Can’t We Just Get Rid of Passwords Now?

Shape Security and F5 Labs recently published the 2021 Credential Stuffing Report, which is the product of a multi-year collaborative research project that evolved from Shape’s original Credential Spill Report. This year’s report covers the lifecycle of credential theft in detail, from the original theft of usernames and passwords, through their sale and distribution among cybercriminals, to their eventual use for fraud. The report also makes it clear that credential stuffing remains an enormous problem that demands the attention and investment of the security community. This is not a problem that is going to go away or solve itself.

At the root of these problems are the systems that authenticate users with passwords. Passwords are inconvenient and create numerous security vulnerabilities, so why can’t we just replace them?

The short answer is: there’s not a better method—yet. Companies are beholden to their users, and while most users claim to value security over convenience, their actions speak otherwise. For example, even when users’ accounts are taken over, fewer than one out of ten will adopt multi-factor authentication (MFA) because of the associated complexity and friction.

All authentication is a balance of usability, security, and deployability. To replace passwords, a new solution must equal passwords on all three fronts and exceed them on at least one. Trading off one set of advantages for another will not be enough to incentivize both organizations and users to switch.

A Better MFA

A hypothetical solution to our maximization problem is invisible multi-factor authentication (iMFA). Unlike the MFA solutions of today, which typically rely on a password combined with an SMS or one-time-password via email or a physical token, iMFA would rely on factors that are invisible to the user. Specifically, iMFA would collect and process the maximum number of effort-free signals. Let’s break that down:

• Maximum number. Web authentication is converging on a non-binary authentication model where all available information is considered for each transaction on a best-effort basis. All of the context of a user’s interaction with a website can be used to grant the best visibility into a user’s risk profile.
• Effort-free signal collection and processing. Security should be provided on the backend, so it doesn’t impede customers. By providing security without customer impact, companies can mitigate threats at minimal cost without introducing friction and upsetting users. For example, most email providers have settled for approaches that classify mail based on known patterns of attacker behavior. These defenses are not free or easy to implement, with large web operators often devoting significant resources towards keeping pace with abuse as it evolves. Yet, this cost is typically far less than any approach requiring users to change behavior.

iMFA could be implemented with a combination of tools like WebAuthn and behavioral signals.The credential storage and user verification can be securely provided by WebAuthn, and the continuous authorization can be augmented with behavioral signals. The traditional MFA factors—“something you know,” “have,” and “are”—come from WebAuthn. And the newest factor, “something you do,” comes from behavioral signals, including new types of biometrics. Further, generating this variety of signals requires just a single gesture from the user, which is far less effort than entering a password. By combining these methods, and constantly recomputing trust through machine learning, we can achieve the rare simultaneous outcome of increased security with decreased user friction.

An Interim Solution

But iMFA cannot replace passwords overnight. Change-resistant users will need a gradual transition. Websites will still have to incorporate a solution like WebAuthn into their authentication protocols. Without pressing urgency from a specific security threat, many sites will likely take their time adopting this standard. Furthermore, the integration process for a behemoth like Amazon could be extremely complicated, which is likely why there has been initial support from browser companies but not from e-commerce companies or social media sites.

If adoption of a new method will take years, what should businesses do in the meantime? Outlast the attackers by denying them their most precious resource: time. Attackers conducting credential stuffing are usually financially motivated and do not have infinite capital. If an organization can significantly increase the time it takes them to monetize their attacks, most cybercriminals will abandon the pursuit in favor of weaker targets.

Here are two examples in which businesses can introduce more time into specific steps of the credential stuffing kill chain.