November 2020

Trade-offs behind corporate account security

Artem Torubarov
Cores product lead
Keeping company information private is essential, but it is not easy to achieve. Security breach statistics grow every year, and in 2020, with everybody moving their business online, the numbers are alarming.
A couple of numbers from 2020:
  • the share of organizations hit by at least one successful cyberattack rose from 78% to 80.7% (according to CyberEdge);
  • 86% of affected organizations saw phishing attacks, 26% were impersonated and 19% had malware (according to the UK digital department);
  • over 67% of breaches were caused by credential theft, social attacks (i.e., phishing and business email compromise), and errors (according to Verizon).
This article is about Identity and Access Management (IAM), the first line of defense against attackers. You will learn about existing approaches to account security, with their strengths and weaknesses against known attacks. This knowledge will help you pick the right combination of authentication factors for employee accounts in your company. Most importantly, you will understand the underlying trade-offs between security, usability, and price.

Passwords

Passwords are the most basic authentication method. They are also the most accessible one: many software products provide password login out of the box, and no additional software or hardware is required. The essence of passwords is this:
"The user sets a password for the system. The system stores it along with the user ID in a database. Then anyone who presents an ID and password matching the database is identified by the system as that user."
This highlights 3 major problems with passwords:
Problem 1: Having a database with passwords gives an opportunity for attacks on it.
A successful attack on the password store will expose all corporate accounts. Of course, modern solutions do not store passwords as plain text. Instead, passwords are salted and hashed, which slows cracking down but does not make it impossible: an attacker who steals the database can still try the most popular passwords against every hash offline, and a weak password falls quickly no matter how it was hashed. To stay secure, such a solution has to be kept up to date, monitored, and free of bugs and vulnerabilities. None of this is easy, and all of it brings hidden costs to your business.
Data breaches exposed 27 billion records in the first half of 2020 alone. These records contain emails, phone numbers, and passwords. You can check whether your account was leaked.
Problem 2: It is up to users to create reliable passwords, remember them and keep them secret.
Users are afraid of losing passwords and prefer to store them somewhere: on sticky notes, in notepads, in emails or WhatsApp messages sent to themselves, or in some public cloud service. Each of these places adds an opportunity for attack, and you cannot rely on the security of those systems.
Most systems allow configuring password policies that force users to create strong passwords, change them every month, and lock the account after N failed login attempts. A strong password reduces the risk of brute-force attacks, and a monthly change invalidates a leaked credential, but only after the change and only until the next leak. This small improvement in security brings hidden costs to your business.
Nothing describes it better than a picture:
Strong password policies lead to high volumes of IT support tickets (up to 50% of all tickets). Employees with locked accounts cannot work until their ticket is resolved. On the other hand, using a memorable 'qwerty123' as a password makes you vulnerable to brute-force attacks.
Brute-force attacks
A brute-force attack is an automated process of guessing the target password, in practice by iterating through a list of the most popular passwords (a dictionary attack) rather than every possible combination. It is one of the simplest and most popular attacks: 80% of hacking breaches involve brute force or stolen credentials. Login attempt limits, CAPTCHAs, and a strong password policy are very effective against online guessing, even though they also make employees' lives harder; against offline guessing of a stolen hash database, only the strength of the password and of the hashing scheme matters.
Another variation of brute-force attack is credential stuffing. The difference is that it uses username and password pairs compromised in earlier data breaches of other services. In other words, it is a bad idea to use the same password for Facebook and work accounts. A monthly password change reduces the risk of such attacks, but it is still hard to control that users are not reusing the same password across accounts.
Problem 3: Knowing the password is enough to gain access.
Imagine that someone has stolen your passport. This person won't be able to use it unless he or she looks exactly like you. That is not true for passwords. Stealing a password is enough for a criminal to act fully on your behalf, and the system cannot tell the difference. That is why the biggest attack vector is aimed at users and their passwords: phishing.
Phishing attacks
Phishing is a kind of social engineering attack aimed directly at users. The goal of phishing is to trick users into making security mistakes or giving away sensitive information.
A couple of examples of phishing:
  • a fake email asking to reset the password via a given link;
  • fake login pages;
  • calls from fake IT support.
There are essentially 2 ways to protect against phishing. The first is education and security training for your employees, which is quite expensive and can never be 100% effective. The second is to stop relying on passwords, or on any other credential based only on something the user knows (knowledge factors), since anything a user knows can be tricked out of them. Later we will look at authentication methods based on other factors: something only the user has (possession factors) and something only the user is (inherent factors).

Password managers

A password manager (PM) is a piece of software that stores all of a user's passwords in one place, protected by a single master password. Besides that, modern PMs generate and rotate passwords, fill them into the browser via extensions, and sync the vault across the user's devices through the cloud. This UX should encourage users to create more complex, unique passwords and not to store them outside the PM. Another positive effect is that a PM should reduce the number of "restore password" tickets in IT support.
And what about drawbacks? The biggest one is that password managers are tied to password authentication, which is vulnerable to a wide range of attacks, including phishing: the browser extension will not auto-fill a password on a lookalike domain, but a user can still copy it out of the vault and paste it in. Besides, a PM only helps users manage passwords; they can still write them on sticky notes or send them to a colleague via email. The last concern is the safety of the PM itself. Reputable PMs encrypt the vault on the client with a key derived from the master password, so a breach of the vendor's cloud yields encrypted vaults whose safety then rests on the strength of each master password and of the vendor's key derivation, while a bug in the client or extension can expose passwords directly. The best PM solutions cost money, and there is no guarantee that they are bug-free.

Recap on passwords

Passwords are cheap, always accessible, and easy to implement, but they are vulnerable to all types of attacks: 81% of hacking-related breaches involve password attacks. Strict policies may partially help against brute force but also bring hidden costs to IT support and pain to employees' daily routine. Password manager software solves employees' struggles but costs money and can become an additional target for attackers. Finally, it is really hard to defend passwords against phishing.
The next section covers two-factor authentication methods, which add a second layer of security on top of passwords.

Two-Factor authentication

We have already mentioned authentication factors when discussing passwords and phishing. Passwords are a knowledge factor, something that only the user knows. Relying on a single knowledge factor alone makes your system vulnerable to a wide range of threats. That is where two-factor authentication (2FA) comes in.
A familiar example of 2FA is a cash withdrawal from an ATM: it requires knowledge of a PIN and possession of a bank card. This section covers possession factors that, combined with passwords, dominate today's 2FA market. Possession factors come in two big groups of solutions: hardware-based and software-based.

Hardware-based solutions

Hardware 2FA can be pictured as a USB stick containing the user's secret key, with no direct access to that key. Users plug the stick in only to authenticate; they cannot read or copy anything from it. This type of solution uses public-key cryptography: the key pair is generated on the device, only the public key is ever given to the service, and the private key does not leave the stick even during authentication. At login the service sends a random challenge, and the key signs it together with the origin (domain) of the site asking, which the browser supplies. All of the above makes it one of the most secure authentication methods. For example, Yubico, manufacturer of the most popular hardware keys, cites zero account takeovers: after Google rolled out security keys to its employees, it reported no successful phishing of their work accounts. The explanation is simple. Guessing a private key of this size would take an astronomical amount of time, so brute-force attacks stand no chance. Users do not know their secret keys and have no access to them, and because the signature is bound to the real site's origin, a fake login page cannot obtain a signature that the real site would accept, so phishing does not work either.
Any drawbacks? Well, yes. The biggest weakness of hardware solutions is the price. The second is the UX: leaving the USB stick at home makes you unable to authenticate at the office or during a whole business trip, so every employee needs a registered backup key. Finally, hardware solutions are not 100% secure. Physical theft is the kryptonite of hardware keys, although most keys require a touch and can be protected by a PIN, and a stolen key can be revoked on the server as soon as the loss is noticed.
Physical theft attacks
The name speaks for itself: a criminal steals your device. Physical attacks are the rarest, since they put the attacker at high risk; it is much more comfortable to attack from 1000 miles away. Physical security such as guards, locks, and surveillance cameras is the best defense against theft. A policy requiring employees to take their devices home every night and keep their desks clean may also help, as does a procedure for revoking a lost device's keys quickly.

Software-based solutions

Software authenticators are a very cheap alternative to the hardware keys described above. It is a mobile or desktop app. During enrollment the app and the server agree on a shared secret (usually by scanning a QR code); from then on the app generates one-time passwords (HOTP, counter-based, or TOTP, time-based, typically a 6-digit code every 30 seconds) that the user enters during login along with the main password. The best part is that after that initial enrollment the authenticator app works offline, since both sides compute the code from the shared secret. Google Authenticator is a free app of this kind, and the algorithms (RFC 4226 and RFC 6238) are open standards with many open-source implementations.
Ok, it provides 2FA and, unlike hardware, it is free, so what's the catch? The thing is that, unlike public-key-based hardware, software authenticators still use passwords. Even though these passwords are one-time, they are still vulnerable to phishing: a fake login page can ask for the code and relay it to the real site within its 30-second validity window. This makes software-based solutions significantly less secure than hardware-based ones. But, according to Google's security research, they still stop 100% of automated bot attacks, including brute force. It is worth noting that, unlike normal passwords, one-time passwords resist replay, a subtype of man-in-the-middle attack, because a captured code expires within seconds and a properly implemented server never accepts the same code twice:
Man-in-the-middle (MITM) attacks
The goal of a MITM attack is to steal personal information such as login credentials. To do so, the criminal sets up a malicious WiFi hotspot and waits for someone to join it, then sniffs all traffic and extracts the victim's passwords, card numbers, and other credentials. A one-time password captured this way is useless once it has expired or been used, though an attacker who relays it immediately still gets in. The best protection against MITM is to avoid untrusted WiFi and to use only HTTPS sites, ideally with HSTS so the browser refuses to fall back to plain HTTP.

SMS and email codes

SMS and email codes are the most recognizable variation of 2FA. Like software authenticators, they are based on one-time passwords, so they share the same list of vulnerabilities. But, while almost the same from a security perspective, SMS or email code authentication is not free, because it requires a dedicated SMS gateway or mail server. The security of email codes is tied to the user's email account, which means hacking the mailbox is enough to gain access to the account; SMS codes have extra weaknesses of their own (SIM swapping and interception in the carrier network), which is why NIST SP 800-63B classifies SMS as a restricted authenticator. However, SMS and email codes have one advantage over other software authenticators: there is no need to install an app to start using them. This makes them suitable for customer identity but less relevant for workforce identity.

Recap on Two-Factor authentication

2FA significantly increases security by neutralizing brute-force attacks and most man-in-the-middle attacks. Software-based solutions are free but not resistant to phishing. SMS or email-based solutions are the same in terms of security, but they cost money; the good part is that users don't need to install an app to receive an SMS or email, so they are more relevant for the customer identity segment. The last popular 2FA option is hardware keys. They offer top-notch security thanks to public-key cryptography, which makes them invulnerable to phishing. The drawback of hardware keys is the high price. Also, introducing 2FA hurts UX: employees will need to bring a mobile phone or a USB stick to be able to log in.

Passwordless

We have learned that passwords are insecure and need to be combined with other authentication factors for a decent level of security. But if they are so vulnerable, would it be better not to use passwords at all? The answer is yes. Hardware keys or one-time passwords, described earlier, can be used alone as passwordless authentication (a one-time password on its own is a single possession factor, though, and should be paired with something else). Let's check what else is on the market.

Magic links

A magic link works exactly like a password reset. Instead of entering a password, users enter their email address or phone number and receive a link via email or SMS. Once the user clicks that link, they are redirected back to the application or system, signed in.
Such a magic flow provides nice UX: users don't need to remember and manage multiple passwords for different accounts, they just need access to their mail or phone. This benefits companies by reducing IT support costs. Since no password storage and management is needed, IT teams are no longer burdened with setting password policies, detecting leaks, or resetting forgotten passwords. The absence of passwords makes this method immune to brute-force attacks, which gives it better security than passwords.
But magic links have drawbacks. Having the link is enough for a criminal to gain access to the system, so every link must be random, short-lived and single-use, and only a hash of it should be stored on the server; even then, the whole system remains vulnerable to man-in-the-middle and phishing attacks. The other consideration is that magic link security is tied to the user's email account: a successful attack on the mail server will expose all other organization accounts. That's why it is a good idea to combine multiple authentication factors, for example one-time passwords along with magic links.

Biometrics

Biometrics represent a new kind of authentication factor, the inherent factor: something that only the user is. Fingerprint scanners and facial recognition are common examples of biometric authentication, and both are widely supported in modern smartphones and laptops.
Biometrics are unique, cannot be forgotten, and can't easily be shared. It is the most natural and easiest way to authenticate a user. When the match is done locally on the device and nothing biometric is sent over the network, biometric authentication is resistant to brute-force, phishing, and MITM attacks.
But there is one big NO about biometrics: they cannot be changed. Once criminals get a copy of your fingerprint, you won't be able to use it again for the rest of your life. And obtaining one is much easier than you may think. In 2015 the fingerprints of 5.6M US federal employees were stolen by hackers in the OPM breach. But a data breach is not the only way to steal biometric data; fingerprints have also been reconstructed from high-resolution photos of a person's hand.
So it is a bad idea to rely on biometrics as a single authentication factor. But they start to shine in combination with other factors. The seamless UX of a fingerprint combined with breach-resistant hardware keys or one-time passwords provides a high level of security. WebAuthn is another good combination using biometric factors.

WebAuthn

WebAuthn (short for Web Authentication API) is a specification written by the W3C and the FIDO Alliance. The idea behind it is to let websites use connected devices (hardware keys) or the underlying system's security (e.g., TouchID, FaceID) for authentication through a standard browser API. The best part is that WebAuthn is based on public-key cryptography, meaning that nobody, including the browser, has access to the user's private keys.
Simply put, WebAuthn enables users to authenticate on websites using TouchID, FaceID or any connected device implementing the FIDO2 standard.
Here is an example of how it works on a laptop or smartphone equipped with TouchID:
1. To use WebAuthn, users first need to register their device. Commonly this is bootstrapped from an existing session or an email link: the user opens the link in the browser, and the browser prompts them to activate TouchID. The device then creates a key pair, keeps the private key and sends only the public key to the website. Repeating this step lets users associate multiple devices with a single account.
2. Once registered, users can use TouchID to log in. If a user is not authenticated on the website, the browser prompts them to activate TouchID right in the page; the device then signs a random challenge from the site, together with the site's origin, using the private key. In the case of WebAuthn, biometrics are never sent to the website. Instead, biometrics are used internally by the device (laptop or smartphone) to unlock the private key, which in turn is used for authentication.
Now that we understand what WebAuthn is and how it works, let's discuss its benefits and drawbacks. First of all, equipped with biometrics, it provides the best UX of all existing authentication methods. Using TouchID saves a lot of time for employees and IT support. Secondly, using public-key cryptography puts it on the highest level of security: the signature is bound to the real site's origin, so phishing, credential stuffing and password database leaks are off the table, and what remains is physical theft of the device, which biometrics make harder to exploit.
So WebAuthn is the most user-friendly and fairly secure authentication method. But there is no silver bullet. One drawback is the price. To implement WebAuthn in your organization you either equip employees with expensive laptops and smartphones supporting biometrics or hand out connected FIDO2 devices (e.g., YubiKeys). The second problem is the security of the device registration process. If it is done via an email link, then WebAuthn security is tied to the user's email: cracking a user's mailbox is enough to register an attacker's device and gain access to the whole system.
The last problem is that WebAuthn is a fairly new standard, so at the time of writing (late 2020) it is not fully supported by all browsers.

Cores

Cores is our vision of corporate account security. It is a passwordless login solution based on public-key cryptography and biometrics, similar to WebAuthn. The idea of Cores is to turn any smartphone equipped with a camera into a secure wallet for employee accounts by installing an app. The app is used for authentication: instead of typing in credentials and codes, employees unlock the mobile wallet via biometrics or a PIN and scan a QR code shown in the browser.
Here is an example of how it works in real life:
1. As always, the first step is registration. After installing the app on their smartphones, employees receive corporate credentials on it by scanning a unique one-time QR code. Such a QR code can be sent to the employee's work email or printed on paper; for better security, it can be handed over in person at the security officer's office. When the smartphone scans the QR code, it creates a key pair and sends the public key to the server. This public key is associated with the employee's account, and the private key is stored securely in the mobile app and used for authentication.
2. Once registered, users authenticate on corporate websites and in apps by scanning a QR code with their smartphone. Authentication is based on public-key cryptography, which means that private keys never leave the phone. The best part is that the smartphone sends nothing to the browser, not even non-private data. After scanning the QR code, the smartphone establishes a direct connection with the authentication server and answers the challenge carried in the QR code. This keeps the credential out of the browser's reach, which reduces the risks associated with browser vulnerabilities and malicious JavaScript (a compromised browser can still misuse the session after login, as with any method).
Now let's go through the threat list. Like WebAuthn, Cores is based on public-key cryptography, which makes it immune to brute force, credential leaks and phishing, leaving physical theft of the phone, provided the server binds each challenge to the browser session that displayed the QR code and rejects a challenge once it has been used. But today smartphones contain a lot of private information and are used for payments, so people keep them close and quickly notice a loss. The registration process is not tied to email, so you can trade usability against security risk as you see fit. The main difference from WebAuthn is that Cores has low requirements on devices and can also be used to authenticate in mobile and desktop apps. Employees just need a simple iOS or Android device with a camera, and they can authenticate in any app or browser on any device, including PC, laptop, and mobile.
But what about drawbacks? Cores sacrifices UX for compatibility. Employees can log in everywhere with their old smartphones, but they need to unlock the phone, open the app and scan a QR code with the camera instead of simply putting a finger on the laptop's scanner.

Final thoughts

According to the latest CyberEdge security report, 80.7% of organizations were compromised by at least one successful attack in 2020. So it is time to review your corporate account security. It is extremely dangerous to rely on passwords alone.
If you are low on budget, I strongly advise adding software-based two-factor authentication.
There are completely free solutions such as Google Authenticator and the many open-source TOTP apps. They significantly reduce overall risk by stopping brute-force and credential-stuffing attacks. However, they will not protect from phishing, the most common attack, so it is also recommended to train employees on how to counter phishing and to set up strict spam filters on your mail servers.
The best level of security is provided by public-key-based solutions.
Public-key cryptography is invulnerable to most existing attacks by design. So I highly recommend taking a closer look at WebAuthn combined with biometrics or hardware keys, and at our solution. After moving to public-key solutions, the only concern of your security department will be the safety of the devices storing the private keys (smartphones, laptops, hardware keys). But physical theft is very unlikely and easy to detect. In these rare cases, you will have time to revoke the compromised keys and access while the criminals are still busy with the device's biometric or PIN protection.
Security is always about trade-offs. In most cases, you exchange price and UX for safety. For example, adding policies to passwords increases safety but hurts user experience and brings costs to IT support.
Software authenticators are good for security but burden employees with typing in codes and using a mobile app for login. WebAuthn is definitely the best in terms of safety and UX, but it requires expensive devices for employees. Cores was designed to provide the same safety as WebAuthn with almost no requirements on devices, which makes it more affordable but less user-friendly.
Now it is up to you to decide which one suits your company better. Ask yourself what level of security is acceptable for your organization, and how much money and UX you are willing to trade for it.