
Identity-related attacks & identity protection

At first glance, identity protection seems like a topic that has already been thoroughly covered. Nevertheless, recent statistics and security reports consistently show that identity-related attacks remain among the greatest risks facing businesses.

Cybersecurity in Europe & Germany

In Europe alone, nearly 60% of all identified security incidents begin with compromised cloud accounts. Once inside, attackers move laterally through the environment and harvest credentials for privileged accounts with extensive permissions in order to reach the crown jewels of the infrastructure.

Protection against identity theft is comparatively easy to implement within an Identity & Access Management program. Nevertheless, only about 65% of German companies use multi-factor authentication (MFA), and only about 20% have reached an optimized maturity level for digital identity management. At the same time, nearly 70% of large enterprises rate their own maturity as advanced or higher. Is that a misjudgment, given that roughly 60% of incidents start with a compromised account?

Background

In the cloud era, identity is the security perimeter, even if, admittedly, this boundary is no longer new. Many companies still think too much in terms of demilitarized zones (DMZs) surrounded by firewalls. Since the onset of the COVID-19 pandemic at the latest, however, far more employees work from home, and they often access cloud services directly rather than through a VPN into the on-premises security stack. That makes it all the more important to scrutinize the digital identity at the moment of authentication and authorization, because the network location no longer says anything about who is connecting.

Identity Protection Trends - Passwordless

These trends go beyond classic MFA layered on top of a password. Passwordless logins lead the way: they make signing in easier for employees and relieve the user help desk of password-reset requests.

How do passkeys contribute to protection?

Phishing protection: Passkeys use public-key cryptography. The private key remains on the user's device and is never shared; only the public key is sent to the service at registration. The key pair is bound to the origin of the service it was registered for, and the browser or platform will not use it to sign a login challenge for any other domain. A look-alike phishing site therefore cannot trigger a usable login, which is what makes passkeys phishing-resistant rather than merely phishing-aware.

No password reuse: A separate key pair is generated for each service, so there is nothing that could be reused across websites. This is a common problem with traditional passwords, where one stolen credential leads to takeovers of several accounts through credential stuffing.

No central password storage: Service providers do not store passwords, only public keys, which are useless without the corresponding private keys. Even if a service provider is breached, attackers obtain nothing that lets them log in as the user. (Other personal data held by the provider can of course still leak.)

Local authentication: The user is verified locally on the device (biometric or PIN), and the device signs a one-time challenge issued by the service. Only that signature travels over the network; it is worthless to an eavesdropper because it cannot be replayed for a different challenge and the private key never leaves the device.

Multi-factor authentication (MFA): Passkeys can serve as a form of multi-factor authentication by combining something the user has (the device on which the private key is stored) with something the user is (biometrics) or something the user knows (a PIN).

How can FIDO help protect users?

Physical security keys: FIDO also uses public-key cryptography. Besides platform authenticators built into laptops and phones, it supports roaming hardware security keys (e.g., YubiKey), some of which verify the user by fingerprint, others by PIN. Attacks on FIDO are extremely difficult to carry out: no passwords are used, the private key used to sign the authentication challenge stays on the authenticator, and using it requires user presence and, where configured, biometric or PIN verification. The biometric match itself happens on the authenticator; the template is never sent to a server. Solutions that instead ship biometric data to third-party servers enlarge the attack surface.
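The passkey properties listed above (origin binding, per-site key pairs, challenge signing) and the FIDO mechanism described here are the same WebAuthn ceremony seen from two sides. The following Go program is an added example, not code from the original page: it models a passkey as a P-256 key pair and performs the relying-party checks on an ES256 assertion (challenge, origin, rpIdHash, user-presence/verification flags, sign counter, signature). The authenticator here is deliberately permissive and will sign whatever origin the "browser" reports, so that the server-side origin check is exercised; a real browser refuses earlier, because the credential's rpId is not a registrable suffix of the look-alike origin. Domain names, the 0x05 flag byte layout, and the three scenarios are assumptions for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData holds the clientDataJSON fields a relying party must check.
// The browser fills in origin and challenge; page scripts cannot alter them.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// authenticator stands in for a passkey: one P-256 key pair registered for one rpId.
type authenticator struct {
	rpID    string
	key     *ecdsa.PrivateKey
	counter uint32
}

func newAuthenticator(rpID string) (*authenticator, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &authenticator{rpID: rpID, key: key}, nil
}

// signedMessage is what ES256 signs in WebAuthn: authenticatorData || sha256(clientDataJSON).
func signedMessage(authData, cdj []byte) []byte {
	cdHash := sha256.Sum256(cdj)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return msg[:]
}

// assert builds authenticatorData = sha256(rpId) || flags || signCount, the
// clientDataJSON for the origin the browser reports, and the signature over both.
func (a *authenticator) assert(challenge []byte, origin string) (authData, cdj, sig []byte, err error) {
	a.counter++
	rpHash := sha256.Sum256([]byte(a.rpID))
	authData = append(authData, rpHash[:]...)
	authData = append(authData, 0x05) // flags: UP (bit 0) and UV (bit 2) set
	var cnt [4]byte
	binary.BigEndian.PutUint32(cnt[:], a.counter)
	authData = append(authData, cnt[:]...)
	cdj, err = json.Marshal(clientData{Type: "webauthn.get",
		Challenge: base64.RawURLEncoding.EncodeToString(challenge), Origin: origin})
	if err != nil {
		return nil, nil, nil, err
	}
	sig, err = ecdsa.SignASN1(rand.Reader, a.key, signedMessage(authData, cdj))
	return authData, cdj, sig, err
}

// relyingParty is the server: it stores the public key and the last seen sign counter.
type relyingParty struct {
	rpID, origin string
	pub          *ecdsa.PublicKey
	lastCounter  uint32
}

// verify performs the checks that make passkeys phishing- and replay-resistant.
func (rp *relyingParty) verify(expected, authData, cdj, sig []byte) error {
	var cd clientData
	if err := json.Unmarshal(cdj, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" {
		return errors.New("wrong ceremony type")
	}
	if cd.Challenge != base64.RawURLEncoding.EncodeToString(expected) {
		return errors.New("challenge mismatch: stale or replayed assertion")
	}
	if cd.Origin != rp.origin {
		return fmt.Errorf("origin %q is not %q: relayed from a look-alike site", cd.Origin, rp.origin)
	}
	if len(authData) < 37 {
		return errors.New("authenticatorData too short")
	}
	rpHash := sha256.Sum256([]byte(rp.rpID))
	if !bytes.Equal(authData[:32], rpHash[:]) {
		return errors.New("rpIdHash mismatch: credential belongs to another site")
	}
	if authData[32]&0x05 != 0x05 {
		return errors.New("user presence/verification flags not set")
	}
	counter := binary.BigEndian.Uint32(authData[33:37])
	if counter != 0 && counter <= rp.lastCounter { // 0 means the authenticator has no counter
		return errors.New("sign counter did not increase: cloned authenticator or replay")
	}
	if !ecdsa.VerifyASN1(rp.pub, signedMessage(authData, cdj), sig) {
		return errors.New("bad signature")
	}
	rp.lastCounter = counter
	return nil
}

func newChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

// simulate returns the outcome of a genuine login, a phished assertion and a replay.
func simulate() (genuine, phished, replayed error) {
	auth, err := newAuthenticator("example.com")
	if err != nil {
		return err, err, err
	}
	rp := &relyingParty{rpID: "example.com", origin: "https://login.example.com", pub: &auth.key.PublicKey}
	ch1 := newChallenge()
	ad1, cd1, sig1, _ := auth.assert(ch1, "https://login.example.com")
	genuine = rp.verify(ch1, ad1, cd1, sig1)
	// A look-alike site relays the real server's challenge to the victim; the victim's
	// browser signs it but records the look-alike origin, which the server rejects.
	ch2 := newChallenge()
	ad2, cd2, sig2, _ := auth.assert(ch2, "https://login.example.com.evil.test")
	phished = rp.verify(ch2, ad2, cd2, sig2)
	// An attacker who captured the first assertion resubmits it for a fresh challenge.
	replayed = rp.verify(newChallenge(), ad1, cd1, sig1)
	return genuine, phished, replayed
}

func main() {
	g, p, r := simulate()
	fmt.Println("genuine:", g, "| phished:", p, "| replayed:", r)
}
```

The order of the checks matters in practice: the origin and challenge comparisons are cheap and reject the two attack cases before any signature work, and the signature is verified only after the rpIdHash confirms the credential belongs to this site.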

How does biometric authentication work?

Physical characteristics: Biometric methods are now standard and offer the enormous advantage that users authenticate with something they always carry. However, fingerprint, facial, or iris scans are only as secure as the employee's control over those characteristics; we are all familiar with the crime-film scene in which the perpetrator unlocks the victim's phone with the victim's own finger or face. Biometrics also have a decisive disadvantage: a template of the characteristic must be stored permanently, which raises data protection concerns, and unlike a password it cannot be changed. Once that data is compromised, the gates are wide open. This is why it matters where the template lives: on the user's device or authenticator, where it never leaves (as with passkeys and FIDO), or in a central database that becomes a high-value target.

Software tokens on mobile devices

Authenticator apps: One-time passwords (OTPs) are increasingly delivered by authenticator apps on mobile devices and offer a quick-to-use additional authentication factor. Time-based OTPs (TOTP, RFC 6238) are derived from a shared secret and the current 30-second time step, so the app needs no network connection. Two caveats apply. The secret is shared with the server, so a breach of the server's MFA database lets attackers generate valid codes. And a code is valid for anyone who presents it within its window, so a phishing site that asks the victim for the current code and forwards it immediately still gets in; TOTP raises the bar against stolen passwords but, unlike passkeys, is not phishing-resistant.

Other methods for identity protection

Adaptive Authentication: This is not a standalone method but an adaptive, risk-based extension of an anomaly-detection approach. The risk of each login is scored from several factors and contextual signals evaluated in real time, for example the location, time of day, network, and whether the device is already known. Depending on the score, the login is allowed, the user is challenged with an additional, stronger factor, or authentication is denied outright. The individual signals should be kept in the log, so that an analyst can later see why a decision was made.
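As an added example (not code from the original page), the Go program below implements the decision logic just described: each login event is scored from context signals (unknown device, foreign country, impossible travel, unusual hour, anonymizing network), the signals are retained for logging, and thresholds map the score to allow, step-up, or deny. The user profile, the three login events, and all weights and thresholds are constructed assumptions for the demonstration; a real deployment would tune them from its own baseline and update the profile after every login.

```go
package main

import (
	"fmt"
	"time"
)

// loginEvent is the context available at authentication time.
type loginEvent struct {
	User     string
	DeviceID string
	Country  string
	Network  string // "corporate", "residential", "tor", "hosting"
	At       time.Time
}

// userProfile is what the service has learned from the user's past logins.
type userProfile struct {
	KnownDevices map[string]bool
	HomeCountry  string
	LastCountry  string
	LastLogin    time.Time
	WorkHours    [2]int // local hours considered normal, here 7..20
}

type outcome string

const (
	allow  outcome = "allow"
	stepUp outcome = "step-up" // require an additional, stronger factor
	deny   outcome = "deny"
)

// riskSignal is one contributing factor; keeping them separate makes the decision explainable.
type riskSignal struct {
	Name   string
	Weight int
}

// assess scores a login from its context. Weights are illustrative assumptions.
func assess(p userProfile, e loginEvent) (score int, signals []riskSignal) {
	add := func(name string, w int) {
		score += w
		signals = append(signals, riskSignal{Name: name, Weight: w})
	}
	if !p.KnownDevices[e.DeviceID] {
		add("unknown device", 30)
	}
	if e.Country != p.HomeCountry {
		add("login outside home country", 20)
	}
	// Impossible travel: a different country than the previous login, less than two hours later.
	if p.LastCountry != "" && e.Country != p.LastCountry && e.At.Sub(p.LastLogin) < 2*time.Hour {
		add("impossible travel", 50)
	}
	if h := e.At.Hour(); h < p.WorkHours[0] || h >= p.WorkHours[1] {
		add("outside usual hours", 10)
	}
	switch e.Network {
	case "tor", "hosting":
		add("anonymizing or datacenter network", 40)
	}
	return score, signals
}

// decide maps the score to an action; thresholds are illustrative assumptions.
func decide(score int) outcome {
	switch {
	case score >= 70:
		return deny
	case score >= 30:
		return stepUp
	default:
		return allow
	}
}

// evaluate returns the outcome, the score, and the signals behind it for one event.
func evaluate(p userProfile, e loginEvent) (outcome, int, []riskSignal) {
	s, sig := assess(p, e)
	return decide(s), s, sig
}

// sampleProfile and sampleEvents are constructed data for the demonstration.
func sampleProfile() userProfile {
	return userProfile{
		KnownDevices: map[string]bool{"laptop-4711": true},
		HomeCountry:  "DE",
		LastCountry:  "DE",
		LastLogin:    time.Date(2024, 3, 4, 9, 0, 0, 0, time.UTC),
		WorkHours:    [2]int{7, 20},
	}
}

func sampleEvents() []loginEvent {
	return []loginEvent{
		{"alice", "laptop-4711", "DE", "corporate", time.Date(2024, 3, 4, 9, 30, 0, 0, time.UTC)}, // routine
		{"alice", "phone-new", "DE", "residential", time.Date(2024, 3, 4, 10, 0, 0, 0, time.UTC)}, // new phone
		{"alice", "unknown-9", "BR", "tor", time.Date(2024, 3, 4, 10, 15, 0, 0, time.UTC)},        // attacker
	}
}

func main() {
	p := sampleProfile()
	for _, e := range sampleEvents() {
		o, s, sig := evaluate(p, e)
		fmt.Printf("%s from %s/%s via %s: score %d -> %s %v\n", e.User, e.DeviceID, e.Country, e.Network, s, o, sig)
	}
}
```

Note that the step-up path is what ties adaptive authentication back to the other methods on this page: the "additional, stronger factor" requested for a score in the middle band should be a phishing-resistant one such as a passkey, not an OTP that the same attacker can relay.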

OAuth 2.0: As an open authorization framework, OAuth 2.0 issues tokens that let an application call a web service on the user's behalf, which makes it the natural choice for public cloud services (authentication in the strict sense is layered on top of it by OpenID Connect). Login credentials do not have to be re-entered on every call, because the access token is valid until it expires. Unlike a Kerberos ticket, which proves who the user or computer is, an OAuth access token is issued for a particular service with a particular set of permissions (audience and scope). It enables an app on the user's computer to access a cloud service and the data that service exposes, without the app ever seeing the user's password.

SSO: Unlike OAuth 2.0, Single Sign-On issues a user-level session token once the user has authenticated with the identity provider, for example with a password plus MFA or with a passkey. As with OAuth 2.0, the token has a lifetime during which the user is not asked to authenticate again, and that validity period is configurable. Only after it expires is a full new authentication required to obtain a fresh token. The flip side is that a stolen session token is as good as a completed login, MFA included, so the lifetime should be bounded, the token bound to the device or session where possible, and revocation on sign-out or suspected compromise actually enforced rather than left to expiry.

Training & simulated phishing attacks

With all of your protective measures, always keep in mind that the human factor is extremely important. In the end, many successful attacks on identities are based on phishing attacks that employees did not recognize as such. Here the most effective protection is still regular security awareness training for employees, accompanied by regular simulated phishing e-mails.