By Alex Wilson, Director Solutions Engineering Asia Pacific & Japan, Yubico
Our identities are no longer confined to physical documents in today's increasingly digitised world. With this momentous change, protecting our digital identities becomes increasingly crucial – and more complex.
Authentication, the process of confirming one's identity, has emerged as the linchpin of digital security and a significant factor in safeguarding digital identities. However, as the internet continues to grow and attackers become more sophisticated, legacy authentication options such as traditional usernames and passwords, and even SMS-based one-time passcodes (OTPs), are no longer sufficient to stay secure.
To stay secure against sophisticated threats such as phishing and ransomware, it is essential to understand the various authentication methods and their vulnerabilities – including the urgent need for a paradigm shift towards modern, phishing-resistant Multi-Factor Authentication (MFA) tools for organisations and individuals alike.
The Threats to Digital Identities
Digital identities grant us access to various services and resources in the online world. They define what we can do, where we can go and what we can access. It is worth noting that they are separate from the National Digital Identity system that the Federal Government is currently considering for Australians.
The degree of trustworthiness and security associated with digital identities varies, reflecting their value. Consider, for instance, the potential ramifications of a compromised identity. From financial fraud and data breaches to identity theft and extortion, the stakes are high and the implications are far-reaching.
The increasing sophistication of cybercriminals has birthed a plethora of threats to digital identities: phishing, vishing, pharming, and other deceptive tactics targeting users' credentials and personal data.
Non-payment and non-delivery scams exploit digital identities for financial gain, while personal data breaches expose sensitive information to malicious actors. The ramifications of these attacks are profound, enabling identity theft, extortion and even confidence fraud.
The Persistent Problem: Insecure Authentication
Ironically, while technology evolves rapidly, the most common forms of authentication are still not secure enough. Australia, lagging behind the global trend, still relies heavily on traditional usernames and passwords to authenticate – which we now know are highly susceptible to phishing and ransomware attacks if used as the only form of authentication.
Regardless of their size or sector, enterprises remain alarmingly susceptible to cyberattacks due to outdated authentication practices. There is a plethora of research supporting these concerns, and it is a stark reminder of the prevailing vulnerabilities.
Our Global State of Authentication Survey 2022 found that over half of ANZ employees rely on insecure authentication methods. A market intelligence report conducted by S&P Global Market Intelligence found that 59 per cent of enterprises reported experiencing a data breach last year, and that 91 per cent still rely on usernames and passwords as their main form of authentication.
"Attackers Don't Hack, They Login"
Recent high-profile breaches, such as those at Optus, Medibank, and Latitude Financial, underscore the ease with which cybercriminals can exploit weak authentication mechanisms to infiltrate organisations. These incidents illuminate a disconcerting reality: attackers often don't need to hack into systems or enter a business’s premises; they just use compromised credentials to gain unauthorised access.
Traditional authentication methods like OTPs or mobile authenticator apps, while providing an extra layer of security, are not infallible. These methods can still be susceptible to phishing attacks. To combat this, a more robust solution is needed. The Fast Identity Online (FIDO) Alliance's standards provide a compelling approach to modern authentication.
FIDO represents a revolutionary shift in authentication. The modern, phishing-resistant Multi-Factor Authentication (MFA) protocols it leverages prioritise high security without sacrificing usability. Great examples of phishing-resistant MFA solutions that leverage the FIDO and WebAuthn protocols are passkeys and hardware security keys, which store passkeys within a physical device.
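What makes a FIDO2/WebAuthn login phishing-resistant, where an OTP is not, is that the credential is scoped to the relying party and the signed assertion includes the origin the browser actually saw. The following is an added illustration, not Yubico's or the FIDO Alliance's code: a toy security key, a browser step and the relying party's verification checks, with an HMAC standing in for the authenticator's real asymmetric signature so the example runs on the standard library alone. The site names, the lookalike domain and the simplified rpId derivation (host of the origin) are constructed assumptions.

```python
"""Origin binding in a simplified WebAuthn assertion (added example, not the original page's code).

Simplifications, all labelled: HMAC replaces the authenticator's ECDSA/EdDSA
signature; rpId is taken as the host of the page origin; a 6-byte lookalike
domain stands in for a phishing site. The relying party checks are the ones
WebAuthn specifies for verifying an assertion, in the same order.
"""
import base64
import hashlib
import hmac
import json
import os

RP_ID = "bank.example"                                   # constructed relying party ID
RP_ORIGIN = "https://bank.example"
PHISH_ORIGIN = "https://bank.example.login-verify.test"  # constructed lookalike domain


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def authenticator_data(rp_id: str, sign_count: int) -> bytes:
    # rpIdHash (32 bytes) || flags (1 byte, user-present bit set) || signCount (4 bytes)
    return hashlib.sha256(rp_id.encode()).digest() + b"\x01" + sign_count.to_bytes(4, "big")


class ToySecurityKey:
    """Holds one credential per relying party; the secret never leaves the device."""

    def __init__(self):
        self._creds = {}  # rp_id -> [secret, sign_count]

    def register(self, rp_id: str) -> bytes:
        secret = os.urandom(32)
        self._creds[rp_id] = [secret, 0]
        return secret  # stands in for the public key the relying party stores

    def get_assertion(self, rp_id: str, client_data_json: bytes):
        # A real key has no credential for a domain it was never registered with.
        if rp_id not in self._creds:
            raise LookupError(f"no credential scoped to {rp_id!r}")
        cred = self._creds[rp_id]
        cred[1] += 1
        auth_data = authenticator_data(rp_id, cred[1])
        signed = auth_data + hashlib.sha256(client_data_json).digest()
        return auth_data, hmac.new(cred[0], signed, "sha256").digest()


def browser_get(key: ToySecurityKey, page_origin: str, challenge: bytes):
    """The browser, not the page, writes the origin into clientDataJSON and derives rpId."""
    rp_id = page_origin.split("://", 1)[1].split("/", 1)[0].split(":")[0]
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": b64url(challenge),
                              "origin": page_origin}).encode()
    auth_data, sig = key.get_assertion(rp_id, client_data)
    return client_data, auth_data, sig


def rp_verify(stored_secret: bytes, issued_challenge: bytes, last_count: int,
              client_data: bytes, auth_data: bytes, sig: bytes) -> bool:
    """Relying-party checks: type, fresh challenge, origin, rpIdHash, counter, signature."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False
    if cd.get("challenge") != b64url(issued_challenge):   # no replay of an old assertion
        return False
    if cd.get("origin") != RP_ORIGIN:                      # the phishing check: origin is signed
        return False
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    if int.from_bytes(auth_data[33:37], "big") <= last_count:  # cloned or replayed authenticator
        return False
    expected = hmac.new(stored_secret,
                        auth_data + hashlib.sha256(client_data).digest(), "sha256").digest()
    return hmac.compare_digest(expected, sig)


def legitimate_login(key: ToySecurityKey, secret: bytes) -> bool:
    challenge = os.urandom(32)
    cd, ad, sig = browser_get(key, RP_ORIGIN, challenge)
    return rp_verify(secret, challenge, 0, cd, ad, sig)


def relayed_login(key: ToySecurityKey, secret: bytes) -> str:
    """A proxy relays the bank's real challenge to the victim on the lookalike page."""
    challenge = os.urandom(32)  # issued by bank.example to the proxy's session
    try:
        cd, ad, sig = browser_get(key, PHISH_ORIGIN, challenge)
    except LookupError:
        return "blocked_by_authenticator"
    return "accepted" if rp_verify(secret, challenge, 0, cd, ad, sig) else "rejected_by_rp"


def relayed_login_bypassing_browser(key: ToySecurityKey, secret: bytes) -> bool:
    """Even with the bank's credential used directly, the signed origin still gives the relay away."""
    challenge = os.urandom(32)
    cd = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                     "origin": PHISH_ORIGIN}).encode()
    ad, sig = key.get_assertion(RP_ID, cd)
    return rp_verify(secret, challenge, 0, cd, ad, sig)


if __name__ == "__main__":
    k = ToySecurityKey()
    s = k.register(RP_ID)
    print("legitimate:", legitimate_login(k, s))
    print("relayed:", relayed_login(k, s))
    print("relayed, browser bypassed:", relayed_login_bypassing_browser(k, s))
```

An OTP has no equivalent of the origin field or the rpIdHash: the six digits typed into the lookalike page are the same six digits the bank expects, so a relay succeeds. Here the relay fails twice over, first because the authenticator holds no credential for the lookalike domain, and again at the relying party because the origin it would have signed is not the bank's.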
The corporate world is poised to benefit immensely from adopting FIDO as the exclusive 2FA method. The concept of establishing trusted identities gains renewed importance in this context. Authentication hygiene becomes the cornerstone of the Zero Trust model, ensuring that access is granted only to those who can unequivocally prove their identity.
Call to Action: Urgent Implementation of Modern MFA
Enterprises must urgently reevaluate their authentication strategies. The prevalence of cyber threats demands the implementation of modern, phishing-resistant MFA. The pivotal role of MFA in safeguarding digital identities is underscored by its inclusion in Australia's Critical Infrastructure Act, encompassing a wider range of industries and imposing stringent reporting requirements. Additionally, the upcoming Australian Cyber Security Strategy 2023-2030 aims to address these challenges through proactive measures and industry consultation.
The Essential Eight, a set of cybersecurity guidelines, advises organisations to upgrade their authentication practices. Phishing-resistant multi-factor authentication is central to this advice. It aligns with the recommendations of the Five Eyes Alliance, of which Australia is a member, reinforcing its significance across international cybersecurity discourse.
A Secure Future with Security Keys
Transitioning to modern MFA should not come at the cost of user convenience. Identity management hygiene is essential to strike the right balance. While the path of least resistance may be tempting, it often compromises security. Users must recognise the intrinsic value of their digital identities and actively participate in protecting them. Phishing-resistant authentication methods are not futuristic concepts but accessible tools available today.
Embracing security keys as a modern authentication solution is essential. Security keys provide robust phishing-resistant authentication that fortifies organisations against data breaches and compromised credentials.
Even in the event of future phishing attempts, security keys ensure that cybercriminals cannot steal valuable data. The key to securing digital identities lies in the hands of organisations willing to transition to modern, phishing-resistant Multi-Factor Authentication. By doing so, they protect their assets and empower users to navigate the digital world with confidence and security.