SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
The old ways aren’t working – Let’s rethink our cybersecurity
Mon, 12th Sep 2022

Our current methods of authentication are no longer fit for today’s digital landscape. Multiple reports suggest that phishing attacks are on the rise in Australia, with over 80% of organisations reporting at least one successful attempt over the past 12 months – or in other terms, one attack every eight minutes.

The Australian Signals Directorate and the Department of Home Affairs have a wealth of information on attacks and how to mitigate risk – but the fact remains that as organisations continue to evolve their digital footprint, more and more paths open up for bad actors.

It is imperative for organisations to question their security systems and evaluate whether they are truly as airtight as they seem. In many cases, it may also be time to rethink legacy authentication methods such as passwords, one-time passwords (OTPs) and SMS codes.

The vulnerabilities of passwords, OTPs and SMS codes

Experts have long warned about the fallibility of knowledge-based authentication such as passwords, OTPs and SMS codes. For example, former Microsoft chairman Bill Gates predicted the demise of passwords as early as 2004, saying they cannot “meet the challenge” of keeping critical information secure.

At the core, knowledge-based credentials such as OTPs are human-readable and can be pried out of consumers’ hands by enterprising hackers. As we have seen with SMS OTPs, attackers can use SIM swapping techniques to have the code sent to their own phones instead of to the intended recipient. Today’s increasingly saturated digital landscape has also provided a rich environment for criminals to launch their attacks – over 80% of Australians shopped online in 2021, with that figure expected to double over the next five years.

Even good cyber hygiene will not suffice as cyber threats continue to evolve. The average user has almost 200 pairs of usernames and passwords, making it nearly impossible to remember and keep track. As a result, 53% tend to reuse the same password for multiple accounts or reuse passwords with minor variations. These poor hygiene habits make them vulnerable to account takeovers, with one leaked password putting all other accounts at risk.

While consumers absolutely need to exercise greater caution online, the ultimate responsibility rests with the online service providers, who must ensure their cybersecurity systems are robust and fit to protect their users. Thankfully, there are standards already available to help reduce organisations’ reliance on passwords.

Possession-based, not knowledge-based, authentication should be the path forward

Instead of relying on knowledge-based “secrets” that can be easily stolen or otherwise hacked, the industry should move towards possession-based authentication techniques that are not susceptible to remote attacks. These techniques leverage devices that consumers have at their fingertips throughout the day, such as their smartphone’s biometrics or a security key they touch. While this only requires a single gesture by the user, behind the scenes an advanced cryptographic authentication dialogue takes place between a “private key” stored securely on the user’s device and its “public key” counterpart on the service provider’s server. By relying on advanced cryptographic algorithms instead of human recollection, the authentication process becomes far more secure.
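To make that private-key/public-key dialogue concrete, here is a simplified challenge-response login in Go, written for this article rather than taken from any vendor or standard it mentions (it models the idea, not the FIDO2/WebAuthn wire format). The device signs a fresh server challenge bound to the origin it is actually talking to; the server holds only the public key, so there is no secret to phish, and a signature produced for a look-alike site does not verify on the real one. Origin names are constructed placeholders.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// Credential is all the service provider keeps after registration: the public
// key and the origin (web site) it was registered for. No secret is stored.
type Credential struct {
	PublicKey ed25519.PublicKey
	Origin    string
}

// Authenticator models the user's device. The private key never leaves it.
type Authenticator struct{ priv ed25519.PrivateKey }

// Register creates a key pair on the device and hands only the public half to the server.
func Register(origin string) (*Authenticator, Credential, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, Credential{}, err
	}
	return &Authenticator{priv: priv}, Credential{PublicKey: pub, Origin: origin}, nil
}

// NewChallenge is the server's fresh random nonce for one login attempt,
// so a captured response cannot be replayed later.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// signedData binds the challenge to the origin the device is actually talking to
// (assumed encoding: origin, a NUL separator, then the raw challenge bytes).
func signedData(challenge []byte, origin string) []byte {
	return append([]byte(origin+"\x00"), challenge...)
}

// Respond is the user's single gesture: the device signs the challenge for the
// origin it sees, without ever revealing the private key.
func (a *Authenticator) Respond(challenge []byte, seenOrigin string) []byte {
	return ed25519.Sign(a.priv, signedData(challenge, seenOrigin))
}

// Verify checks the response against the stored public key and registered origin.
func Verify(c Credential, challenge, sig []byte) bool {
	return ed25519.Verify(c.PublicKey, signedData(challenge, c.Origin), sig)
}
```

A genuine login verifies; a response relayed from a different origin, or an old response replayed against a new challenge, does not.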

The chances are that most of us have already used possession-based authentication in our daily lives, for example by using our face or fingerprint to unlock a smartphone and to access apps and websites. If you own a Windows device, you have likely used your fingerprint or face to log in via Windows Hello.

More recently, Microsoft, Google, and Apple have announced plans to support a common passwordless sign-in standard, which would enable consumers to log into their accounts across devices and platforms without requiring passwords. This commitment by the industry’s biggest tech players signalled a massive step towards eliminating the world’s reliance on passwords.

The passwordless future is already here – we just need to get on board

The shift away from legacy authentication methods will not be easy. Old habits will need to be unlearned, and new ones formed. Nonetheless, it is clear that our current ways of authentication are outdated, and a significant overhaul is urgently needed.

The passwordless future is closer than ever – possession-based authentication is available in billions of devices and every leading web browser and operating system. Fortunately, most businesses are getting on board. Gartner predicts that 60% of large global enterprises and 90% of midsize firms will implement passwordless methods in the next few years. With the growing threats of cyberattacks across Australia and the world, it is high time to move toward a stronger, more convenient and passwordless reality.