
Passkeys Aren't Foolproof: New Study Reveals Vulnerabilities in Popular Authentication Method


Despite their growing popularity, passkeys are not as secure as many believe. According to Joe Stewart, principal security researcher at eSentire's Threat Response Unit (TRU), many online accounts using passkeys can still fall victim to adversary-in-the-middle (AitM) attacks. This issue stems not from the passkeys themselves but from their implementation and the need for account recovery options. Passkeys, a password-less authentication method, aim to provide secure access to online accounts like banking, e-commerce, and social media. 

However, an eSentire study found that poor implementation of passkeys, such as less secure backup authentication methods, allows AitM attacks to bypass this security. In these attacks, the adversary modifies the login prompts shown to users, controlling the authentication flow by altering the HTML, CSS, images, or JavaScript on the login page. 

This manipulation can make the passkey option disappear, tricking users into using less secure backup methods like passwords. Stewart's research demonstrated how open-source AitM software, like Evilginx, can deceive users of services like GitHub, Microsoft, and Google. By slightly modifying scripts (phishlets) that capture authentication tokens and session cookies from real login pages, attackers can make users believe they are on the genuine site. 

The attacker then captures the user's credentials and authentication tokens, allowing them to maintain access to the account. The study highlights that most passkey implementations are vulnerable to similar attacks. Backup methods such as passwords, security questions, SMS codes, and email verifications are prone to AitM attacks. Only methods like social trusted contacts recovery, KYC verification, and magic links offer better protection, though they can be cumbersome. 

To enhance security, Stewart recommends registering multiple passkeys, including a FIDO2 hardware key protected by a PIN. As passkey adoption grows, magic links remain a secure backup method for account recovery in case of passkey loss or an AitM attack. While passkeys offer a promising alternative to traditional passwords, their current implementations can leave accounts vulnerable. Users and developers must adopt stronger backup methods and remain vigilant against AitM attacks.
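Because a passkey assertion is bound to the genuine site's origin, an AitM proxy cannot relay it; the attack described above works by pushing the user onto a phishable fallback. The following added example (not code from the eSentire study or from any of the services named) shows a server-side detection for that downgrade: it flags logins where a passkey-enrolled user authenticated with a password, SMS or similar fallback from an IP that has never completed a passkey login for that user. The event format, method names and sample records are constructed assumptions.

```python
"""Detect passkey-downgrade logins in a stream of authentication events.

Assumed event schema (hypothetical, not from the article): each event is a
dict with "user", "method", "ip" and "passkey_enrolled". Method names are
illustrative labels for the fallback methods the article discusses.
"""
from collections import defaultdict

# Fallback methods the article describes as prone to AitM relay. Magic links
# and trusted-contact recovery are deliberately not in this set.
PHISHABLE_METHODS = {"password", "sms_code", "email_code", "security_question"}

# Constructed sample events, in arrival order (not real log data).
SAMPLE_EVENTS = [
    {"user": "alice", "method": "passkey", "ip": "203.0.113.10", "passkey_enrolled": True},
    {"user": "alice", "method": "password", "ip": "198.51.100.7", "passkey_enrolled": True},
    {"user": "alice", "method": "sms_code", "ip": "198.51.100.7", "passkey_enrolled": True},
    {"user": "alice", "method": "password", "ip": "203.0.113.10", "passkey_enrolled": True},
    {"user": "bob", "method": "password", "ip": "203.0.113.20", "passkey_enrolled": False},
    {"user": "carol", "method": "magic_link", "ip": "203.0.113.30", "passkey_enrolled": True},
]


def find_downgrades(events):
    """Return (user, method, ip) tuples for suspicious fallback logins.

    Processes events in order: an IP becomes trusted for a user only after
    that user completes a passkey login from it, so a fallback login from an
    unseen IP by a passkey-enrolled user is reported. Users without a passkey
    and logins via non-phishable recovery methods are ignored.
    """
    trusted_ips = defaultdict(set)
    alerts = []
    for event in events:
        user, method, ip = event["user"], event["method"], event["ip"]
        if method == "passkey":
            trusted_ips[user].add(ip)
            continue
        if not event["passkey_enrolled"] or method not in PHISHABLE_METHODS:
            continue
        if ip not in trusted_ips[user]:
            alerts.append((user, method, ip))
    return alerts


if __name__ == "__main__":
    for alert in find_downgrades(SAMPLE_EVENTS):
        print("passkey downgrade suspected:", alert)
```

In a real deployment the trusted-IP set would be replaced by a device or session identifier, and the alert would feed a step-up check rather than only a log line.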

Avoid Using Your Master Password Across Multiple Accounts, Security Experts Advise


A recent online poll conducted by Security.org indicates that the adoption of password managers in the United States has seen a significant increase.

The survey, which involved 1,051 American adults, revealed that one in three Americans now utilize password managers, a notable rise from one in five in the year 2022.

Users are turning to password managers for a variety of reasons. These include the need to oversee multiple accounts spanning different devices, a desire for the enhanced security that these tools offer, and a wish to alleviate the burden of memorizing complex passwords. 

While the majority of users install this software on their mobile phones, there has been a consistent uptick in the installation of password managers on laptops, desktops, tablets, and other devices.

The report from security experts highlights that this year, a significant three-quarters of subscribers utilize vaults on personal computers, and 71 percent extend their usage across various devices. 

Notably, with remote work and the prevalence of cloud databases in corporate settings, the professional use of password managers continues to rise. This year, the study found that 58 percent of adults utilize these services for employment-related credentials, marking an increase from 50 percent in the previous year.

Google Password Manager and Apple's iCloud Keychain have emerged as the most favored password managers. This popularity is attributed to their built-in functionality, practicality, and cost-free nature. While LastPass enjoyed widespread use two years prior, its popularity took a substantial hit due to data breaches in 2022 and 2023.

Users have clear expectations from password managers. They seek convenience and user-friendliness, as well as additional security features such as biometrics and offline backup. Furthermore, they prefer options that are either free or reasonably priced, and are inclined towards brands they are familiar with and trust. Recommendations from acquaintances and positive online reviews also carry significant weight in influencing their choice.

Although a noteworthy 71% of non-users say they would consider adopting a password manager in the future, a sizeable 29% remain hesitant. Reasons for this reluctance include doubts about the necessity, concerns about potential risks, and perceptions of complexity or high cost, as noted by the experts.

The report underscores that wider public awareness, education, and firsthand experience may persuade more Americans to transition away from memorization and physical note-taking towards the growing community of satisfied users who are better safeguarding and organizing their online credentials.

While the survey shows an overall increase in the adoption of password managers compared to the previous year, it also brings to light a concerning trend. A notable 28% of users admit to using their master password for other accounts, which represents a rise from 19% in 2021 and 25% in 2022. 

Security.org experts caution that this practice poses a particularly high risk, as hackers who gain access to a reused password from a third-party breach could potentially compromise all of a subscriber's logins within their password manager.

The report emphasizes the importance of crafting master passwords that are long (to resist cracking), memorable to the user (but not easily guessable by attackers), and, most importantly, unique. The survey also reveals that 10% of respondents have used or are currently using security keys and passkeys to fortify their accounts.

However, despite these advancements, six out of ten Americans continue to rely on insecure methods such as memorization, written notes, browser storage, and unencrypted files to manage their credentials.