Intelligent CISO Issue 32 | Page 30

Editor's question
VENU VISSAMSETTY, VICE PRESIDENT SECURITY RESEARCH AT ATTIVO NETWORKS
Passwordless authentication is an authentication mechanism where users can authenticate without typing in passwords, 2FA or one-time passcodes. Passwordless authentication is common in newer versions of smartphones that support Touch ID and Face ID and allows login without typing passwords.

Eliminating passwords minimises the risk of breaches and lowers the cost of ownership. It reduces the burden of managing password policies, password expiration, password resets, etc. Due to complex password policies, people tend to reuse passwords across different accounts.
Passwordless authentication helps organisations defend against:
1. Brute force attacks – Attackers try many different passwords against an account to gain access.
2. Credential stuffing attacks – A type of attack where compromised credentials are replayed, using automation, to gain unauthorised access.
3. Password spray attacks – An attack that attempts to log in to a large number of accounts with a few commonly used passwords.
4. Spear phishing attacks – Email spoofing attacks where users are convinced to hand over their login credentials.
Passwordless authentication works well for end-user authentication. Most of the vulnerabilities associated with passwords disappear because there are no credentials to steal or crack, which improves overall cybersecurity.
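To make the difference between the first and third attack types above concrete from a defender's side, here is an added Python example (not from the column or its author) that sorts failed-login records by pattern; the log format, source addresses and thresholds are constructed assumptions.

```python
"""Added example (not from the column): separate brute force from password
spray in authentication failures.  Log format, addresses and thresholds
are constructed assumptions, not anything the page describes."""
from collections import defaultdict

# Constructed sample log, one event per line: "<timestamp> <user> <source_ip> <result>"
SAMPLE_LOG = "\n".join(
    [f"2020-11-01T08:00:{i:02d} alice 10.0.0.5 FAIL" for i in range(8)]   # one account hammered
    + [f"2020-11-01T08:01:{i:02d} {u} 10.0.0.9 FAIL"
       for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])]  # one try per account
    + ["2020-11-01T08:02:00 bob 10.0.0.20 FAIL",                           # ordinary typo, then success
       "2020-11-01T08:02:05 bob 10.0.0.20 SUCCESS"]
)

def parse_log(text):
    """Parse lines into (timestamp, user, source, result) tuples; skip malformed ones."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            events.append(tuple(parts))
    return events

def classify_sources(events, spray_min_accounts=5, spray_max_per_account=2,
                     brute_min_attempts=6):
    """Map each source IP to 'password_spray' or 'brute_force'; quiet sources are omitted.

    Spray: many distinct accounts, each failing only a few times (a few common
    passwords tried across many users).  Brute force: a single account failing
    many times (many passwords tried against one user).
    """
    fails = defaultdict(lambda: defaultdict(int))   # source -> user -> failed attempts
    for _, user, src, result in events:
        if result == "FAIL":
            fails[src][user] += 1
    verdicts = {}
    for src, per_user in fails.items():
        peak = max(per_user.values())
        if len(per_user) >= spray_min_accounts and peak <= spray_max_per_account:
            verdicts[src] = "password_spray"
        elif peak >= brute_min_attempts:
            verdicts[src] = "brute_force"
    return verdicts

if __name__ == "__main__":
    for src, label in sorted(classify_sources(parse_log(SAMPLE_LOG)).items()):
        print(f"{src}: {label}")
```

The thresholds are deliberately simple; in production they would be tuned per environment and windowed by time so that a slow spray is not missed.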
Organisations also deploy a large number of non-human accounts known as service accounts. Windows systems use managed service accounts to deploy services; cloud providers need service accounts to run workloads, grant service accounts permissions to access cloud resources, etc.
An attacker who gains access to these service accounts will have full access to every resource the service account can reach. Organisations should complement passwordless authentication by deploying a central secret vault store and rotating secrets for service accounts. Rotating secrets for service accounts minimises risk and improves organisational security.
While passwordless authentication and central vaults significantly reduce the risk, organisations should be on the constant lookout for ransomware and other forms of attack that propagate inside the network after stealing a user identity. Attackers, once they have a foothold on the endpoint, quickly map and enumerate the environment, locating mapped network shares, domain controllers, access to cloud infrastructure, etc.
Attackers can compromise service accounts, perform exploitation to gain remote access and deploy ransomware across the network. Impersonating service accounts using a Kerberos Silver Ticket attack is one of the popular techniques attackers use.
Similarly, the recent CVE-2020-1472 ZeroLogon vulnerability allows attackers unauthenticated access to domain controllers. A pair of zero-day vulnerabilities in Google Chrome (CVE-2020-15999) and Microsoft Windows (CVE-2020-17087) are being chained together and exploited to gain administrator access to a system. Organisations investing in passwordless authentication should continue to focus on detecting and minimising damage from attackers targeting post-authentication exploitation. Nevertheless, despite these attacks, passwordless authentication is a good beginning to eliminate and reduce the attack surface and improve cybersecurity.