Can’t We Just Get Rid of Passwords Now?
Shape Security and F5 Labs recently published the 2021 Credential Stuffing Report, which is the product of a multi-year collaborative research project that evolved from Shape’s original Credential Spill Report. This year’s report covers the lifecycle of credential theft in detail, from the original theft of usernames and passwords, through their sale and distribution among cybercriminals, to their eventual use for fraud. The report also makes it clear that credential stuffing remains an enormous problem that demands the attention and investment of the security community. This is not a problem that is going to go away or solve itself.
At the root of these problems are the systems that authenticate users with passwords. Passwords are inconvenient and create numerous security vulnerabilities, so why can’t we just replace them?
The short answer is: there’s not a better method—yet. Companies are beholden to their users, and while most users claim to value security over convenience, their actions speak otherwise. For example, even when users’ accounts are taken over, fewer than one out of ten will adopt multi-factor authentication (MFA) because of the associated complexity and friction.1
All authentication is a balance of usability, security, and deployability. To replace passwords, a new solution must equal passwords on all three fronts and exceed them on at least one. Trading off one set of advantages for another will not be enough to incentivize both organizations and users to switch.2
A Better MFA
A hypothetical solution to our maximization problem is invisible multi-factor authentication (iMFA). Unlike the MFA solutions of today, which typically rely on a password combined with an SMS or one-time-password via email or a physical token, iMFA would rely on factors that are invisible to the user. Specifically, iMFA would collect and process the maximum number of effort-free signals. Let’s break that down:
- Maximum number. Web authentication is converging on a non-binary authentication model where all available information is considered for each transaction on a best-effort basis. All of the context of a user’s interaction with a website can be used to grant the best visibility into a user’s risk profile.
- Effort-free signal collection and processing. Security should be provided on the backend, so it doesn’t impede customers. By providing security without customer impact, companies can mitigate threats at minimal cost without introducing friction and upsetting users. For example, most email providers have settled for approaches that classify mail based on known patterns of attacker behavior. These defenses are not free or easy to implement, with large web operators often devoting significant resources towards keeping pace with abuse as it evolves. Yet, this cost is typically far less than any approach requiring users to change behavior.3
iMFA could be implemented with a combination of tools like WebAuthn and behavioral signals.4 The credential storage and user verification can be securely provided by WebAuthn, and the continuous authorization can be augmented with behavioral signals. The traditional MFA factors—“something you know,” “have,” and “are”—come from WebAuthn. And the newest factor, “something you do,” comes from behavioral signals, including new types of biometrics. Further, generating this variety of signals requires just a single gesture from the user, which is far less effort than entering a password. By combining these methods, and constantly recomputing trust through machine learning, we can achieve the rare simultaneous outcome of increased security with decreased user friction.
An Interim Solution
But iMFA cannot replace passwords overnight. Change-resistant users will need a gradual transition. Websites will still have to incorporate a solution like WebAuthn into their authentication protocols. Without pressing urgency from a specific security threat, many sites will likely take their time adopting this standard. Furthermore, the integration process for a behemoth like Amazon could be extremely complicated, which is likely why there has been initial support from browser companies but not from e-commerce companies or social media sites.
If adoption of a new method will take years, what should businesses do in the meantime? Outlast the attackers by denying them their most precious resource: time. Attackers conducting credential stuffing are usually financially motivated and do not have infinite capital. If an organization can significantly increase the time it takes them to monetize their attacks, most cybercriminals will abandon the pursuit in favor of weaker targets.
Here are two examples in which businesses can introduce more time into specific steps of the credential stuffing kill chain.5
Make Credential Spills More Difficult to Decode
It might seem obvious, but every company needs to upgrade their password security methods. If passwords are being hashed with MD5, organizations need to upgrade to something more secure like bcrypt. This would ensure that when an attacker manages to breach their database, it will take a reasonable amount of time for attackers to crack the compromised credentials before they can even launch an attack.
Force Attackers to Develop Unique Attacks for Each Target
Suppose a sophisticated attacker has gotten their hands on 100,000 decrypted credentials that they are fairly confident no one else has access to, at least for the moment. The attacker knows that 100,000 fresh credentials should lead to, on average, around 1,000 account takeovers on a large website. Now, for such a sophisticated attacker, taking over 1,000 retail accounts might not be worth the several weeks of time it would take to develop, test, launch, and monetize the attack. However, it would be worth their time to attack multiple targets simultaneously, breaking into tens of thousands of accounts at once. The key would be to find companies that could be attacked using the same software—in other words, targets with similar infrastructure.
As a result, this attacker targets not just one company, but several simultaneously—in this case, a retailer, bank, social media company, and ride-hailing mobile app. They have developed an attack that targets the Android version of mobile apps that have been built on the same framework. Their attack is very sophisticated, not reusing any resource more than twice, evading any rate-limiting measure the targeted company has implemented. Yet, while the attacker was too sophisticated to reuse something like an IP address when attacking a single target, they didn’t think they would be caught recycling resources across different targets.
We know this is how attackers think because this exact situation occurred in 2018 to four of Shape’s customers. Because they all operated on a shared defense platform, an attack on one of them was, in effect, an attack on all of them. Because the attacker recycled resources and behavioral patterns across all four companies within a very short time period, Shape was able to very quickly gather enough data to identify the attack. Thus, bundling the attacks actually worked to the attacker’s disadvantage, but only because intelligence was shared across different targets.
It is impossible to detect 100 percent of attacks instantaneously 100 percent of the time. What is possible is to make attacks so costly that attackers give up quickly or don’t even try again. Cybercrime is a business—attacks are organized based on a predictable rate of return. If there is one thing that holds true across the worlds of cybercriminals and businesspeople, it is that time is money.