Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Passkey Security. Show all posts

Why Passkeys Are the Future of Digital Authentication

 

Passwords have been a fundamental aspect of digital security for years, but they come with significant drawbacks. They are not only a hassle to remember but also vulnerable to various hacking techniques. Passkeys have emerged as a robust alternative, offering a more secure and user-friendly approach to account authentication. This new method utilizes your device, such as a smartphone or laptop, as an authenticator, employing either a PIN or biometric verification like fingerprint or facial recognition. 

The primary advantage of passkeys is that they eliminate the need for passwords entirely. This reduces the risk of phishing attacks, as there is no password for hackers to steal or guess. Additionally, passkeys are tied to the user’s device, making unauthorized access much more difficult. Without passwords to remember, users can enjoy a more streamlined and secure login experience. Major tech companies are already supporting the adoption of passkeys. For instance, setting up passkeys on a Google account involves visiting the Google Passkeys page and configuring the passkey with your device. Microsoft accounts can similarly be secured with Windows Hello or a PIN. Apple integrates passkeys with iCloud Keychain, making it easy for users to transition. These companies are not alone. Other platforms like Amazon, Adobe, Discord, eBay, GitHub, LinkedIn, Shopify, and WhatsApp have also embraced passkeys. 

This widespread support highlights the growing recognition of passkeys as the future of digital security. One concern with passkeys is the potential for losing access if the device is lost. Fortunately, most major tech companies allow passkeys to be synced across devices or securely stored in the cloud with end-to-end encryption. This means that users can restore their passkeys on a new device if their original one is lost. 

However, if a hardware security key is lost and not backed up, access to accounts could be permanently lost. Despite these concerns, device-based authentication is inherently secure. Modern devices are equipped with advanced security measures that make unauthorized access extremely difficult. Even if a device is stolen, the thief would need to bypass biometric or PIN verification to access sensitive information. Passkeys are stored in a Trusted Platform Module (TPM), ensuring that they are securely protected. In summary, passkeys represent a significant advancement in digital security. 

They offer a more secure, user-friendly alternative to traditional passwords, addressing many of the vulnerabilities associated with password-based authentication. As more services and devices adopt this technology, passkeys are poised to become the standard for secure online access. This shift not only enhances security but also simplifies the user experience, making it easier for individuals to protect their digital identities.

WhatsApp Announces Passkey Support for its Users


The modern digital landscape is witnessing an upsurge in cybercrime activities, and users can no longer rely on strong passwords to protect themselves. 

Thankfully, even on the best low-cost Android phones, biometric authentication is becoming mainstream and easily accessible. This has led to the adoption of passkeys for user authentication by a number of well-known social networking platforms and password manager apps. WhatsApp is the newest application to offer passkey support for all of its users after a month of beta testing. 

Passkeys replace conventional passwords with a unique cryptographic key pair, such that only the users can log in. Only after a successful biometric authentication, the key is made accessible to the respective users, negating the requirement for two-factor authentication techniques like OTP distribution through SMS and email. Passkeys shield users from the risks associated with password reuse and phishing attacks. Google disclosed the new technology supports more rapid user authentication after revealing support for passkey storage in its password manager.  

WhatsApp’s effort in adopting passkey technology came to light in early August. Also, beta testing on the same commenced in late September. 

Now, around a month later, WhatsApp announced support for passkeys was coming in the stable channel on X (formerly Twitter). The feature makes the login process significantly more secure by taking the place of the one-time password (OTP) sent via SMS. The app enables users to authenticate themselves using screen lock options, including their on-device fingerprint, face unlock, PIN, or swipe pattern. In the meantime, Google Password Manager automatically stores the cryptographic key. 

The login system, with no password requirement, turns out to be quite time-efficient for users when they are setting up WhatsApp on a new phone. Commendable enough, WhatsApp is also explaining to online users how passkeys work, in order to secure their accounts.  

Moreover, it is important for users to see the difference between passkeys for logging into WhatsApp and in-app features like WhatsApp chat lock, which still requires biometric authentication. Importantly, passkeys and passwords for traditional user authentication will both be available on WhatsApp.

However, WhatsApp has not yet clarified whether the feature will be made immediately accessible everywhere. Nonetheless, Passkey support, like every other major WhatsApp feature, is anticipated to be implemented gradually in the stable channel. But it is still great to see WhatsApp reiterate its dedication to user security and privacy with features like this.  

Overcoming the Escalating Challenge Posed by Session Hijacking

 

Businesses are increasingly adopting security measures, from passkeys to multifactor authentication (MFA), to safeguard sensitive information and bolster their cybersecurity. However, it's crucial for security teams to acknowledge that these measures may not provide comprehensive protection for user data.

As enterprises implement new defenses to secure their networks, cybercriminals are simultaneously evolving their tactics to bypass these barriers. They are employing techniques like session hijacking and account takeover to circumvent passkeys and MFA, gaining unauthorized access to corporate systems. This is exacerbated by the fact that these tactics are largely facilitated by malware, which poses a significant challenge to security efforts.

Malware operates swiftly and discreetly, pilfering substantial amounts of accurate authentication data, including personally identifiable information (PII) such as login credentials, financial details, and authentication cookies. Some malware is even beginning to target local key vaults, like those managed by password managers, many of which have implemented passkey solutions. Last year, there were over 4 billion attempted malware attacks, making it the preferred method for cyberattacks. Moreover, SpyCloud's "2023 Annual Identity Exposure Report" revealed that more than 22 million unique devices fell victim to malware, with the stolen data finding its way to criminal networks for use in various attacks.

While malware-exfiltrated data, encompassing business application logins and cookies for crucial systems, is becoming increasingly valuable to criminals, security teams lack the necessary visibility to effectively counter these exposures. Those who comprehend how malware operates and how cybercriminals employ stolen data are better equipped to confront this threat.

Session hijacking commences when infostealer malware, often distributed through phishing emails or malicious websites, exfiltrates device and identity data. When a user logs into a site or application, a temporary authentication token (cookie) is stored in the browser. 

Criminals can import this along with additional details to replicate the user's device and location, gaining access to an authenticated session. This technique is highly effective, even against robust authentication methods, allowing criminals to bypass authentication entirely. This grants them undetected access to sensitive information, enabling further data theft or privilege escalation for targeted attacks like ransomware.

Criminals recognize the potential of session hijacking and have developed tools like EvilProxy and Emotet to target authentication cookies. In the face of a threat that undermines key defenses, corporations must consider innovative approaches to combat cybercrime.

Overcoming the challenge of session hijacking is formidable but not insurmountable. The primary hurdle in defending against infostealer malware-fueled attacks is the malware's ability to avoid detection. 

Newer forms of malware can swiftly siphon data and self-erase, making it challenging for security teams to even detect an attack. Furthermore, infostealer malware can infect personal and contractor devices beyond the usual scope of the security team's oversight, making it exceedingly difficult to identify all instances of exposure.

Fortunately, both of these concerns can be addressed through heightened threat awareness and visibility. Organizations must educate users on infostealers, how to avoid inadvertently downloading them onto devices accessing the corporate network or critical applications, and how to routinely clear cookies from their browsers.

In cases where malware manages to slip through defenses, understanding precisely what information was stolen is crucial. This allows teams to identify compromised user credentials and authentication cookies that require remediation. Simply wiping the infected device is insufficient, as stolen data can be exploited long after the initial infection is resolved. Organizations must pinpoint compromised data and take proactive steps, such as session invalidation and password resets, to sever potential entry points.

Ultimately, a comprehensive malware remediation process hinges on knowing what data was siphoned by infostealer malware. IT teams should prioritize solutions that offer enhanced visibility to address security gaps caused by malware. Armed with this knowledge, teams can take measures to safeguard all exposed assets, including authentication data, preserving the company's reputation and financial well-being.