Three Common but Risky Authentication Practices to Avoid

October 10, 2018
Brian Whitaker
Product Marketing Manager

Enterprises may believe they are secure, but some common industry practices make it easier for attackers to break into supposedly protected networks. A single set of stolen credentials is all it takes for a corporate network break-in, and practices such as password-only authentication, SMS or email as a second factor, and password vaulting can put an organization at high risk of breach.

Considering October is National Cyber Security Awareness Month, it’s a good time to ask, do you know if your authentication methods are secure? Here’s a look at the three common but risky authentication practices.


Password-only Authentication
Many websites and applications today still support only single-factor authentication based on passwords. Given how successful attackers have been at acquiring passwords through directory breaches and phishing, this is a very dangerous practice.

Consider: In 2017, 1.4 billion passwords stolen from a variety of sites, including Netflix, LinkedIn, MySpace, the dating site Zoosk, and popular games such as Minecraft and Runescape, were circulating on the dark web. The availability of these credentials is made even riskier by the fact that many users reuse passwords, so one leaked password can compromise additional sites. And in Verizon’s 2018 Data Breach Report, stolen credentials were still the top cause of data breaches. As the report notes:

“The use of default or easily guessable passwords is as en vogue as tight rolling your jeans. Stop it—in fact, passwords regardless of length or complexity are not sufficient on their own. No matter who administers your point of sale (POS) environment (whether in-house or outsourced) they should be required to use two-factor authentication.”

Secure multi-factor authentication (MFA) methods, such as push notifications combined with biometric verification (fingerprint or facial recognition) or authentication through a wearable device, offer strong assurance that your users are who they say they are. The tradeoff in requiring a second factor is user convenience: if it is demanded on every login, it adds friction to the user experience. Adaptive authentication is a way to balance security with convenience. It evaluates user and device context, such as IP address, geolocation and behavior, to identify the risky scenarios in which MFA should be required.

Not all multi-factor authentication methods are equally secure, however, and that leads us to our next topic:


SMS/Email for MFA
Multi-factor authentication is intended to be a high hurdle that ensures a user is who they say they are. Email and SMS as the second factor, however, are often a hurdle that attackers can easily clear. In the case of email, if the user reused the same credentials for the compromised account and their email account, the attacker can simply log in to the mailbox and read the second factor, gaining easy access to the application.

In the case of SMS messages, a fundamental weakness is that phone numbers are not tied to devices. This enables “SIM swapping”, in which an attacker fraudulently takes over a phone number, for example by convincing a low-level phone company employee that the user is switching carriers and needs the number ported, or by directly bribing phone company employees to perform the swap. This is a serious threat and should give IAM professionals second thoughts about using SMS for MFA. As Wired reports in its article “So Hey You Should Stop Using Texts for Two-Factor Authentication”, there are further ways attackers can get at SMS texts, including fake cell towers known as IMSI catchers or "stingrays" that intercept text messages, and weaknesses in telecom signaling protocols that allow calls or text messages to be intercepted.

In fact, the National Institute of Standards and Technology (NIST) marked the use of the Public Switched Telephone Network (PSTN) as restricted in its guidelines and stated: "Verifiers SHOULD consider risk indicators such as device swap, SIM change, number porting, or other abnormal behavior before using the PSTN to deliver an out-of-band authentication secret." Reddit, unfortunately, experienced the risk of SMS-based authentication first-hand when its systems were recently breached. "We learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept," stated its chief technology officer, Christopher Slowe. Reddit has since encouraged users to switch to token-based two-factor authentication.
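The two policy ideas above, adaptive authentication that requires a second factor only when the login context looks risky, and NIST's advice to check device swap, SIM change and number porting before sending a secret over the PSTN, fit naturally into one decision routine. The following is an added example, not Ping Identity or PingID code: it assumes a hypothetical AuthContext that the login service has already gathered (IP country, device recognition, recent failures, and carrier risk indicators), and the scores and thresholds are illustrative policy values, not values from the page.

```python
"""Adaptive step-up policy with PSTN risk gating (constructed example)."""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class AuthContext:
    # All fields are assumed to be collected by a hypothetical login service.
    user: str
    ip_country: str                  # country resolved from the client IP
    home_country: str                # country the user normally signs in from
    known_device: bool               # device cookie / fingerprint seen before
    failed_logins_last_hour: int
    impossible_travel: bool          # location unreachable since the last login
    sim_changed: bool = False        # carrier-reported SIM change on the number
    number_ported: bool = False      # number recently ported to another carrier
    device_swapped: bool = False     # handset behind the number changed
    enrolled_factors: Tuple[str, ...] = ("push", "fido2", "sms", "email")


@dataclass
class Decision:
    outcome: str                     # "password_ok", "mfa_required" or "deny"
    factors: List[str] = field(default_factory=list)   # acceptable second factors, strongest first
    reasons: List[str] = field(default_factory=list)


MFA_THRESHOLD = 30    # at or above this score a second factor is required
HIGH_RISK = 50        # at or above this score SMS and email are not accepted at all
STRENGTH_ORDER = ("fido2", "hard_token", "push", "sms", "email")


def risk_score(ctx: AuthContext) -> int:
    """Additive context score; each signal is cheap to collect server-side."""
    score = 0
    if not ctx.known_device:
        score += 30
    if ctx.ip_country != ctx.home_country:
        score += 20
    if ctx.impossible_travel:
        score += 50
    score += min(ctx.failed_logins_last_hour, 5) * 5    # cap the brute-force weight
    return score


def pstn_risk_indicators(ctx: AuthContext) -> List[str]:
    """The indicators NIST says a verifier SHOULD consider before using the PSTN."""
    flags = (("sim_change", ctx.sim_changed),
             ("number_porting", ctx.number_ported),
             ("device_swap", ctx.device_swapped))
    return [name for name, raised in flags if raised]


def decide(ctx: AuthContext) -> Decision:
    """Map the context to: password suffices, step up with these factors, or deny."""
    score = risk_score(ctx)
    reasons = [f"risk_score={score}"]
    if score < MFA_THRESHOLD:
        return Decision("password_ok", [], reasons)

    factors = [f for f in STRENGTH_ORDER if f in ctx.enrolled_factors]
    indicators = pstn_risk_indicators(ctx)
    if indicators:
        # Do not deliver an out-of-band secret over the PSTN when the number
        # itself looks compromised; the user's other enrolled factors remain usable.
        reasons.append("pstn_restricted:" + ",".join(indicators))
        factors = [f for f in factors if f != "sms"]
    if score >= HIGH_RISK:
        reasons.append("high_risk:sms_email_rejected")
        factors = [f for f in factors if f not in ("sms", "email")]
    if not factors:
        return Decision("deny", [], reasons + ["no_acceptable_factor"])
    return Decision("mfa_required", factors, reasons)


if __name__ == "__main__":
    # Constructed contexts that exercise each branch.
    print(decide(AuthContext("alice", "US", "US", True, 0, False)))
    print(decide(AuthContext("alice", "RO", "US", False, 0, False)))
    print(decide(AuthContext("bob", "US", "US", False, 0, False, sim_changed=True,
                             enrolled_factors=("sms",))))
```

A user who is only enrolled in SMS and whose SIM has just changed ends in "deny" rather than in a text message, which is the point of the NIST guidance: when the number is the only factor and the number looks compromised, the right answer is a different enrollment path, not a weaker check.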


Password Vaulting
Password vaulting is another common but risky way of handling passwords. A vault lets users choose passwords that are harder to remember, but the vault itself becomes a high-value target. This can be seen in the compromises of the password managers OneLogin and LastPass.

Password vaults are clearly not always as secure as their claims would indicate. This was put to the test by a team of security researchers called TeamSIK from the Fraunhofer Institute for Secure Information Technology (SIT) in Darmstadt, Germany. They examined nine of the most popular Android password vaults and found that “the overall results were extremely worrying and revealed that password manager applications, despite their claims, do not provide enough protection mechanisms for the stored passwords and credentials. Instead, they abuse the users' confidence and expose them to high risks.”

In alignment with these findings, Gartner, in their 2018 Magic Quadrant for Access Management report, recommends against using password vaults “unless the customer is willing to accept the associated risks of potential password compromise.” Gartner recommends that “standards-based federation should be used instead, whenever possible”.

This is why it is critical to use an identity and access management (IAM) solution that supports the current federation standards such as SAML, OAuth 2.0, OpenID Connect, and WS-Federation. With these standards the application never receives the user's password at all; it receives a signed assertion of identity attributes from the identity provider, which is what makes their delivery secure and enables a wide range of use cases.
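To make concrete what "standards-based federation instead of a vault" means for the application, here is an added example of the relying-party side of OpenID Connect. It is not Ping Identity or PingFederate code: the identity provider signs an ID token (a JWT), and the application verifies the signature and the issuer, audience, expiry and nonce claims before trusting the identity attributes inside, so it never handles or stores the user's password. So that the example runs offline, the token is HS256-signed with a constructed shared secret, and the issuer, client ID and claims are constructed; real identity providers normally publish asymmetric keys, and the same checks apply.

```python
"""Relying-party verification of a federated ID token (constructed example)."""
import base64
import hashlib
import hmac
import json
import time
from typing import Any, Dict

# Constructed values standing in for a real deployment's configuration.
SAMPLE_KEY = b"constructed-client-secret-do-not-reuse"
ISSUER = "https://idp.example/"
CLIENT_ID = "app-client-id"


class TokenError(Exception):
    """Raised for any token the relying party must reject."""


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def compact_json(obj: Dict[str, Any]) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


def issue_id_token(key: bytes, claims: Dict[str, Any], alg: str = "HS256") -> str:
    """Identity-provider side (a stand-in for the real IdP): sign header.payload."""
    signing_input = (b64url_encode(compact_json({"alg": alg, "typ": "JWT"}))
                     + "." + b64url_encode(compact_json(claims)))
    if alg == "none":    # only here to build an unsigned token for a negative test
        return signing_input + "."
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_id_token(token: str, key: bytes, issuer: str = ISSUER,
                    audience: str = CLIENT_ID, nonce: str = None,
                    now: float = None) -> Dict[str, Any]:
    """Relying-party side: each check is one the application must do before trusting claims."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    head_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(head_b64))
    # Pin the algorithm: the token must never choose it, so "alg":"none" fails here.
    if header.get("alg") != "HS256":
        raise TokenError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{head_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise TokenError("signature check failed")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise TokenError("issuer mismatch")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("token was not issued for this client")
    if now >= float(claims.get("exp", 0)):
        raise TokenError("token expired")
    if now < float(claims.get("nbf", 0)):
        raise TokenError("token not yet valid")
    if nonce is not None and claims.get("nonce") != nonce:
        raise TokenError("nonce mismatch (replayed or cross-session token)")
    return claims


def sample_claims(iat: int = 1_700_000_000) -> Dict[str, Any]:
    """Constructed claim set of the kind an IdP places in an ID token."""
    return {"iss": ISSUER, "sub": "alice", "aud": CLIENT_ID, "iat": iat,
            "exp": iat + 3600, "nonce": "n-0001", "email": "alice@example.test"}


if __name__ == "__main__":
    tok = issue_id_token(SAMPLE_KEY, sample_claims())
    print(verify_id_token(tok, SAMPLE_KEY, nonce="n-0001", now=1_700_000_100)["sub"])
```

The nonce binds the token to the browser session that started the login, and the audience check stops a token minted for one application from being replayed against another; both are checks the application has to perform itself, because the signature alone only proves who issued the token.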


The Solution: Modern Identity and Access Management
Password hacking could be easily mitigated by forgoing the practices mentioned above and instead using a modern identity and access management (IAM) solution. Modern IAM, built on open standards for maximum interoperability and extensibility, enables you to achieve better security and compliance while delivering a superior user experience.

Modern IAM also helps you avoid risky authentication methods by enabling you to follow these best practices:

  1. Don't use passwords as your only authentication factor; require MFA instead.
  2. When you require MFA, prefer push notifications, hard tokens, or other methods more secure than SMS or email.
  3. Don't put your users' passwords in the crosshairs of attackers by storing them in a password vault.

These are common practices we see all too often, and avoiding them can drastically reduce your risk of breach.


Ping Identity offers a complete standards-based platform that securely connects customers, employees, and partners to their cloud, mobile, SaaS and on-premises applications, greatly reducing the risk of stolen passwords.

Learn more about how you can stop using password vaults and instead use federated single sign-on (SSO) by utilizing PingFederate and switch from using password-only authentication to secure MFA with PingID.