Imagining a professional life without passwords

Passwords are a source of many security risks: recent LastPass research found that IT teams spend five hours a week on average dealing with password-related issues. A passwordless login experience, on the other hand, gives employees a user-friendly and secure way of accessing their accounts and devices, no matter where they are. This eliminates many password-related risks, such as password reuse or failing to change default credentials, which means improved security and …

The post Imagining a professional life without passwords appeared first on Help Net Security.

Is passwordless authentication actually the future?

While passwords may not be going away completely, 92 percent of respondents believe passwordless authentication is the future of their organization, according to a LastPass survey.


Passwordless authentication reduces password-related risk by letting users log in to devices and applications without typing a password.

Technologies such as biometric authentication, single sign-on (SSO) and federated identity streamline the user experience for employees within an organization, while still maintaining a high level of security and complete control for IT and security teams.

Organizations still have a password problem

Problems with passwords are still an ongoing struggle for organizations. The amount of time that IT teams spend managing users’ password and login information has increased year over year.

In fact, those surveyed suggest that weekly time spent managing users’ passwords has increased 25 percent since 2019. Given this, 85 percent of IT and security professionals agree that their organization should look to reduce the number of passwords that individuals use on a daily basis.

Additionally, 95 percent of respondents say there are risks to using passwords that could contribute to threats in their organization, notably human behaviors such as password reuse and weak passwords.

Security priorities are at odds with user experience

When it comes to managing an organization, security is the core challenge for IT teams, whereas employees care about convenience and ease of use. Security is the main source of frustration for the IT department, particularly because many of the issues stem from how users handle their passwords.

The top three frustrations for IT teams include users using the same password across applications (54 percent), users forgetting passwords (49 percent) and time spent on password management (45 percent).

For employees, the issues lie in convenience. Their top three frustrations are changing passwords regularly (56 percent), remembering multiple passwords (54 percent) and typing long, complex passwords (49 percent).

Primary benefits of passwordless authentication

Better security (69 percent) and eliminating password related risk (58 percent) are believed by respondents to be the top benefits of deploying a passwordless authentication model for their organization’s IT infrastructure. Time (54 percent) and cost (48 percent) savings are also noted benefits of going passwordless.

Meanwhile, for employees a passwordless authentication model would help to address efficiency concerns. 53 percent of respondents report that passwordless authentication offers the potential to provide convenient access from anywhere, which is key given the shift towards remote work that is likely here to stay.

Top challenges of passwordless deployment

While going passwordless can provide a more secure authentication method, there are challenges in the deployment of a passwordless model.

Respondents report the initial financial investment required to migrate to such solutions (43 percent), the regulations around the storage of the data required (41 percent) and the initial time required to migrate to new types of methods (40 percent) as the biggest challenges for their organization to overcome.

There are also some concerns around resistance to change. Nearly three quarters of IT and security professionals (72 percent) think that end users in their organization would prefer to continue using passwords, because that is what they are used to.


Passwords are not going away completely

When it comes to identity and access management, 85 percent do not think passwords are going away completely. Yet, 92 percent of respondents believe that delivering a passwordless experience for end-users is the future for their organization.

There is a clear need to find a solution that combines passwordless authentication and password management in today’s organizations.

“As many organizations transition to a long-term remote work culture, giving your employees the tools and resources to be secure online in their personal lives as well as in the home office is more important now than ever,” said Gerald Beuchelt, CISO at LogMeIn.

“This report shows the continued challenge that organizations face with password security and the need for a passwordless authentication solution to enable both IT teams and employees to operate more efficiently and securely in this changing environment.”

How do industry verticals shape IAM priorities?

IAM priorities differ by industry vertical, and a one-size-fits-all approach to IAM doesn’t work when every industry and business within that industry is unique, according to LastPass and Vanson Bourne.


Each industry vertical has unique business needs, and as a result has different areas of focus when it comes to their IAM program.

Finance focused on reducing risk, while integrating IAM infrastructure

Financial service organizations deal with higher stakes than most verticals, which inevitably impacts how they manage employee access and authentication.

35 percent of IT professionals in this industry say hackers have gained access to their organizations in the past, which is not surprising given financial institutions experience the highest cybercrime costs out of all verticals at an average of $18.3 million per year.

According to the report, 70 percent of IT professionals in the finance industry say that reducing risk is a top priority and 65 percent state that integrating security infrastructure is their biggest area for improvement.

IT focused on IAM security benefits and prioritizes MFA

As information technology businesses are close to IAM software and manage customers' data, their relationship with technology clearly shapes their IAM strategy. 77 percent in this industry say securing data is their top priority, while improving identity and access management is less of a focus, with 61 percent noting it as a priority.

28 percent of IT and security professionals in this industry said they are planning to invest in multi-factor authentication (MFA) solutions, which will help address their security challenges because MFA helps ensure that only the right employees can access sensitive data.


Media needs a secure, automated way to manage user access

Mass communication companies work with many external consultants to execute their programs, so a wide range of users, both internal and external, access business resources, which complicates IAM.

34 percent of IT professionals in this industry say managing user access is important to their organization, compared with the average across all industries (9 percent). 44 percent say end users are demanding an easier-to-use solution and 49 percent say automating IAM processes is an area for improvement.

“Finance is focused on reducing risk and integrations, IT is prioritizing the security components of IAM, whereas media is focused on improving employee productivity,” said John Bennett, General Manager, Identity and Access Management Business Unit at LogMeIn.

“It’s clear that flexibility, breadth of functionality and ease of use are critical so businesses can customize their IAM strategy in alignment with their business objectives. Organizations need to evaluate what their business needs are and build their IAM strategy based on those requirements.”

Beware of phishing emails urging for a LogMeIn security update

LogMeIn users are being targeted with fake security update requests, which lead to a spoofed phishing page.

“Should recipients fall victim to this attack, their login credentials to their LogMeIn account would be compromised. Additionally, since LogMeIn has SSO with Lastpass as LogMeIn is the parent company, it is possible the attacker may be attempting to obtain access to this user’s password manager,” Abnormal Security noted.

The fake LogMeIn security update request

The phishing email has been made to look like it’s coming from LogMeIn. Not only does the company logo feature prominently in the email body, but the sender’s identity has been spoofed and the phishing link looks, at first glance, like it might be legitimate.

“The link attack vector was hidden using an anchor text impersonation to make it appear to actually be directing to the LogMeIn domain,” Abnormal Security explained.

“Other collaboration platforms have been under scrutiny for their security as many have become dependent on them to continue their work given the current pandemic. Because of this, frequent updates have become common as many platforms are attempting to remedy the situation. A recipient may be more inclined to update because they have a strong desire to secure their communications.”
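The anchor text impersonation Abnormal Security describes works because mail clients render the visible link text, not the `href`. The following detector, an added example that is not code from Abnormal Security, LogMeIn or Help Net Security, parses an HTML body and flags every link whose visible text names one host while the `href` resolves to another. The e-mail body and the look-alike host `logmein.com.example.invalid` are constructed for the example.

```python
"""Detect anchor-text impersonation in an HTML e-mail body.

Added example for illustration; it is not code from Abnormal Security,
LogMeIn or Help Net Security. The e-mail body and the attacker host
'logmein.com.example.invalid' below are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Visible link text that reads like a URL or a bare domain name.
_LOOKS_LIKE_URL = re.compile(
    r"^(?:https?://)?(?:www\.)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#].*)?$", re.I
)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def displayed_host(text):
    """Host the anchor text claims to point at, or None for plain words."""
    m = _LOOKS_LIKE_URL.match(text.strip())
    return m.group(1).lower() if m else None


def actual_host(href):
    """Host the href really resolves to, or None if it has none."""
    host = urlsplit(href).hostname
    return host.lower() if host else None


def same_site(claimed, actual):
    """True when the real host is the claimed host or one of its subdomains."""
    return actual == claimed or actual.endswith("." + claimed)


def find_mismatched_links(html):
    """Return (href, text) for each link whose text names a different site."""
    parser = _LinkCollector()
    parser.feed(html)
    suspicious = []
    for href, text in parser.links:
        claimed, actual = displayed_host(text), actual_host(href)
        if claimed and actual and not same_site(claimed, actual):
            suspicious.append((href, text))
    return suspicious


# Constructed message mimicking the campaign: the text shows a LogMeIn URL,
# the href goes to a look-alike host under a different registrable domain.
SAMPLE_EMAIL = """
<html><body>
<p>A security update is required for your LogMeIn account.</p>
<p><a href="https://www.logmein.com.example.invalid/update">https://www.logmein.com/security-update</a></p>
<p><a href="https://support.logmein.com/help">support.logmein.com</a></p>
<p><a href="https://example.invalid/unsubscribe">Unsubscribe</a></p>
</body></html>
"""

if __name__ == "__main__":
    for href, text in find_mismatched_links(SAMPLE_EMAIL):
        print(f"text claims {displayed_host(text)!r} but href goes to {actual_host(href)!r}")
```

Only links whose visible text looks like a URL or domain are judged; a link labelled "Unsubscribe" carries no claim to compare against. The subdomain check is a plain suffix match on the claimed host, so a production filter would additionally consult the public suffix list to compare registrable domains rather than raw suffixes.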

Advice for users

This LogMeIn-themed phishing campaign is a small one, but users should know that Abnormal Security has seen an “incredible uptick” in collaboration software impersonations in the past month.

Be careful when perusing unsolicited email, even if it looks like it’s coming from a legitimate source. If you have to enter login credentials into a web page, make sure you landed on that page by entering the correct URL yourself or by opening a bookmark – and not by following a link in an email.

In this particular case, you can be sure that if LogMeIn asks you to update something, the request/reminder will be shown once you access your account, so you’re not losing anything by ignoring the email and the link in it.

Password psychology: People aren’t protecting themselves even though they know better

People aren’t protecting themselves from cybersecurity risks even though they know they should, a study on password psychology by LogMeIn reveals.


Password psychology

Year after year there is heightened global awareness of hacking and data breaches, yet consumer password behaviors remain largely unchanged. Data from the survey shows that 91 percent of people know that using the same password on multiple accounts is a security risk, yet 66 percent continue to use the same password anyway.

With people spending more time online, the evolution of cybersecurity threats and the unchanged behavior in creating and managing passwords creates a new level of concern around online security.

The global survey polled 3,250 individuals across the United States, Australia, Singapore, Germany, Brazil, and the United Kingdom and provides evidence that increased knowledge of security best practices doesn’t necessarily translate into better password management.

Global cyber threats continue to skyrocket but password behaviors unchanged

Password behaviors remain largely unchanged from the same study conducted two years ago — translating to some risky behaviors. 53 percent report not changing passwords in the past 12 months despite a breach in the news.

And while 91 percent know that using the same password for multiple accounts is a security risk, 66 percent mostly or always use the same password. This is up 8 percent from our findings in 2018.

Security-conscious thinking doesn’t translate to action

The data showed several contradictions, with respondents saying one thing and in turn, doing another. 77 percent say they feel informed on password best practices, yet 54 percent still try to memorize passwords and 27 percent write them down somewhere.

Similarly, 80 percent are concerned with having their passwords compromised, and yet 48 percent never change their password if not required.

Fear of forgetfulness, number one reason for password reuse

Most respondents (66 percent) use the same password for multiple accounts, which surprisingly has gone up 8 percent from our 2018 findings. Why? The fear of forgetting login information continues to be the number one reason for password reuse (60 percent), followed by wanting to know and be in control of all of their passwords (52 percent).


Awareness and usage of MFA increasing

The good news is there is broad awareness and usage of multifactor authentication (MFA). Fortunately, 54 percent say they use MFA for their personal accounts and 37 percent are using it at work. Only 19 percent of survey respondents said they did not know what MFA was.

Respondents are also very comfortable with biometric authentication, that is, using a fingerprint or face to log in to devices or accounts. 65 percent said they trust fingerprint or facial recognition more than traditional text passwords.

“During a time where much of the world is working from home due to the disruption caused by the COVID-19 pandemic, and people are spending more time online, the cyber threats facing consumers are at an all-time high. Individuals seem to be numb to the threats that weak passwords pose and continue to exhibit behaviors that put their information at risk,” said John Bennett, SVP & GM of Identity and Access Management at LogMeIn.

“Taking just a few simple steps to improve how you manage passwords can lead to increased safety for your online accounts, whether personal or professional. Make World Password Day 2020 the tipping point for a change in your password behavior.”

Some commercial password managers vulnerable to attack by fake apps

Security experts recommend using a complex, random and unique password for every online account, but remembering them all would be a challenging task. That’s where password managers come in handy.


Encrypted vaults are accessed by a single master password or PIN, and they store and autofill credentials for the user. However, researchers at the University of York have shown that some commercial password managers (depending on the version) may not be a watertight way to ensure cybersecurity.

After creating a malicious app to impersonate a legitimate Google app, they were able to fool two out of five of the password managers they tested into giving away a password.

What is the weakness?

The research team found that some of the password managers used weak criteria for identifying an app, and therefore for deciding which username and password to suggest for autofill. This weakness allowed the researchers to impersonate a legitimate app simply by creating a rogue app with an identical name.

Senior author of the study, Dr Siamak Shahandashti from the Department of Computer Science at the University of York, said: “Vulnerabilities in password managers provide opportunities for hackers to extract credentials, compromising commercial information or violating employee information. Because they are gatekeepers to a lot of sensitive information, rigorous security analysis of password managers is crucial.

“Our study shows that a phishing attack from a malicious app is highly feasible – if a victim is tricked into installing a malicious app it will be able to present itself as a legitimate option on the autofill prompt and have a high chance of success.”

“In light of the vulnerabilities in some commercial password managers our study has exposed, we suggest they need to apply stricter matching criteria that are not merely based on an app’s purported package name.”

“I am not aware of the different ways a password manager could properly identify an app so not to fall victim to this kind of attack. But it does remind me of concerns we’ve had a long time about alternative keyboard apps getting access to anything you type on your phone or tablet,” Per Thorsheim, founder of PasswordsCon, told Help Net Security.

“The risk presented with autofill on compromised websites pertains only to the site’s credentials, not the user’s entire vault. It is always in the user’s best interest to enable MFA for all online accounts, including LastPass, since it can protect them further,” a LastPass spokesperson told us via email.

“While continued efforts from the web and Android communities will also be required, we have already implemented changes to our LastPass Android app to mitigate and minimize the risk of the potential attack detailed in this report. Our app requires explicit user approval before filling any unknown apps, and we’ve increased the integrity of our app associations database in order to minimize the risk of any ‘fake apps’ being filled/accepted.”
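The two matching policies at issue, the package-name-only check the York researchers defeated and the stricter association plus explicit approval for unknown apps that LastPass describes, can be contrasted in a few lines. The example below is an added illustration and not the code of any password manager named in the article: the package names, certificate digests and vault entry are constructed, and on Android the signer digest would come from the APK signing certificate via PackageManager, which this stand-alone code does not touch.

```python
"""Autofill app matching: package name alone vs. package name bound to the
app's signing certificate, plus explicit approval for unknown apps.

Added illustration, not the code of any password manager named in the
article. Package names and certificate digests are constructed; on Android
the digest would come from the APK signing certificate via PackageManager,
which this stand-alone example does not touch.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class InstalledApp:
    package: str          # purported package name, chosen by whoever built the APK
    signer_sha256: str    # hex SHA-256 of the signing certificate (constructed)


# Vault entry keyed by the app it belongs to (constructed credential).
VAULT = {"com.example.bank": ("alice", "correct horse battery staple")}

# Weak association: any app claiming this package name gets the entry.
WEAK_ASSOCIATIONS = {"com.example.bank"}

# Strict association: package name bound to the certificate it was enrolled with.
STRICT_ASSOCIATIONS = {("com.example.bank", "aa" * 32)}


def weak_match(app):
    """The check the York study defeated: name equality only."""
    return app.package in WEAK_ASSOCIATIONS


def strict_match(app):
    """Name and signer must both match the stored association."""
    return (app.package, app.signer_sha256) in STRICT_ASSOCIATIONS


def autofill(app, strict=True, approve_unknown=lambda app: False):
    """Credentials to offer for `app`, or None.

    Under strict matching an app whose signer differs from the association
    is treated as unknown and is filled only if the user explicitly approves.
    """
    if app.package not in VAULT:
        return None
    matched = strict_match(app) if strict else weak_match(app)
    if matched or approve_unknown(app):
        return VAULT[app.package]
    return None


GENUINE = InstalledApp("com.example.bank", "aa" * 32)
ROGUE = InstalledApp("com.example.bank", "bb" * 32)   # same name, attacker's key


def demo():
    """Outcomes for the genuine and rogue app under both policies."""
    return {
        "weak_genuine": autofill(GENUINE, strict=False),
        "weak_rogue": autofill(ROGUE, strict=False),        # leaks the credential
        "strict_genuine": autofill(GENUINE),
        "strict_rogue": autofill(ROGUE),                    # blocked
        "strict_rogue_approved": autofill(ROGUE, approve_unknown=lambda a: True),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:22s} -> {result}")
```

The strict association must be recorded when the user first saves the credential for a verified app, never silently on the next match attempt; otherwise a rogue app installed before enrollment would enroll its own certificate. The approval prompt is the residual risk: as the study's authors note, a user tricked into installing the rogue app may well approve it.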

Other vulnerabilities

The researchers also discovered that some password managers did not limit the number of times a master PIN or password could be entered. This means that if attackers had access to an individual’s device they could launch a “brute force” attack, guessing a four-digit PIN in around 2.5 hours.
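The 2.5-hour figure follows from 10,000 possible four-digit PINs tried at roughly one guess per second with nothing stopping the attacker. The simulation below, an added example and not the code of any password manager in the article, runs that exhaustive search against an unlimited gate and against one that locks out with a doubling delay after a small free budget. The PIN, the attempt budget and the lockout schedule are constructed values, and the clock is faked so the run completes instantly; a real unlock would also stretch the PIN through a slow KDF and might wipe the vault after too many failures.

```python
"""Bounding master-PIN guesses, against the unlimited-retry brute force the
York researchers describe.

Added example, not the code of any password manager in the article. The
PIN, the free-attempt budget and the lockout schedule are constructed
values; a real unlock would also run the PIN through a slow KDF and could
wipe the vault after too many failures.
"""
import hmac


class FakeClock:
    """Constructed clock so the simulation runs without sleeping."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


class PinGate:
    """Verify a PIN; after `free_attempts` failures, lock out for a delay
    that doubles with every further failure (None = no limit at all)."""

    def __init__(self, pin, now, free_attempts=3, base_delay=30.0, max_delay=3600.0):
        self._pin = pin.encode()
        self._now = now
        self.free_attempts = free_attempts
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.failures = 0
        self.locked_until = 0.0

    def unlock(self, guess):
        """True on the right PIN, False on a wrong one; raise while locked."""
        t = self._now()
        if t < self.locked_until:
            raise RuntimeError(f"locked out for {self.locked_until - t:.0f}s")
        if hmac.compare_digest(guess.encode(), self._pin):
            self.failures = 0
            return True
        self.failures += 1
        if self.free_attempts is not None and self.failures >= self.free_attempts:
            exponent = self.failures - self.free_attempts
            delay = min(self.base_delay * 2 ** exponent, self.max_delay)
            self.locked_until = t + delay
        return False


def brute_force(gate, clock, step=1.0, budget=9000.0):
    """Try every four-digit PIN in order, one guess per `step` seconds (about
    the rate implied by 10,000 guesses in 2.5 hours), giving up once the
    constructed clock passes `budget`. Returns (pin_or_None, guesses_evaluated)."""
    evaluated = 0
    for n in range(10000):
        if clock.t > budget:
            break
        guess = f"{n:04d}"
        try:
            if gate.unlock(guess):
                return guess, evaluated + 1
            evaluated += 1
        except RuntimeError:
            pass          # attacker keeps hammering, but nothing is checked
        clock.t += step
    return None, evaluated


if __name__ == "__main__":
    for label, limit in (("unlimited", None), ("3 free, then doubling lockout", 3)):
        clock = FakeClock()
        pin, tried = brute_force(PinGate("7391", clock, free_attempts=limit), clock)
        print(f"{label:30s} -> found {pin!r} after {tried} evaluated guesses")
```

With no limit the constructed PIN 7391 falls after 7,392 evaluated guesses, inside the 2.5-hour window. With three free attempts and a lockout that doubles from 30 seconds up to an hour, only eleven guesses are ever evaluated in the same window, so an exhaustive search of the 10,000-PIN space would take years rather than an afternoon. The trade-off is that the same schedule slows a legitimate user who mistypes, which is why products pair it with a wipe-after-N threshold rather than an ever-growing delay.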

The researchers also drew up a list of vulnerabilities identified in a previous study and tested whether they had been resolved. They found that while the most serious of these issues had been fixed, many had not been addressed.

Some issues have been fixed long ago

The researchers disclosed these vulnerabilities to the companies developing those password managers.

Lead author of the study, Michael Carr, said: “New vulnerabilities were found through extensive testing and responsibly disclosed to the vendors. Some were fixed immediately while others were deemed low priority. More research is needed to develop rigorous security models for password managers, but we would still advise individuals and companies to use them as they remain a more secure and useable option. While it’s not impossible, hackers would have to launch a fairly sophisticated attack to access the information they store.”

Commenting on this research for Help Net Security, Jeffrey Goldberg, Chief Defender Against the Dark Arts at 1Password, said: “Academic research of this nature can be misread by the public. The versions of 1Password that were examined in that study were from June and July 2017. As is the convention for such research, the researchers talked to us before making their findings public and gave us the opportunity to fix things that needed to be fixed. The research, and publication of it now, does have real value both to developers of password managers and for future examination of password managers, but given its historical nature, it is not a very useful guide to the general public in assessing the current state of password manager security.”