Authentication & MFA Archives | Page 2 of 2

Is Social Login a Secure Login?

Social login is a form of single sign-on, where users are allowed to log into an application or website using one of their existing social media account credentials. A social login, therefore, eliminates the need for users to register on yet another online platform – saving them the need to remember yet another set of credentials.

If you are a business, you may have noticed that a social login option on your online platform has had a positive effect on the number of registrations you receive. If you are an individual user, you may have found the option to either “Sign up” or “Login with Facebook/Google” and felt relieved that you were able to access the platform in just a few seconds by choosing the latter. But have you ever thought of how secure this method of login really is?

Let us look at the various aspects that affect the security of social login.

Social networks invest more on security

Social login is, by and large, considered to be a secure login method. This is because social media platforms including Google and Facebook are huge, powerful corporations in the online world with more potential than the original business (to whose website/application you are logging into) to set up strong security measures.

One compromised credential = multiple compromised accounts

On the other hand, if a hacker does manage to crack the social account – either due to a weak password or through a brute-force attack, this puts not only a user’s social media profile under threat but all of the applications and websites in which the user has used a social login option. The problem is only made worse with advanced threats like credential stuffing.

Similarly, if an individual’s phone is stolen and unlocked, with a Facebook or Google account that is still logged in, more than just one account is again compromised.

Third-party tracking scripts continue to threaten

Research conducted by Princeton’s Center for Information Technology Policy revealed that, when you log in to a website or application using social login, a third party might be able to place tracking scripts on the website or application. These tracking scripts have the ability to steal information that you have shared with the website or application during the social login – and sometimes even more than just that!

Although Facebook has announced, post publication of this study, that it would address this loophole in their universal login API, experts say that the issue may be deeper and more complicated than that. It is a harsh reality that a number of companies today create software and tracking tools that can be used to scoop, steal and sell information from such platforms.

So, what is the solution?

While the ease and convenience of social login is undeniable, it is also becoming increasingly difficult to ignore the potential threats of using such a feature. The next time you are thinking about a social login, keep these points in mind:

Enable multi-factor authentication and risk-based adaptive authentication features that are provided by your social media network. A number of social network providers have set up these built-in security enhancement features, but they may not be enabled by default. Make sure to check your account/privacy settings and make the appropriate changes. This way, an additional layer of security will back you up even in case that your username/password are compromised.

Check what permissions are being asked of you by the website or application that you are registering to using a social login. There will be a request to access your name, public profile and a few other details sometimes. Provide only information that you think is relevant to the site and deny all others. It might also help if you go back to your social media account and check what all is part of your public profile, and change those settings in order to limit the information you are allowing someone else to access.

Use the social login feature selectively. If you are wary of a website or application, or if you are sure you will not be using it too ofteis n (and hence will not need a quick login method), then avoid logging in to them using your social media credentials. We suggest creating an email ID only for such occasional-use sign ups and using that to register instead.

If you are a business offering social login, you could offer your users with more security by integrating your application or service with an identity and access management solution (IAM) like Akku which comes with advanced features like multi-factor authentication, location-based restrictions, and suspicious login prevention. We also recommend that you speak to a cloud specialist on other cloud security measures that you can implement.

The Key to Data Security: WebAuthn

What is WebAuthn?

WebAuthn (Web Authentication API) is a global standard specification for secure authentication on the Web, formulated in 2018 by the World Wide Web Consortium (W3C).

This browser-based API allows user authentication on web applications through the creation of strong “credentials” and user-agent-mediated access to authenticators. This could be either in the form of hardware tokens (like U2F security keys) or in-built modules (biometric readers like Google Hello, Apple Touch ID) in the platform. Web Authn has garnered the support of all leading browsers like Chrome, Firefox, and Edge, and is compatible with all leading platforms.

How does WebAuthn Work?

With WebAuthn, a relying party (such as web service) can integrate a strong layer of authentication into applications with a choice of authenticators. It replaces the need for a password with the generation of a private-public key pair (credential) created for a website. While the private key is stored on the user’s device, the public key is generated randomly and shared with the server. The server then uses the public key to confirm the user’s identity.

The following steps are involved in WebAuthn:

The user opens a website using their device
On the request of the web service (replying party) through the Credential Manager API, the browser generates a new credential, specifying the user’s device capabilities.
During the registration process, the user is offered multiple authentication options. This may vary from external authenticators to biometric authenticators like fingerprint analysis or facial recognition.
Choosing any of the authenticators offered, the user completes the registration process.
The authenticator generates a key pair (a public and a private key) – the public key is forwarded to the server, the private key is stored in the user’s device

Why use WebAuthn?

The public key and private key, both need to be used in conjunction. Therefore, by eliminating the need for a “secret” such as a password, WebAuthn drastically improves data security and prevents data breaches. Even if the public key is hacked, it will not function without the private key – which is stored in the user’s device – and becomes useless.

These are some of the scenarios in which WebAuthn can be useful:

Setting up two-factor authentication (with or without passwords) that is resistant to friction and phishing
Using biometric authorization that eliminates the need for passwords
Recovering lost or stolen devices and bootstrapping of new devices

Find out how you can improve data security and prevent data breaches with Akku. Get in touch with us for a free demo today!

Beware of Credential Stuffing

In recent times, you might have noticed user accounts being compromised by the millions, and yet companies refute these claims saying that their systems are secure and have not been attacked. In these cases, the companies are right – instead of a direct attack, the hackers may have performed an attack called ‘credential stuffing’. In this type of attack, hackers get their hands on usernames and passwords of one application or service and stuff the same credentials on another login for another digital provider.

For example, if you have used the same user ID and password for creating your Facebook and Twitter accounts, a hacker who has access to your Facebook user id and password can use the same for getting into your Twitter account. This does not mean that Twitter’s systems are faulty. It simply means that your credentials have been stuffed. Credential stuffing attacks use code injection techniques to test the credentials against multiple accounts like social media, online marketplaces, and bank accounts. Once access is gained, the hacker can get access to personal information, credit card information and other personally verifiable information.

In recent times, this type of attack has gained popularity due to the fact that most users use the same user ID and password for multiple accounts. The situation right now is precarious for most online users – a recent breach of breaches has given hackers access to a whopping 2.2 billion user IDs and passwords. It is called a ‘breach of breaches’ because a few hackers hacked into millions of Dropbox and LinkedIn accounts and compiled a list of plain text credentials. However, another team of hackers hacked into this list to compile an even bigger list of stolen credentials.

If you have built enterprise applications, how sure can you be that your users have created different passwords for all your applications? There is no way for you to know for sure. However, you could put in place a password policy which prevents them from using the same password for all the applications in your network.

Akku from CloudNow Technologies allows you to set custom password policies to help you standardize the passwords set by your users. You can also leverage it to prevent the setting of the same passwords. To know more, get in touch with us now.

To Implement or Ignore: MFA for Custom Apps & Websites

Multi-factor authentication (MFA) is one of the most highly recommended security measures in this age of brute-force attacks, data breaches and other such cyber attacks. And while some off-the-shelf SaaS applications may already come with a built-in MFA feature, when it comes to a custom-built application or website, businesses have to make the tough decision between reinforced security and the high cost at which it comes.

Continue reading To Implement or Ignore: MFA for Custom Apps & Websites

The Problem with SMS-based Authentication

As mobile phones became more sophisticated, their usage shifted from being communication oriented to application oriented. But phone numbers were never intended to be used as secure identifiers – their purpose is to simply act as subscriber identifiers during call routing. When applications use phone numbers in their login processes, it can give attackers and hackers an advantage.

Here are a few ways in which your OTP can be intercepted by hackers:

Man in the Middle attack

This is a type of eavesdropping attack in which a hacker places himself as a proxy or relay between the OTP sender and receiver. For the sender and receiver, the communication will seem like it is happening only between those two, whereas it is actually passing through an impersonator. Black hat hackers often hack into financial websites and place high-level codes which will allow them to intercept messages between banks and users, making it convenient for him/her to access an account.

Malware attack

Ready-to-download malware which can easily hack into a user’s mobile devices are available online. In addition to grabbing your SMS content, these can also access other areas of your phone like your gallery and directory to extract more personal information. In fact, a few of these malware are disguised as mobile applications like fitness trackers, timers, alarm clocks, etc.

SIM cloning attack

Investigative agencies use SIM cloning attacks to monitor and track suspects. However, SIM cloning modules are easy to find and purchase by anyone if they look hard enough. Using this, a user is cut off from his/her mobile network and calls and messages are redirected to the new SIM in the attacker’s phone. To carry out a SIM cloning attack, the SIM being cloned has to be of the GSM type.

SMS-C hack attack

All messages are required to pass to SMS-C servers placed in a mobile service provider’s network. Only after being processed by the SMS-C servers is the message transmitted to a mobile phone. If hackers manage to hack SMS-C servers, they can very easily gain access to all the messages entering and exiting the network. SMS-C servers are often protected by high-end security solutions which are hard to break through. However, it is not impossible.

Brute force attack

In brute force attacks, any and all combinations of numbers are tried to get the right OTP. If the number of entries is limited, brute force attacks can become ineffective in gaining access to an account, simply due to the number of combinations available. It also helps if the OTP is 6 digits instead of 4 digits as the combinations required to successfully execute a brute force attack increases by a factor of 100. Due to such a poor success rate, brute force attacks are not preferred by hackers.

For organizations, there is no reliable way of finding if your employees’ numbers have been compromised. To ensure that your network is secure, we suggest looking for a less-risky option for authenticating your users. You could go for an improved multi-factor authentication method like using the biometrics of a person to verify his/her identity. While there are more sophisticated attacks which can hack a biometric authentication system, it would be almost impossible to recreate a person’s thumbprint or retina blood pattern.

With Akku from CloudNow Technologies, you can easily create a fool-proof identity and access management system by integrating multi-factor authentication using biometric scanners in your login process. To make a significant improvement to your network security by enforcing biometric multi-factor authentication, get in touch with us now.

Why is multi-factor authentication indispensable?

Ever heard of the butterfly theory? A single flap of a butterfly’s wings in Australia has the potential to cause a tsunami in Indonesia. Similarly, a minor tweak in your IT infrastructure has the potential to make every node of your network vulnerable to serious attacks, irrespective of their relationship. To ensure that network security remains as streamlined as possible through any number of changes to your IT systems, it is crucial to add a virtually unhackable component to your network security.

Continue reading Why is multi-factor authentication indispensable?

Password Managers can be Hacked. Now What?

On average, every person has 7.6 accounts – that’s a lot of user IDs and passwords for an individual! Remembering the user ID and password for all these accounts is obviously very cumbersome, and third party service providers have capitalized on this to provide password management services. A password manager is essentially a single repository for all your credentials. Two very popular password managers are LastPass and Dashlane. These are applications which will store your credentials in a “secure” database. However, they haven’t been spared by hackers, who breached their security to get access to thousands of user credentials.

Continue reading Password Managers can be Hacked. Now What?