#Infosec2024: Why Credential-Based Attacks Need Modern Solutions

The evolving and innovative tactics cybercriminals use to steal login credentials highlights the urgent need for organizations to adopt modern security methods for their employee accounts. This includes considering the integration of secure passwordless authentication methods.

Credential theft often provides the most straightforward way for attackers to infiltrate organizations. This can be achieved in a variety of ways, from compromises of third-parties that hold their credentials to phishing attacks on individual employees. Many threat actors have also become adept at bypassing common multi-factor authentication protocols.

Even password managers, frequently advised as a best practice method for creating and storing secure passwords, are not infallible, as shown by the breaches of password management giant LastPass in 2022.

Yet there are tools and methods available that can reduce the chances of credential theft occurring – it is about rolling them out.

Passwordless Technologies Are Here

Passwordless technologies don’t necessarily come to mind when thinking about password managers, but Steve Won, Chief Product Officer at 1Password, told Infosecurity that the company is keen to promote the use of these tools on its platform.

New users can create a 1Password individual account using a passkey as of December 2023, meaning they don’t need to memorize a password for their master account.

Passkeys, which are based on FIDO Alliance standards, are more resistant to compromise than using a combination of a password and MFA option because they are tied to a user account and a website or application.

Additionally, developers only need to save a public key to the server instead of a password, meaning there’s far less value for a bad actor to hack into servers.

1Password provides a service called Passage, allowing businesses to implement passkeys into any app or website with just a few lines of code.

This feature comes as a number of tech giants, including Google and X, have expanded the availability of passkeys for users.

Won explained that 1Password has also taken steps to improve the interoperability between different systems.

“What we realized when passkeys were initially launched is that while Apple, Google and Microsoft collaborate in the FIDO Alliance, they’re making different choices because they take into account different user experiences and different architecture,” he noted.

“We saw an opportunity to take the lead in user experience and say for passkeys to be widely adopted, we have to recognize the fact that people use a myriad of devices,” added Won.

Won said over 700,000 passkeys are currently saved by 1Password on its service. Businesses benefit from the use of passkeys as they accelerate sign up and sign in time for customers, improve user experience, and mean users spend less time worrying about threat mitigation.

Managing the Use of Unauthorized Apps

The need for modernized authentication methods has been exacerbated by the expansion of apps and tools used by employees to access business systems, amid the shift to remote working.

Recent research by 1Password found that one-in-three employees (34%) use unapproved apps and tools to boost productivity, a phenomenon known as shadow IT. This results in significant security risks to businesses.

Won noted: “The risks that exist for businesses is they don’t know what their span of control is, and you can’t secure what you don’t know.”

The growing use of generative AI tools, such as ChatGPT, has increased the security risks for businesses, including employees uploading sensitive company data onto a public large language model (LLM) platform.

Won emphasized that using external tools can significantly enhance productivity, and instead of preventing their use, businesses must find ways to enable their secure use.

The first stage is empowering employees to use secure log ins into these tools and applications, such as passkeys.

The other is gaining visibility into the apps and devices. Won highlighted 1Password’s new Extended Access Management software, which is designed to give companies the ability to view and manage unsanctioned apps and websites.

Infosecurity Europe 2024

1Password will be exhibiting at Infosecurity Europe 2024, taking place at the ExCel, London, from June 4-6. Register here to ensure your attendance.

Additionally, 1Password’s Director of Engineering, Anna Pobletts, will be speaking during the Women in Cybersecurity event at Infosecurity Europe, which is taking place from 15.00 on Wednesday June 5 on the Keynote Stage.

Check out the rest of the Infosecurity Europe conference program here.