Cyber Defense Magazine – July 2019


The Shortcomings of Shared Secrets: Why Password-less must be the Path Forward


By George Avetisov, Cofounder and CEO, HYPR


Since the dawn of the Internet there has been a constant struggle between those trying to secure their
personal information and those trying to steal it. Although there have been many iterations of security
models, they have all had one thing in common: a consistent reliance on "shared secrets." Shared secrets
are knowledge-based credentials such as passwords, credit card numbers, bank PINs and your mother's
maiden name that are used as part of a login process. Because a shared secret is accepted from whoever
presents it, and must be held by the service as well as remembered by the user, these credentials are easy
to steal, compromise and reuse. In fact, industry breach reports have attributed more than 80% of
hacking-related breaches to weak or stolen passwords and other shared secrets. The prevalence of
knowledge-based authentication and the continued use of shared secrets has seen phishing attacks and
credential reuse reach all-time highs, and with them Consumer Account Takeover (ATO) fraud has doubled
year over year. Right now, the bad guys are winning the battle to protect our information.


Unfortunately, the story gets bleaker. As enterprises move more and more to the public cloud, the
employee attack surface, and with it the risk of a data breach, grows right alongside. Today, attackers are
performing, and succeeding at, credential stuffing attacks against enterprise resources that were never
before reachable from the outside world: login portals that used to sit behind the corporate perimeter now
accept a username and password from anywhere on the Internet. This is possible because the massive data
breaches that consistently flood our headlines have equipped attackers with millions of compromised
shared secrets, and because users reuse the same password across services, so a credential leaked from
one site can be tried, automatically and at scale, against many others.


Companies recognize the situation they are in and are trying to strengthen their security posture through
newer authentication models: two-factor authentication (2FA), most often delivered as a one-time code
over short message service (SMS), and multi-factor authentication (MFA) more broadly. The problem with
all of them is that they simply add another layer on top of the already flawed shared-secret model. These
models may be harder to attack, but the attack vector is the same as for a plain password: the second
factor is itself a secret that is transmitted to the user and typed back in, so it can be phished, intercepted
or replayed, and attackers have become so adept at exactly that that anything built on the shared-secret
foundation is inherently susceptible.


Therefore, it should come as no surprise that these newer models still leave much to be desired in terms
of security. One of the most popular ways of implementing them, favored by banks and enterprises, is the
one-time password (OTP). Upon signing into an account, the user is sent an OTP to their mobile device
via an SMS text message and must then enter it online to complete the authentication process and gain
access to the account. As complex and difficult to hack as that sounds, the truth is that the SMS can be
diverted fairly easily. In a "SIM swap", the fraudster persuades, tricks or bribes the carrier into moving
the victim's phone number onto a SIM card the fraudster controls, so the OTP is delivered to the wrong
mobile phone, the one in the fraudster's hands. Even when the text does reach the right phone, the code is
just another shared secret typed into a web page: a real-time phishing page can collect it and relay it to the
genuine site before it expires. This is so common that many of today's most popular mobile malware
variants come equipped with SMS OTP-stealing functions as standard.
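The paragraph above describes the SMS OTP flow and why a code that lands on the wrong handset still works. The following Go program, added here as an illustration and not part of the article or of HYPR's product, puts that failure beside the kind of flow the title argues for: a toy OTP verifier that accepts whichever party presents the code, and a simplified FIDO2/WebAuthn-style challenge-response (an assumption; this excerpt does not specify a mechanism) in which the user's device signs the server's challenge together with the origin it is actually connected to. The account name, the two origins and the six-digit code format are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
)

// randomBytes panics on entropy failure; a real server would fail the request instead.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// 1. SMS one-time password, a bearer secret: whoever presents the code is
// accepted; the server cannot tell whose handset the SMS actually reached.
type otpServer struct{ outstanding map[string]string } // account -> code awaiting entry

// issueOTP returns the 6-digit code the server would send by SMS.
func (s *otpServer) issueOTP(account string) string {
	code := fmt.Sprintf("%06d", binary.BigEndian.Uint32(randomBytes(4))%1_000_000)
	s.outstanding[account] = code
	return code
}

// verifyOTP burns the code on any attempt (limits guessing); it has no notion of who is calling.
func (s *otpServer) verifyOTP(account, code string) bool {
	want, ok := s.outstanding[account]
	if !ok {
		return false
	}
	delete(s.outstanding, account)
	return subtle.ConstantTimeCompare([]byte(want), []byte(code)) == 1
}

// 2. Password-less challenge-response bound to the origin (a simplified
// FIDO2/WebAuthn-style flow, assumed for this example): the server keeps only
// a public key; the authenticator signs challenge||origin for the site it sees.
type keyServer struct {
	origin     string
	pubkeys    map[string]ed25519.PublicKey
	challenges map[string][]byte
}

// challenge issues a fresh 32-byte nonce, consumed by the next verify for the account.
func (s *keyServer) challenge(account string) []byte {
	s.challenges[account] = randomBytes(32)
	return s.challenges[account]
}

// signedMessage is unambiguous because the challenge has a fixed length.
func signedMessage(challenge []byte, origin string) []byte {
	return append(append([]byte{}, challenge...), origin...)
}

// authenticatorSign models the user's device; on a phishing page the origin it sees is the phisher's.
func authenticatorSign(priv ed25519.PrivateKey, challenge []byte, seenOrigin string) []byte {
	return ed25519.Sign(priv, signedMessage(challenge, seenOrigin))
}

// verify checks the signature against the server's own origin, never the client's claim.
func (s *keyServer) verify(account string, sig []byte) bool {
	pub, ok := s.pubkeys[account]
	ch, okc := s.challenges[account]
	if !ok || !okc {
		return false
	}
	delete(s.challenges, account)
	return ed25519.Verify(pub, signedMessage(ch, s.origin), sig)
}

type demoResult struct{ OTPUser, OTPSIMSwapped, KeyUser, KeyPhished bool }

func runDemo() demoResult {
	var r demoResult
	otp := &otpServer{map[string]string{}}
	code := otp.issueOTP("alice")                  // SMS reaches alice and she types it:
	r.OTPUser = otp.verifyOTP("alice", code)       // accepted
	code = otp.issueOTP("alice")                   // after a SIM swap the same SMS lands on
	r.OTPSIMSwapped = otp.verifyOTP("alice", code) // the attacker's phone: also accepted
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	srv := &keyServer{"https://bank.example", map[string]ed25519.PublicKey{}, map[string][]byte{}}
	srv.pubkeys["alice"] = pub // constructed origin and account for the example
	ch := srv.challenge("alice")
	r.KeyUser = srv.verify("alice", authenticatorSign(priv, ch, "https://bank.example"))
	ch = srv.challenge("alice") // phisher relays the real challenge from a look-alike site
	r.KeyPhished = srv.verify("alice", authenticatorSign(priv, ch, "https://bank-example.evil"))
	return r
}

func main() { fmt.Printf("%+v\n", runDemo()) }
```

Running it prints `{OTPUser:true OTPSIMSwapped:true KeyUser:true KeyPhished:false}`: the OTP verifier has no way to distinguish the victim from the holder of the swapped SIM, while the signature made on the phishing page fails because the server verifies against its own origin. Real WebAuthn signs a structured client-data blob carrying the origin rather than a bare concatenation, but the binding it relies on is the same.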


This model of authentication has proven so ineffective that the National Institute of Standards and
Technology (NIST) deprecated the use of SMS as a strong second factor in its Digital Identity Guidelines
(SP 800-63B, whose final text restricts rather than removes it) more
