Attacks and account take-overs like the recent Twitter hack are completely avoidable. Enterprises must implement biometric multi-factor authentication to ensure that only the right users have access to the right systems at all times. If they don’t, users will continue being vulnerable to hacks and scams.
“A New York Times report that has yet to be confirmed by Twitter said that hackers breached employee Slack accounts and found credentials for the Twitter backend pinned inside a Slack channel,” — ZDNet
The hackers responsible for last week’s attack were able to breach Twitter’s backend systems by stealing credentials from within the social media platform’s private employee Slack channel. Once inside Twitter’s systems, the attackers were then free to take over at least 103 accounts and download the personal data of at least 8 accounts.
In light of this unprecedented attack, we have to ask ourselves some serious questions — what were login credentials doing on the public Slack channel in the first place? Why were they posted there publicly for ease of access? How did the hackers get access to Twitter’s slack? Were those credentials phished out of an employee in an advanced social engineering attack?
If there’s one thing that’s certain, it’s that passwords are inherently insecure, and failing us. Despite the known security risks, even the world’s biggest companies still struggle with enforcing proper password hygiene.
Why then, are companies like Twitter still using passwords as a means of accessing their backend systems, when biometric multi-factor authentication solutions for the workforce are on the market?
To avoid disastrous hacks and breaches, companies must immediately stop using passwords to authenticate employees and start embracing biometric multi-factor authentication as a weapon to permanently end hacks caused by compromised credentials.
Biometric multi-factor authentication can help secure corporate systems by removing human error from the equation altogether. Unlike passwords, biometrics can’t be easily stolen, faked, or phished. Biometrics also can’t be shared between multiple users, written down and published online, or forgotten.
If Twitter (and Slack) were using biometric multi-factor authentication, the entire attack could have been foiled — saving Twitter and Slack their respective reputations, and Twitter’s users hundreds of thousands of dollars.
Biometric multi-factor authentication solutions allow for seamless and secure authentication that is minimally disruptive to workflow and the user-experience. This means biometric MFA can be used to set stringent access controls for users, ensuring that only the right people have access to the right systems at the right time.
In last week’s attack, once the hacker gained access to Twitter’s systems via the compromised credentials found on the company’s Slack channel, they were then free to move through the network until they found a way to hack the accounts of prolific users.
The hacker’s ability to move through the network indicates that Twitter wasn’t using MFA to secure employee access at multiple entry points to its corporate systems.
Access controls ensure that lower-level employees aren’t able to move through a network, meaning that if a single set of login credentials are compromised, a hacker can’t then use them to freely move within a network until they find sensitive and private data.
Having biometric MFA checks at each access point in Twitter’s system would have prevented the attacker from moving laterally through Twitter’s network, which would have stopped them from breaching multiple systems.
“Twitter said hackers got “through” their two-factor protections but did not specify if it referred to the backend accounts or the Slack accounts.” — ZDNet
Why didn’t Twitter’s two-factor authentication stop the attack?
The short answer is obvious: Twitter’s 2FA solution still relies on passwords — which are inherently insecure.
Twitter uses 2FA solutions that combine passwords (something only the user should know) and one-time codes (sent to either the user’s phone via SMS or push or the user’ email address — which only the user should have access to) to authenticate its users.
The problem with 2FA solutions that partly depend on passwords is that one half of the entire solution is unreliable. If a password is compromised or shared willingly between people (as was the case with credentials being pinned in Twitter’s Slack), all a bad-actor then needs to do is compromise the user’s device or email accounts to bypass 2FA. Unfortunately, this is easily done if the user’s passwords for these accounts have also been compromised.
One-time codes (the second half of 2FA solutions) sent via text or email have their own security risks; if an email account or phone number has been compromised without the victim’s knowledge, then bypassing the 2FA security becomes entirely possible.
Biometric multi-factor authentication solutions depend on the user proving who they are via their unique biometrics (something that can’t be easily stolen or faked), and via proof that they have their registered device (by only logging into accounts from these devices). With biometric MFA, the reliably strong methods for authenticating users are fundamentally more secure than 2FA solutions that depend on inherently insecure authentication methods.
While biometrics remove human error from the cybersecurity equation, they aren’t necessarily immune to being hacked — that’s why it’s critical that biometric multi-factor authentication solutions are also privacy-enhancing.
At Keyless, we combine multi-modal biometrics with privacy-enhancing technology to provide a passwordless, secure, and privacy-enhancing authentication solution. Our multi-factor solution can be implemented at every access point, ensuring that only the right users have the right access at the right time.
“Designed with privacy in mind”
By providing a secure, frictionless way to establish access controls at multiple entry-points, Keyless prevents unauthorized movement through a company’s private systems. This protects from threats like the Twitter hack, where an unauthorized user wreaked havoc simply by stumbling upon a set of compromised credentials.
Keyless uses privacy-enhancing technology to transform biometric data so that it never represents personally identifiable information. This is done via a one-way encryption function. The transformed data is then split into fragments and stored on different servers (nodes) in the Keyless Cloud Network (instead of on the user’s device). This means that even if one (or all) of the nodes are compromised, a user’s personal information is never at risk of being compromised.
Keyless uses secure multiparty computation — a privacy-enhancing technology — that allows multiple nodes in our network to authenticate users without needing to view the raw components of the data.
To protect end-users and organizations against fraudulent takeovers, Keyless leverages advanced liveness detection and anti-spoofing techniques, in addition to the built-in multi-factor security. This allows Keyless to ensure that only the real user gains access to private accounts.
At Keyless, we believe biometrics are the answer for solving the key challenges that have arisen in cybersecurity, which ultimately led to the Twitter hack last week.
Biometric multi-factor authentication allows us to close the gap between security, privacy, and convenience. By leveraging biometric solutions, organizations can offer both a seamless authentication experience and powerful security. Thereby putting a permanent stop to hacks and threats caused by compromised or weak credentials.
If companies want to avoid future large-scale attacks and hacks like last week’s Twitter hack, then they should immediately be looking to ditch passwords for good. It’s time for enterprises and technology companies to embrace passwordless authentication to secure corporate systems, implement access controls, and protect their users.
If they don’t, they’ll leave themselves and their users vulnerable to financial scams, privacy breaches, fraud, and identity theft.
Originally published by Keyless on medium.com/KeylessTech.