Classic authentication methods have been widely used for decades, relying on credentials to secure our digital identities. A username asserts who we claim to be, and a password proves it. A simple solution, for much simpler times. Today, as technology advances, these traditional methods increasingly fall short of providing sufficiently robust security.
We’re putting together a series of articles exploring the complexity of user authentication, showcasing the vulnerabilities behind classic authentication and the next-level practices we should apply to ensure a safer digital space. This piece explores the common shortcomings of classic authentication, text passwords in particular, shedding light on the weaknesses that expose unsuspecting users to a range of risks.
The fundamental issue
We see it as a modern concept, but password usage predates the digital era by a long way. There are records showing how ancient Romans used wooden tablets with “watchwords” written on them to distinguish friend from foe. So it should come as no surprise that the biggest password liability is as old as the notion itself and closely tied to human nature, because it is in our nature to seek convenience and comfort. In terms of credential security, this translates into choosing weak passwords (common words, our pet’s name) and never changing them. This kind of negligence makes it easier for malicious actors to exploit our predictable patterns, leading to security breaches.
I’m using complex passwords. Am I safe?
You may consider strong passwords the be-all and end-all of online security; in fact, they are just the start. It doesn’t matter how long it would take an attacker to guess your password if you hand it over before they even begin. It sounds unlikely, but such social engineering attacks are increasingly worrying. According to the Anti-Phishing Working Group (APWG), phishing is the single most common form of cyber-attack and the root cause of 36% of data breaches. Even vigilant users can fall victim to well-crafted phishing schemes, which underlines the need for authentication methods that withstand social engineering. And if you consider yourself safe from phishing, there are other threats out there, such as keyloggers and general malware.
After obtaining your credentials, cybercriminals perform an attack called credential stuffing, which specifically exploits users who reuse passwords across multiple platforms. Once a set of credentials is compromised, attackers systematically try the same combination on other websites. While there are services that help users protect themselves (Have I Been Pwned is one that comes to mind), they only catch publicly disclosed data breaches, and by then it is often too late to act.
Moreover, no matter how strong our passwords are, how often we update them and how careful we are not to disclose them, they are ultimately managed by third-party platforms, which, let’s be honest, have dropped the ball many times. These data breaches result from poor practices on their part: unencrypted credential storage, overly verbose APIs, unsanitized logs, outdated communication protocols… the list goes on. We may feel safe once we hit that “new password submit” button, but it is only a matter of time before our account comes under threat.
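Two of the practices listed above, storing credentials in recoverable form and writing them into logs, are shown side by side with their hardened counterparts in this added example, which is not code from the original article or from any platform it mentions; the iteration count and the redaction pattern are assumptions.

```python
import hashlib
import hmac
import os
import re

# Weak pattern the article describes: the platform keeps the secret itself,
# so one database leak hands every user's password (reused elsewhere) to the attacker.
def store_plaintext(db, username, password):
    db[username] = password

def verify_plaintext(db, username, password):
    return db.get(username) == password

# Hardened pattern: random per-user salt plus a slow key derivation. A leaked
# record cannot be replayed elsewhere and each guess costs the attacker ITERATIONS.
ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed value; tune for your hardware)
DUMMY_SALT = b"\x00" * 16

def store_hashed(db, username, password):
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    db[username] = f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_hashed(db, username, password):
    record = db.get(username)
    if record is None:
        # Do the same work for unknown accounts so response time does not reveal valid usernames.
        hashlib.pbkdf2_hmac("sha256", password.encode(), DUMMY_SALT, ITERATIONS)
        return False
    _, iters, salt_hex, digest_hex = record.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))  # constant-time compare

# "Unsanitized logs": strip credential-looking parameters before a line is written.
SECRET_RE = re.compile(r"\b(password|passwd|pwd|token)=([^\s&]+)", re.IGNORECASE)

def redact(line):
    return SECRET_RE.sub(lambda m: f"{m.group(1)}=[REDACTED]", line)
```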
How does Artificial Intelligence impact classic authentication?
We hear about AI influencing most aspects of our digital lives, and classic authentication is no exception. It is both a positive and a negative factor: on the one hand it enhances the capabilities of attackers, on the other it provides tools for defenders. The catch is that attackers are typically more technically inclined than the average user, which leaves users’ privacy in an even more volatile state.
In practical terms, by applying machine learning to public datasets, cybercriminals can efficiently create synthetic data, iterate through credential combinations, test credential stuffing and roll out phishing schemes. According to a study by IBM, which ran A/B phishing tests, the click rate for generative AI phishing was 11%, while the click rate for human-written phishing was 14%. The AI-generated email was also reported as suspicious at a slightly higher rate than the human-written message, 59% versus 52% respectively.
“Humans may have narrowly won this match, but AI is constantly improving. As technology advances, we can only expect AI to become more sophisticated and potentially even outperform humans one day.” (Stephanie Carruthers, IBM’s chief people hacker)
It’s a matter of education
While classic authentication on its own is hardly sufficient and inherently insecure, with careful attention it can provide a semi-adequate level of protection. Unfortunately, many users continue to underestimate the importance of strong passwords, regular updates and the risks associated with phishing. Improving user awareness and education is critical to improving the overall security posture.
As cyber threats continue to evolve, classic authentication struggles to keep pace with the changing landscape. The rise of sophisticated attacks and the increasing value of personal information demand a shift toward more adaptive and advanced authentication solutions to counter emerging threats effectively.
Stay tuned for our upcoming articles, showcasing ways to improve our online presence and protect our digital assets through next-level authentication methods.
About Adrian Marinica
Adrian Marinică is the Chief Technology Officer (CTO) of Maxcode. In this role, he is accountable for the company’s strategy, development, and delivery of complex software to fintech partners. Adrian is a proven leader with years of experience in managing diverse product strategies, and in working closely with partners to drive software innovation.
9 November 2023