No more passwords, please!

The password is probably the best known concept in computing. You would probably only find people who don't know the word in the most remote areas of the globe. Even the Romans were known to use passwords to guard entry to their army camps. After a few thousand years you would have thought that passwords might have been replaced by something more suited to the times. And we all know that this is not the case. Most of us still use passwords every time we use a computer. As much as we dislike them, passwords are everywhere. So far so bad. But why should we care? Many of today's most successful and common attacks on businesses succeed because passwords on their own are such a catastrophic way of protecting personal accounts.

Phishing is still a popular form of attack. Sophos, for example, published the results of its global survey The Impossible Puzzle of Cybersecurity a few weeks ago. They report that 53 percent of all IT managers who admitted to being victims of a cyberattack were deceived by a phishing email. Phishing is here to stay. It costs little or nothing and is disastrously effective, especially if targets are chosen with just a little more care than sending out mass emails. Whaling, for example, is a type of phishing which is targeted specifically at managers in Business Email Compromise (BEC) attacks. A few hundred thousand euros can be quickly lost this way. Even today, after every single media outlet has reported on it.

The key to a successful attack is piling on the pressure and winning trust. Attackers like to move laterally – just like hackers hijacking a fairly unimportant but unprotected system on the victim's network, working their way through the network and collecting credentials and permissions until they have taken the most valuable resources. Lateral phishing uses hijacked internal employee accounts to make emails appear particularly trustworthy. After all, the message originates from a company address which the target can reply to, although they will receive a response from the attacker instead. This means that defensive measures such as filtering external emails are also ineffective as the attack comes from within. A recent study by firewall manufacturer Barracuda in collaboration with researchers from UC Berkeley and UC San Diego found that one in seven companies surveyed had experienced lateral phishing attacks in the last seven months.

And this leads us back to the password and why passwords alone are no longer sufficient today. Company mail accounts are only easy to compromise if they are protected by a password alone and not by a second factor. Once the attacker has captured the password – via phishing, social engineering or any other means – the account is compromised and can be used for further attacks. If a second factor is required to log in, stolen credentials alone are worthless.

Many companies today already use two-factor authentication, mostly in combination with a VPN. But there are still many companies that do without it – either it's too expensive, too complicated or users object to physical security tokens. Today, sophisticated 2FA solutions are possible with techniques such as FIDO2. They cost little, could also be used privately and would ensure that the password would be superfluous or at least replaced by a simple code for all applications. It's about time: 53% of security breaches caused by phishing is just too much.
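Why a FIDO2 login is worthless to a phisher even when the user is tricked into completing it: the browser binds the assertion to the origin it was made on, and the authenticator scopes it to the relying party ID. The added example below (not code from the original post) implements the server-side checks of a simplified WebAuthn assertion verifier with the standard library only; the relying party `mail.example.com`, the look-alike domain, the challenge and the counters are constructed values, and verification of the ECDSA signature over authenticatorData || sha256(clientDataJSON) is assumed to happen separately with the registered public key.

```python
import base64
import hashlib
import json
import struct

# Constructed sample relying party: the site the user really registered the key with.
RP_ID = "mail.example.com"
EXPECTED_ORIGIN = "https://mail.example.com"
FLAG_USER_PRESENT = 0x01
CHALLENGE = b"constructed-random-challenge-32b"  # a real server uses os.urandom(32) per login


def make_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """37-byte WebAuthn authenticatorData prefix: sha256(rpId) || flags || signCount (big-endian)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


def client_data(origin: str, challenge: bytes) -> bytes:
    """clientDataJSON as the browser builds it; the origin field is filled in by the browser, not the page."""
    b64url = base64.urlsafe_b64encode(challenge).rstrip(b"=").decode()
    return json.dumps({"type": "webauthn.get", "challenge": b64url, "origin": origin}).encode()


def verify_assertion(client_data_json: bytes, auth_data: bytes, expected_challenge: bytes,
                     last_sign_count: int) -> tuple:
    """Relying-party checks from the WebAuthn assertion ceremony (signature check assumed elsewhere)."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    raw = cd.get("challenge", "")
    if base64.urlsafe_b64decode(raw + "=" * (-len(raw) % 4)) != expected_challenge:
        return False, "challenge mismatch (replay?)"
    if cd.get("origin") != EXPECTED_ORIGIN:  # phishing page on another domain fails here
        return False, "origin mismatch: " + str(cd.get("origin"))
    rp_id_hash, flags = auth_data[:32], auth_data[32]
    sign_count = struct.unpack(">I", auth_data[33:37])[0]
    if rp_id_hash != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch: assertion was scoped to another relying party"
    if not flags & FLAG_USER_PRESENT:
        return False, "user presence not asserted"
    if sign_count != 0 and sign_count <= last_sign_count:
        return False, "signature counter did not increase (cloned authenticator?)"
    return True, "ok"


def demo_genuine() -> tuple:
    return verify_assertion(client_data(EXPECTED_ORIGIN, CHALLENGE),
                            make_auth_data(RP_ID, FLAG_USER_PRESENT, 42), CHALLENGE, 41)


def demo_phished() -> tuple:
    # Constructed look-alike domain: the browser reports it as origin and the key is scoped to it.
    return verify_assertion(client_data("https://mail-example.com", CHALLENGE),
                            make_auth_data("mail-example.com", FLAG_USER_PRESENT, 1), CHALLENGE, 0)
```

Compare this with a phished password, which the attacker can simply type into the real site: the assertion captured on the look-alike domain fails the origin check before anything else is even considered.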
