Nevis Security: Password-free authentication

Cybercriminals hijack millions of users ‘ accounts every year with automated testing of stolen login data. Password-free authentication puts a stop to this. […]

During the corona pandemic, the number of cyber attacks has continued to increase. This is the conclusion of the report on the state of IT security in Germany 2020 published by the Federal Ministry of the Interior together with the Federal Office for Information Security (BSI). In addition to malware used for ransomware attacks on private individuals, companies, authorities and other institutions, credential stuffing plays an increasingly important role in the strategies of criminals. Nevis Security provides an overview and identifies effective countermeasures.

Credential stuffing, i.e. the automated “testing” of username-password combinations for various online services, has experienced a strong upswing since 2019: The cause is large data breaches at Marriott, Equifax or LinkedIn, for example, through which a large number of login data came into the hands of criminals. What is more serious, however, is that around 61 percent of users not only assign their passwords once, but reuse them. A once stolen password can thus act as a” master key ” to various services.

The gold-digging mood among cybercriminals can also be measured by looking at the number of successful cyber attacks in 2020. More than 80 percent were carried out using stolen login data or brute force; the preferred target was web applications with more than 90 percent, according to the Verizon Data Breach Investigations Report 2021. The perpetrators do not have to have any deeper technical or programming knowledge: Leaked password lists are partly freely accessible or can be purchased on the Darknet. Access to credential stuffing tools is just as easy.

Whether and where a login with the stolen or purchased credentials is possible, the criminals test using a rotating proxy that drives hundreds of thousands of login information across multiple services. Even for a large-scale attack, the time required is only a few minutes to crack several thousand to tens of thousands of accounts.

Apply two-factor authentication correctly

As an effective countermeasure for private users, the BSI report recommends – in addition to general care in handling their own data – two-factor authentication whenever an online service offers it. If this security measure is active, it is no longer sufficient to know only the password; in addition, the user must prove his identity beyond doubt by means of a feature that only he alone has. For example, the SMS-TAN method, hardware keys or various authenticator apps can be used.

However, all these methods have in common that they are either insecure – so SMS can be easily intercepted by criminals with appropriate software tools; strain the patience of the user when typing columns of numbers or simply are not at hand when they are needed, for example because the hardware key in the USB slot has been forgotten.

A remedy is provided by a method that completely replaces passwords with biometric authentication and improves both user-friendliness and security: so-called password-free authentication. It uses the biometric sensors that are installed in modern smartphones and allow the user to be uniquely identified by their facial features or fingerprints without sensitive data ever leaving the device. Since the smartphone is now included in almost every situation, the user can access the secure login via authentication app almost anywhere.

“The password-free authentication should thus make a decisive contribution to getting security problems such as credential stuffing under control,” says Stephan Schweizer, CEO of Nevis. “At the same time, the login via FaceID or fingerprint is extremely convenient for users. Companies that use the process benefit from the improved user experience and the resulting stronger customer loyalty.“

* Bernhard Lauer is a freelance editor of dotnetpro and is responsible for the section Basic Instinct. With Visual Basic, he has been programming privately since version 1.0.

Ready to see us in action:

More To Explore
Enable registration in settings - general
Have any project in mind?

Contact us: