Earlier this month, Verizon released its Data Breach Investigations Report (DBIR). In this 16th year of the report, Verizon highlighted their analysis of more than 953,894 incidents, of which 254,968 are a breach. The report shows three primary ways in which attackers access an organization:
- Stolen credentials
- Exploitation of vulnerabilities.
Continuing the findings of last year’s report, the 2023 report states that hackers continue to exploit the human element (including errors, misuse, and social engineering). By combining this element with the entry points above, hackers gain access to organizations to launch their attacks. In fact, 74% of all breaches include the human element, with people being involved via error, privilege misuse, use of stolen credentials, or social engineering. A slight decrease over last year! But we have a long way to go.
The use of stolen credentials remains the top way for criminals to gain access to organizations. This supports the basic premise that, above all else, hackers just log in. Stolen credentials continue to be the top access method for bad actors, accounting for 44.7% of breaches. Additionally, stolen credentials play a bigger role in web application attacks, accounting for 86% of breaches there. To put that in perspective, web applications make up 25% of all breaches.
The takeaway here is that humans and their credentials are still the weak link in the security chain. Why? Because a credential is something that can be shared or stolen. It feels like a difficult problem to solve, but in reality, the market is shifting to meet the obvious demand here. If we can eliminate credentials – username and password – then the problem can be solved. Passwordless is the answer, right? Well, not so fast.
While these reports can be all doom and gloom, fear not: it’s not all bad, because there are ways to fix the problem.
As I discussed in last year’s blog about the 2022 DBIR report, Verizon recommends the usual approaches to solve some of these problems, such as deploying two-factor authentication and/or implementing password managers for users, all in an effort to avoid the impact credentials introduce. This approach can reduce the likelihood of attackers being able to exploit poor passwords to gain access to applications, systems, and data. These capabilities have been available and in production for years, BUT we are still seeing similar numbers year over year from reports like this year’s DBIR.
At 1Kosmos, we believe we need to focus on credentials. Why? As I stated earlier, bad actors log in. If we can remove their capacity to log in, we stop a staggering number of breaches. So if we can improve upon authenticating users without the use of credentials, then organizations will be better for it.
Let’s examine how a 1Kosmos customer can log in. Our customers systematically replace credentials with real biometrics that are matched to a verified digital identity, and it works across all operating systems including Microsoft, Mac, Unix, and Linux. The authentication is IAL2 and AAL2 certified and ensures the user is who they claim to be. Because we do an ID+Selfie at enrollment and compare the selfie at each and every access request, we ensure that the user requesting access is that same user.
So, how do we, 1Kosmos, replace credentials? With verified identity. By combining identity verification with access management, organizations can eliminate credentials, especially passwords, and therefore prevent most of the 74% of intrusions caused by humans. You may be thinking this sounds like what your current vendor is claiming by taking you passwordless. There is an important distinction in what I am suggesting here. Passwordless authentication is only a little better than current MFA methods. Multiple biometrics can be stored on a device (more than one face or touch ID), and using them as the main authentication method still leaves it unknown whether the user is who they claim to be. The access request has proven possession of the device, that is all.
The move to an ID+Selfie journey, and using that selfie as a reference during authentication, combines identity verification and authentication, which are currently siloed activities in most organizations. This approach weaves authentication into the identity fabric.
Hopefully, more organizations will take this approach and next year we’ll have another decline!