for MFA, or allow) is a direct result of the risk assessed for that request.
Using AMFA, Okta has developed several specific mitigation strategies that customers can employ based on their business scenarios and trade-offs. These include:
- Implementing MFA for employees and partners can drastically mitigate the risk of account compromise due to password attacks. Since Okta is able to implement MFA on top of federated authentication, you can also extend MFA to partners, regardless of which identity solution they currently use.
- Limiting MFA enrollment to higher-assurance conditions reduces the likelihood of compromise during MFA enrollment. For example, you can allow enrollment only when the user is logging in from your intranet.
- Denying login attempts, or locking accounts, based on geolocation such as the user's country, e.g., access from Brazil for an employee in the USA group.
- Blacklisting atypical networks reduces login attempts from locations you don't expect access from.
In addition, customers can request support to turn on additional protections such as preventing access from unknown or malformed user agents.
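To make the adaptive decision concrete, the following Python sketch is an added example (not Okta code or configuration) of a risk-based login policy: hard checks for the strategies listed above (malformed user agent, blocklisted atypical networks, country not permitted for the user's group, MFA enrollment only from the intranet) run first, and every remaining request gets deny, MFA or allow from a context-derived risk score. The networks, country lists, risk weights and thresholds are constructed assumptions.

```python
"""Risk-based login decision: allow, prompt for MFA, or deny.

Added example, not Okta code or configuration. Networks, country lists,
weights and thresholds are constructed assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass


@dataclass
class User:
    name: str
    group: str           # e.g. "USA" or "EMEA"
    mfa_enrolled: bool


@dataclass
class LoginContext:
    source_ip: str
    country: str         # ISO country code resolved from the source IP
    user_agent: str
    known_device: bool   # device previously seen for this user
    ip_reputation: str   # "good", "suspicious" or "malicious"


# Constructed policy data (assumptions)
INTRANET = [ipaddress.ip_network("10.0.0.0/8")]
BLOCKED_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]  # atypical networks
ALLOWED_COUNTRIES = {"USA": {"US", "CA"}, "EMEA": {"DE", "FR", "GB"}}
# A well-formed user agent: printable, starts with a letter, bounded length
UA_RE = re.compile(r"^[A-Za-z][\w .:;/()+,\-]{3,255}$")
MFA_THRESHOLD = 2
DENY_THRESHOLD = 5


def in_any(ip, networks):
    return any(ip in net for net in networks)


def risk_score(ctx, ip):
    """Additive risk from request context; weights are assumptions.
    An unknown reputation label is treated like 'suspicious'."""
    score = 0
    if not ctx.known_device:
        score += 2
    score += {"good": 0, "suspicious": 2, "malicious": 5}.get(ctx.ip_reputation, 2)
    if not in_any(ip, INTRANET):
        score += 1
    return score


def evaluate(user, ctx):
    """Return (decision, reason). Hard policy checks run first; the
    remaining requests get allow / mfa / deny from the risk score."""
    ip = ipaddress.ip_address(ctx.source_ip)
    if not UA_RE.match(ctx.user_agent):
        return "deny", "unknown or malformed user agent"
    if in_any(ip, BLOCKED_NETWORKS):
        return "deny", "source network is blocklisted"
    if ctx.country not in ALLOWED_COUNTRIES.get(user.group, set()):
        return "deny", f"country {ctx.country} not permitted for group {user.group}"
    if not user.mfa_enrolled:
        # Enrollment is a high-value step: only permit it from the intranet
        if in_any(ip, INTRANET):
            return "enroll", "MFA enrollment permitted from intranet"
        return "deny", "MFA enrollment only permitted from intranet"
    score = risk_score(ctx, ip)
    if score >= DENY_THRESHOLD:
        return "deny", f"risk score {score}"
    if score >= MFA_THRESHOLD:
        return "mfa", f"risk score {score}"
    return "allow", f"risk score {score}"


if __name__ == "__main__":
    alice = User("alice", "USA", mfa_enrolled=True)
    ua = "Mozilla/5.0 (X11; Linux x86_64)"
    print(evaluate(alice, LoginContext("10.1.2.3", "US", ua, True, "good")))
    print(evaluate(alice, LoginContext("203.0.113.5", "US", ua, False, "good")))
    print(evaluate(alice, LoginContext("203.0.113.5", "BR", ua, True, "good")))
```

The ordering matters: the cheap, deterministic denials (user agent, blocklist, country) run before any factor is evaluated, so a sprayed or stuffed password never reaches the point of being checked for those requests, and the risk score only decides between a frictionless login and a second-factor prompt for requests that passed the hard checks.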
You can even use Adaptive MFA to go passwordless! Factor sequencing allows you to set any combination of strong authentication factors. For example, you could use Okta Verify as the primary factor that enables users to log in with a single tap on their smartphone. If Adaptive MFA detects high risk at the time of the login request, it can then prompt the user to submit a second factor, such as a hardware token or biometric identifier.
Configuring Adaptive MFA in this way helps with mitigating identity attacks and makes it much harder for hackers to gain access simply by guessing passwords. But just as important, it also provides users with a frictionless authentication experience that gives them easy access to the data they need.
Interested in these options? Contact us for help on implementing the right strategy for your organization to protect your users against identity attacks. You can also learn more about Adaptive MFA by downloading our Multi-factor Authentication Deployment Guide.