Customer Passwords are a Target for Cybercriminals: How to Address the Threat

May 05, 2022
Cybercrime | IT Leadership | Security

Savvy customers care about cybersecurity and choose to do business with companies that provide an exceptional digital experience.


Companies face various cyber risks, ranging from ransomware to data theft. Cyber threat actors gain access to an organization’s systems in various ways. However, cybercriminals commonly take the path of least resistance, and organizations’ reliance on password-based authentication provides numerous avenues of attack. Passwords are known to be a weak form of authentication, and the widespread use of weak and reused passwords puts companies and their customers at risk.

CISOs have spent years addressing the threat vectors that target their workforce, which remains the most common entry point for ransomware, data theft, and many other breaches. However, with the pandemic-fueled rise of digital channels, customer accounts have become an increasingly attacked surface. CISOs are increasingly expected to “secure what you sell,” which presents a new domain of security. To secure this customer domain, CISOs must address the same issue they have been dealing with on the workforce side: passwords.

Password-based authentication hurts usability and security

Passwords are the most widely-used form of customer account authentication. Customers use passwords to log into mobile apps, websites, and other customer channels. However, while passwords are ubiquitous, they are a weak and high-friction form of authentication. This friction harms both the security and the customer experience of an organization’s digital channels.

The security impact of password-related friction arises because customers avoid painful, time-consuming processes such as generating and storing a random, unique password for every online account. As a result, passwords are commonly weak and reused across accounts, and that reuse is precisely what makes credential stuffing and other account takeover (ATO) attacks work. Think about your own use of passwords for the websites and apps you use: if you don’t use a password manager, you likely reuse user IDs and passwords across many unrelated sites.

The poor customer experience of passwords also hurts an organization’s business. Password-related friction can reduce guest user conversions, inspire shopping cart abandonment, cause drop-offs when switching between brands or channels, and require greater customer effort (which is a leading indicator of reduced brand loyalty). Passwords are bad for security and bad for customer experience.

Bolted-on security doesn’t work

To shore up the weak security of passwords, companies commonly bolt on additional protections that do little to improve security but cause further harm to the user experience.

Common examples include:

  • SMS one-time passwords (OTPs): OTPs sent via SMS or other means are a common form of multi-factor authentication (MFA). However, these codes can be intercepted (for example, after a SIM swap) or phished in real time by a lookalike page that relays the code to the real site before it expires. Delivery can also fail or be delayed, and the codes always add time and effort to the login.
  • Out-of-wallet security questions: Online accounts may ask out-of-wallet questions to prove a user’s identity. However, the answers are often available to attackers through public records, phishing, data breaches, and social media. They add time and effort, and many customers forget the answers they chose, which forces additional account recovery steps.
  • CAPTCHAs: CAPTCHAs are designed to slow automated attacks. However, attackers can defeat them with solving services or relay them to humans, while legitimate users find them a barrier to reaching their own accounts.

At best, these password bolt-ons frustrate users and create additional friction; at worst, they are accessibility barriers for people with cognitive or physical disabilities. In either case, none of them stops a determined cybercriminal performing an account takeover, because each still rests on a secret or a response that the user can be tricked into handing over.

Passwordless authentication is the solution

Password-based authentication is not secure and will never be secure. Even if every customer used a unique, random password for each online account, that would only defeat guessing and reuse: the password would still be vulnerable to phishing, because the user types the same secret into whatever page asks for it, and to a breach of the service’s own password store.

Creating a secure, streamlined user experience requires an alternative approach. The best solution is going passwordless with a FIDO-based approach. FIDO, or Fast Identity Online, is an open set of standard protocols promoted by the FIDO Alliance[1] for strong authentication using everyday consumer devices like mobile phones. While FIDO does not solve the problem overnight – it takes users time to switch to passwordless authentication – when done right, it begins to eliminate your biggest business risk: customer passwords.

FIDO-based authentication, as part of a well-designed customer identity and access management (CIAM) service, provides protection against the most common tactics used in ATO attacks, including:

  • Compromised credentials: FIDO-based authentication relies on a private key that is generated and kept on the user’s device and unlocked locally with a biometric or PIN. The biometric never leaves the device, and the service stores only the matching public key. Users have no secret to memorize or type, so they cannot be tricked into revealing one, and a breach of the service’s credential store yields nothing an attacker can use to log in.
  • Phishing pages: Phishing attacks commonly use fake, lookalike pages to collect users’ credentials. A FIDO credential is bound to the origin (domain) of the service it was registered with: the browser or platform only offers it to that origin, and the signed login response names the origin the user was actually on, which the service checks. A lookalike domain therefore cannot obtain a valid response, even if it relays the real site’s login challenge.
  • Credential stuffing: Credential stuffing replays username and password pairs leaked from one site against many others, exploiting reuse. With FIDO, each site gets its own random key pair and every login is a fresh signature over a challenge the site just issued, so there is no shared, reusable secret for an attacker to collect from one breach and try elsewhere.

The best implementations of FIDO-based authentication completely eliminate passwords for users, from the point of registration through the entire customer journey. By eliminating passwords entirely, the right FIDO-based solution both reduces customer friction and eliminates a very common threat vector: stolen credentials.
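As an added illustration, not code from the original article or from Transmit Security, the following Go program simulates the FIDO/WebAuthn challenge-response flow behind the three bullets above: an authenticator holding one key pair per site, a relying party that issues single-use challenges and checks origin and signature, a replayed response, and a lookalike phishing page. The names (shop.example, shop-example.evil, alice) are constructed, and the client data encoding is a simplified stand-in for WebAuthn’s collectedClientData and authenticatorData rather than a spec-conformant implementation.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// clientData stands in for WebAuthn's collectedClientData: the browser records the
// challenge it was handed and the origin of the requesting page; the signature covers both.
type clientData struct{ Challenge, Origin string }

func (c clientData) digest() []byte {
	h := sha256.Sum256([]byte(c.Challenge + "|" + c.Origin))
	return h[:]
}

// authenticator models the user's device: one key pair per (relying party ID, user),
// generated on the device and never exported. Unlocking it (PIN, biometric) happens locally.
type authenticator struct{ keys map[string]*ecdsa.PrivateKey }

// register creates a credential scoped to rpID and hands back only the public key.
func (a *authenticator) register(rpID, user string) *ecdsa.PublicKey {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	a.keys[rpID+"/"+user] = priv
	return &priv.PublicKey
}

// assert signs the client data with the credential scoped to rpID. A real browser derives
// rpID from the page origin, so a key for shop.example is never offered to another domain.
func (a *authenticator) assert(rpID, user string, cd clientData) ([]byte, error) {
	priv, ok := a.keys[rpID+"/"+user]
	if !ok {
		return nil, errors.New("no credential registered for " + rpID)
	}
	return ecdsa.SignASN1(rand.Reader, priv, cd.digest())
}

// relyingParty is the web service. It stores public keys only: a breach of this table
// yields nothing that can be replayed here or stuffed into another site.
type relyingParty struct {
	id, origin string
	pubKeys    map[string]*ecdsa.PublicKey
	pending    map[string]string // one outstanding challenge per user
}

// beginLogin issues a fresh random challenge that is valid for exactly one response.
func (rp *relyingParty) beginLogin(user string) string {
	b := make([]byte, 16)
	rand.Read(b) // crypto/rand: does not return an error on supported platforms
	rp.pending[user] = fmt.Sprintf("%x", b)
	return rp.pending[user]
}

// finishLogin performs the server-side checks in order: challenge, origin, signature.
func (rp *relyingParty) finishLogin(user string, cd clientData, sig []byte) error {
	challenge, ok := rp.pending[user]
	delete(rp.pending, user) // single use: a replayed response fails on the next line
	if !ok || cd.Challenge != challenge {
		return errors.New("unknown or already-used challenge")
	}
	if cd.Origin != rp.origin {
		return errors.New("origin mismatch: response was signed for " + cd.Origin)
	}
	pub, ok := rp.pubKeys[user]
	if !ok || !ecdsa.VerifyASN1(pub, cd.digest(), sig) {
		return errors.New("no enrolled credential or signature does not verify")
	}
	return nil
}

// outcomes holds each scenario's result; a nil error means the login was accepted.
type outcomes struct{ Genuine, Replay, PhishNoCredential, PhishOriginCheck error }

func runScenarios() outcomes {
	var o outcomes
	auth := &authenticator{keys: map[string]*ecdsa.PrivateKey{}}
	shop := &relyingParty{id: "shop.example", origin: "https://shop.example",
		pubKeys: map[string]*ecdsa.PublicKey{}, pending: map[string]string{}}
	shop.pubKeys["alice"] = auth.register(shop.id, "alice")
	// 1. Genuine login from the real origin, then 2. a replay of the captured response.
	cd := clientData{Challenge: shop.beginLogin("alice"), Origin: shop.origin}
	sig, _ := auth.assert(shop.id, "alice", cd)
	o.Genuine = shop.finishLogin("alice", cd, sig)
	o.Replay = shop.finishLogin("alice", cd, sig)
	// 3. Phishing: a lookalike page relays the real challenge, but the request is scoped
	// to the page's own origin, for which the authenticator holds no key.
	evil := clientData{Challenge: shop.beginLogin("alice"), Origin: "https://shop-example.evil"}
	_, o.PhishNoCredential = auth.assert("shop-example.evil", "alice", evil)
	// 4. Even a signature by the real key over the evil origin fails server-side, because
	// the signed client data names an origin other than shop.example.
	sig, _ = auth.assert(shop.id, "alice", evil)
	o.PhishOriginCheck = shop.finishLogin("alice", evil, sig)
	return o
}

func main() { fmt.Printf("%+v\n", runScenarios()) }
```

Running it prints a nil Genuine result and non-nil errors for the other three scenarios. Because register keys credentials by relying party ID, a second site such as bank.example would receive an unrelated key pair, which is the property that leaves credential stuffing with nothing to replay; a production server would additionally check the authenticator’s signature counter and user-verification flag from authenticatorData, which this simplified client data omits.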

Your customers care about cybersecurity

In a January 2022 research report entitled, “Build the Business Case for Cybersecurity and Privacy”, Forrester states that people are “drawn to brands with a strong security and privacy reputation.” They go on to say: “As a result of improved security and better self-service, clients mentioned that implementing services for customer identity and access management (CIAM) resulted in greater efficiency in customer acquisition, lower customer and shopping cart abandonment, and better conversion rates (customers signing up and buying on the site). Over time, these improved customer experiences will clearly link to increased customer loyalty, satisfaction, and revenue.”

Your customers are likely savvier than ever about how their accounts are protected. They care about cybersecurity, but they also choose to do business with companies that provide exceptional digital user experiences. By implementing the right passwordless CIAM service for your digital channels, you can both close off the threat vector of stolen credentials and significantly reduce the effort your customers go through to log in and transact. Achieve better security and a better experience.

To learn more about passwordless authentication, visit Transmit Security.

[1] Source