For too long, the email-password duo has been our digital keychain. But there's a catch: email is a hacker's paradise. A crafty fake login page, and bam! Your password's gone. Considering we interact with our emails countless times daily, the odds of slipping up are not in our favor.
In the last couple of years, you've likely encountered a surge in passwordless sign-in. Be it a magic link or a one-time code zapped to your inbox, these alternatives promise a no-password nirvana. And sure, waving goodbye to your password manager sounds great until you're waiting on that email to log in. As someone who leans on 1Password for a swift entry, this waiting game feels like a step back.
Let's face it, emails are a mixed bag:
But how secure is your inbox? Even with MFA (Multi-Factor Authentication), are you sure you're the only one reading your emails? Today's mailboxes, especially in businesses, are intertwined with a plethora of cloud services and apps, like CRMs or calendars, that have direct access to your mailbox to read and send email.
Phishing and social engineering are rampant, with a staggering 3 billion phishing emails dispatched daily. According to the Swiss Cyber Institute, 1.5 million new phishing websites are created every month! Those websites are all fake authentication portals, imitating either major cloud services such as Microsoft, Google or Salesforce, or a specific enterprise authentication page crafted for the campaign.
It's the elephant in the room we can't ignore. Once someone infiltrates your email, the dominoes fall swiftly:
MFA's introduction was a game-changer, making account breaches a tougher nut to crack. Yet, it's not foolproof. Tactics like SIM swapping and relentless push notification spam have found their way around it. And if malware has compromised your device, consider it game over.
MFA comes in various flavors, from U2F codes to mobile app confirmations and hardware keys like YubiKeys. While the security is robust, the user experience often leaves much to be desired, making it a chore for many to set up and use.
Passkeys are reshaping web authentication, harnessing WebAuthn/FIDO2 credentials to offer a streamlined, secure login method. By leveraging the Web Authentication API, browsers can now utilize a secure element to manage passkeys.
Traditionally, 2FA involves "something you know" (like a password) and "something you have" (a token or code). Passkeys aim to consolidate these steps with a cryptographic key, blending "something you have" with "something you do" (biometric verification). However, this fusion has sparked debate over whether it truly counts as two-factor authentication since it merges the authentication process into a single step.
Despite the controversy, industry leaders like Auth0 are backing passkeys for their security leap, suggesting that 2FA could be skipped if sign-in is done with passkey.
Adopting passkey authentication might seem like you've hit cybersecurity gold, shielding your users from keyloggers and password manager breaches (hello 👋 LastPass). But what about account recovery? If access to that email is still possible, you're back to square one.
Imagine exploiting a vulnerability in a popular app, like a CRM, that is connected to your mailbox. Hijacking accounts would then be alarmingly simple. This highlights why email shouldn't be the go-to for account recovery, despite its ubiquity in user communication.
To circumvent this, platforms implementing 2FA now offer backup codes for account recovery, sidestepping the need to rely solely on email. It's crucial to let users set up multiple second factors, ensuring they're never locked out of their accounts.
While email remains a standard communication tool, its reliability as a security factor is questionable. This is the gap that Ory authentication aims to bridge.
Where most authentication providers rely only on a password reset via an email confirmation link, Ory provides a way to enforce the account reset by requiring the recovery code first.
I'll delve more into Ory authentication in an upcoming post. Stay tuned, and let's navigate the evolving landscape of digital security together.