At first glance, identity protection seems like a topic that has already been thoroughly covered. Nevertheless, recent statistics and security reports consistently show that identity-related attacks remain among the greatest risks facing businesses.
Cybersecurity in Europe & Germany
In Europe alone, nearly 60% of all identified security incidents begin with compromised cloud accounts. Once inside, attackers use techniques such as lateral movement to obtain credentials for highly privileged accounts and reach the crown jewels of the infrastructure.
Protection against identity theft is comparatively easy to implement within Identity & Access Management (IAM). Nevertheless, only about 65% of all German companies use multi-factor authentication (MFA), and only about 20% have achieved an optimized maturity level for digital identity management. At the same time, nearly 70% of large enterprises rate their maturity level as advanced or higher. Is this a misjudgment, given that 60% of all attacks are based on compromised accounts?
Background
In the cloud era, identities form the new security perimeter, even though this boundary is admittedly no longer new. Many companies still think too much in terms of demilitarized zones (DMZs) surrounded by firewall systems. However, since the onset of the pandemic, the number of employees working from home has likely increased significantly. These employees often access cloud-based services directly, without first connecting via VPN to their organization's on-premises security infrastructure. This makes it all the more important to pay closer attention to digital identities during authentication and authorization.
Identity Protection Trends - Passwordless
These trends go far beyond the scope of MFA and the use of passwords as the sole line of defense. Passwordless logins are the way of the future; they make it much easier for employees to log in and reduce the number of password reset requests received by the user help desk.
How do passkeys contribute to protection?
Phishing protection: Passkeys use public-key cryptography. The private key is stored on the user’s device and is never disclosed; only the public key is shared with the service or server. Because the private key never leaves the device, there is nothing for a phishing site to capture, which makes passkeys well protected against phishing attacks.
No password reuse: A separate passkey is generated for each service. This eliminates the risk of reusing the same password across different services or websites. Reuse is a common problem when relying solely on passwords, as a single set of stolen credentials can then compromise multiple accounts.
No central password storage: Service providers do not store passwords, only public keys, which are useless without the corresponding private keys. This means that even in the event of a data breach at a service provider, attackers cannot obtain usable login credentials.
Local authentication: Authentication takes place locally on the user’s device, significantly reducing the risk of login credentials being intercepted while in transit over public networks such as the internet.
Multi-factor authentication (MFA): Passkeys can serve as a form of multi-factor authentication by combining something the user has (the device on which the private key is stored) with something the user is (biometrics) or something the user knows (a PIN). A passkey is therefore normally unlocked by one of these additional factors rather than used entirely on its own.
How can FIDO help protect users?
Physical security keys: FIDO (Fast IDentity Online) also uses public-key cryptography and is based on physical security keys, such as the YubiKey, which also use biometric methods. Attacks on FIDO are extremely difficult to carry out, as no passwords are used and the private keys required for cryptographic authentication remain on employees’ devices, additionally protected by biometrics. However, outsourcing biometric data to third-party servers increases the attack surface.
How does biometric authentication work?
Physical characteristics: Biometric methods are now standard and offer the enormous advantage of letting users authenticate with physical characteristics. However, fingerprint, facial, or iris scans are only as secure as the employee’s control over these characteristics; after all, we are all familiar with the scene from crime films in which perpetrators unlock victims’ cell phones. Biometrics also has a major drawback: biometric data must be stored permanently, which raises data protection concerns, and it cannot be changed. Once this data is compromised, the gates are wide open.
Software tokens on mobile devices
Authenticator Apps: OTPs (one-time passwords) are increasingly delivered via authenticator apps on mobile devices and offer a quick and easy way to add an extra layer of authentication. These apps generate time-sensitive one-time passwords that expire after use. Codes can be generated once the service’s OTP secret has been successfully enrolled in the authenticator app.
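To make the two properties above concrete (time-sensitive codes, and codes that must not be accepted twice), here is an added Python example, not from the original article, of RFC 6238 TOTP generation together with a server-side verifier that tolerates one time step of clock skew and rejects replays. The shared secret is the RFC 6238 reference key; the `TotpVerifier` class and its replay rule are assumptions for illustration.

```python
import hashlib
import hmac
import struct
import time

# RFC 6238 defaults used by most authenticator apps: 30-second steps,
# 6 digits, HMAC-SHA1. Example code added for this article.
STEP = 30
DIGITS = 6


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC the big-endian counter, dynamic-truncate, mod 10^DIGITS."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def totp(secret: bytes, at: int) -> str:
    """TOTP is HOTP with the counter derived from the current Unix time."""
    return hotp(secret, at // STEP)


class TotpVerifier:
    """Server side: accept codes within +-skew steps, never accept a step twice."""

    def __init__(self, secret: bytes, skew: int = 1):
        self.secret = secret
        self.skew = skew
        self.last_used_step = -1  # highest time step already consumed

    def verify(self, code: str, now: int) -> bool:
        step = now // STEP
        for candidate in range(step - self.skew, step + self.skew + 1):
            if candidate <= self.last_used_step:
                continue  # replay: this step (or an older one) was already used
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_used_step = candidate
                return True
        return False


# Constructed shared secret: the RFC 6238 reference key ("1234567890" twice).
# During enrolment an app would receive this base32-encoded, e.g. via QR code.
SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print("current code:", totp(SECRET, int(time.time())))
```

Codes are only valid for their 30-second window (plus the configured skew), and once a code has been redeemed the verifier refuses it again, which is the "expire after use" behaviour the paragraph describes.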
Other methods for identity protection
Adaptive Authentication: This is not a standalone method, but rather an adaptive extension that incorporates an anomaly-based approach. The risk of a login is assessed based on various factors and contextual information. Real-time analysis of signals such as location, network, or time determines whether a login is allowed, whether the user must first be verified through additional authentication methods, or whether authentication is denied.
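As an added illustration of that three-way decision (not code from the original article), the Python below scores a login from the network it came from, the time of day, and the distance travelled since the previous login. The corporate network range, the work-hours window, the 900 km/h plausibility limit and the "impossible travel" rule are constructed assumptions; the coordinates are approximate city locations used only as sample input.

```python
import ipaddress
import math
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Constructed policy values for this example (RFC 5737 documentation range).
CORPORATE_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
WORK_HOURS = range(7, 20)            # 07:00 to 19:59 local time
MAX_PLAUSIBLE_SPEED_KMH = 900.0      # roughly an airliner


@dataclass
class Login:
    src_ip: str
    lat: float
    lon: float
    when: datetime


def distance_km(a: Login, b: Login) -> float:
    """Great-circle (haversine) distance between two login locations."""
    lat1, lon1, lat2, lon2 = map(math.radians, (a.lat, a.lon, b.lat, b.lon))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def risk_signals(current: Login, previous: Optional[Login]) -> List[str]:
    """Collect anomaly signals from network, time and location context."""
    signals = []
    ip = ipaddress.ip_address(current.src_ip)
    if not any(ip in net for net in CORPORATE_NETWORKS):
        signals.append("off-network")
    if current.when.hour not in WORK_HOURS:
        signals.append("off-hours")
    if previous is not None:
        # Treat anything under one second as one second to avoid dividing by zero.
        hours = max((current.when - previous.when).total_seconds(), 1.0) / 3600
        if distance_km(previous, current) / hours > MAX_PLAUSIBLE_SPEED_KMH:
            signals.append("impossible-travel")
    return signals


def decide(current: Login, previous: Optional[Login]) -> str:
    """ALLOW silently, STEP_UP to an additional factor, or DENY outright."""
    signals = risk_signals(current, previous)
    if "impossible-travel" in signals:
        return "DENY"
    if signals:
        return "STEP_UP"
    return "ALLOW"
```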
OAuth 2.0: As an open protocol, OAuth 2.0 uses tokens for authentication on the internet, making it an ideal choice for public cloud services. Login credentials do not need to be re-entered each time, because the token remains valid for a defined lifetime before it expires. However, unlike Kerberos, the token is tied not to the user or the computer but to the service. It enables an app on the user’s device to access a cloud service and the data it publishes.
SSO: Unlike OAuth 2.0, Single Sign-On uses a user token that is issued upon entering the username and password. Similar to OAuth 2.0, this token also has a lifespan and does not require re-authentication every time. The duration of the token’s validity can be configured. Only after the validity period expires does a complete new authentication process become necessary for A
Training & simulated phishing attacks
When implementing all your security measures, always keep in mind that the human factor is extremely important. Ultimately, many successful identity-based attacks stem from phishing attempts that employees failed to recognize as such. The most effective protection here remains regular security awareness training for employees, accompanied by periodic simulations using phishing emails.