By Tripp Smith, President & CTO, authID.
Social engineering attacks exploiting legacy Multi-Factor Authentication (MFA) technology succeeded in compromising Twilio, Cisco, Intuit, and other enterprises this summer. Even as CISOs and IAM architects supplement passwords with MFA, hackers keep finding new ways to exploit the human element of security. Of the 4,110 breaches studied in the 2022 Verizon DBIR, the human element was the root cause of 82%.[1] Clearly, securing authentication would be much easier “if it weren’t for the damned users.”
Here are the details of these recent, high-profile MFA social engineering attacks:
Authentication is approaching a fundamental change: after 61 years of passwords, we are now focused on eliminating them with cryptographic FIDO2 Passkeys, which bind authentication to a user’s devices. While replacing “something you know” with “something you have” will undoubtedly be an improvement, shortcomings remain. In the case of the Cisco breach, once the hackers compromised the user’s credentials, they enrolled and redirected step-up to new devices — device authentication was now something the hackers had, not the user.
authID’s Verified™ binds identity to the Passkey on the user’s device by capturing a reference biometric selfie when we first enroll the user. This means that, in typical use, Identity Assurance and Authentication Assurance go hand in hand. When the user needs to elevate privileges to conduct a high-risk transaction, when signals of account takeover are detected, or when a user needs to add or recover a device, Verified steps the user up to an auditable biometric MFA available on any device, creating a chain of trust back to the user’s biometrically authenticated identity.
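The weakness described above (a phished password plus a live OTP is enough to enroll an attacker-controlled device) and the remedy (requiring an identity-proofed step-up before any device enrollment or recovery) can be modelled in a few lines. The following is an added, self-contained Python illustration; it is not authID code and does not describe the Verified product’s internals. The account, device and session names are constructed, and the biometric match is stood in for by a plain string comparison against a constructed enrollment reference.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Assurance(IntEnum):
    """Ordered authentication assurance levels used by this toy model."""
    NONE = 0
    PASSWORD = 1            # something you know
    PASSWORD_OTP = 2        # legacy MFA: the OTP can be phished or relayed
    DEVICE_PASSKEY = 3      # FIDO2 passkey on an already-registered device
    IDENTITY_PROOFED = 4    # step-up matched against the enrollment reference


@dataclass
class Account:
    user: str
    registered_devices: set = field(default_factory=set)
    # Constructed stand-in for the biometric reference captured at enrollment.
    enrollment_reference: str = ""


@dataclass
class Session:
    user: str
    device_id: str
    assurance: Assurance


def authenticate(account, device_id, password_ok, otp_ok=False, passkey_ok=False):
    """Return a Session at the highest assurance the presented factors support."""
    if not password_ok:
        return None
    level = Assurance.PASSWORD
    if otp_ok:
        level = Assurance.PASSWORD_OTP
    # A passkey only counts if it lives on a device the account already trusts.
    if passkey_ok and device_id in account.registered_devices:
        level = Assurance.DEVICE_PASSKEY
    return Session(account.user, device_id, level)


def step_up(account, session, presented_sample):
    """Elevate a session by matching a fresh sample to the enrollment reference.
    A real system would use a liveness-checked biometric matcher; here a plain
    string comparison stands in for that match (constructed for the example)."""
    if session is not None and presented_sample == account.enrollment_reference:
        return Session(session.user, session.device_id, Assurance.IDENTITY_PROOFED)
    return session  # a failed step-up leaves the session unchanged


def register_device(account, session, new_device_id, require_identity_proof):
    """Enroll a new passkey device. Returns True if enrollment was accepted.
    The strict policy demands an identity-proofed session; the legacy policy
    accepts any password+OTP session, which is exactly what a phisher holds."""
    if session is None or session.user != account.user:
        return False
    needed = Assurance.IDENTITY_PROOFED if require_identity_proof else Assurance.PASSWORD_OTP
    if session.assurance < needed:
        return False
    account.registered_devices.add(new_device_id)
    return True


def phished_enrollment_succeeds(require_identity_proof):
    """Simulate an attacker holding a phished password and a live OTP who tries
    to enroll their own device. Returns True if the attacker ends up with a
    registered (trusted) device."""
    account = Account("alice", {"alice-laptop"}, enrollment_reference="ref-alice")
    attacker = authenticate(account, "attacker-phone", password_ok=True, otp_ok=True)
    register_device(account, attacker, "attacker-phone", require_identity_proof)
    return "attacker-phone" in account.registered_devices


def legitimate_recovery_succeeds():
    """The real user on a brand-new phone: password + OTP, then a biometric
    step-up against the enrollment reference, then enrollment under the
    strict policy."""
    account = Account("alice", {"alice-laptop"}, enrollment_reference="ref-alice")
    session = authenticate(account, "alice-new-phone", password_ok=True, otp_ok=True)
    session = step_up(account, session, "ref-alice")
    register_device(account, session, "alice-new-phone", require_identity_proof=True)
    return "alice-new-phone" in account.registered_devices


if __name__ == "__main__":
    print("legacy policy, attacker enrolls device:", phished_enrollment_succeeds(False))
    print("step-up policy, attacker enrolls device:", phished_enrollment_succeeds(True))
    print("step-up policy, real user recovers:", legitimate_recovery_succeeds())
```

The point the model makes is that the assurance level required to add a device must be higher than anything a phishing kit can harvest: once enrollment is gated on a factor tied to the enrolled identity rather than to a code the user can be tricked into typing, a stolen password and OTP no longer convert into a trusted device.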
authID’s Verified augments “something the user has” with “something the user is,” their unique face. The human element is the problem in 82% of breaches, so the human element — biometrics — is the ideal solution. We’ve designed Verified with a frictionless user experience, available on any machine or through any messaging technology, that’s easier to use and more secure than legacy one-time PIN codes.
authID’s Verified authenticates the human factor.
#ciso #biometricauthentication #socialengineering #mfa #passkeys
[1] https://www.verizon.com/business/resources/reports/dbir/
[2] https://www.twilio.com/blog/august-2022-social-engineering-attack
[3] https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html
[4] https://mailchimp.com/august-2022-security-incident/
[5] https://blog.lastpass.com/2022/08/notice-of-recent-security-incident/