Auth0 announced the launch of its inaugural security report: The State of Secure Identity. This detailed report highlights key areas of concern for security professionals responsible for managing digital identities, including the exponential rise of credential stuffing attacks (automated attempts to compromise a large number of user accounts with stolen credentials), fraudulent registrations, and the widespread use of breached credentials.
Recent headlines and high-profile cyberattacks give today’s security professionals a wide swath of serious threats to worry about. The primary goal of cybercriminal activity is to access critical resources, systems, and personal data, yet systems that can be put into place to minimise the risk of attack — like identity management — often get deprioritised. Lack of budget, resourcing, or attention on managing digital identities give threat actors a prime opportunity to take advantage of these discrepancies and surreptitiously execute their attacks.
Research into Auth0’s global customers over the past year found these key facts and figures:
- In the first 90 days of 2021, credential stuffing accounted for 16.5% of attempted login traffic on its platform, with a peak of over 40% near the end of March — all of which Auth0 detected and prevented.
- Travel & leisure and retail are the top two industries most affected by credential stuffing attacks.
- The number of fraudulent registrations vary by industry vertical, but roughly 15% of all attempts to register a new account can be attributed to bots.
- In the first 90 days of 2021, the Auth0 platform detected breached passwords at an average of more than 26,600 per day, with a minimum of just under 7,300 and a high on Feb. 9, 2021 exceeding 182,000.
“Securing customers’ identities is made more difficult by industry-wide failures to protect data. The prevalence of breached passwords and the availability of automated attack tools makes the humble password a protective measure from the past,” said Duncan Godfrey, VP of Security Engineering, Auth0. “The State of Secure Identity Report is designed to share our unique identity security insights and recommendations with the industry so that application builders and developers at any organisation can take the steps they need to improve their overall security posture and make things more secure for end-users.”
The most prevalent threats detailed in the report include Credential Stuffing (the most common threat observed by Auth0); Fraudulent Registrations; Multi-factor Authentication Bypass; Breached Password Usage; and other common identity attacks.
In response to these threats, Auth0 has launched Auth0 WebAuthn Passwordless, an authentication feature that enables end-users to seamlessly log in with a biometric identifier — such as facial recognition or a fingerprint — as a convenient and secure alternative to a traditional password. Removing the need for long, complex passwords, Auth0 WebAuthn Passwordless provides a frictionless experience for end-users, while reducing the significant password management burden for companies.
“Despite ongoing guidance around proper password creation and repeated warnings against password reuse, consumers crave convenience and continue to use the easiest and most convenient path for application access,” said Shiv Ramji, Chief Product Officer at Auth0. “A passwordless future is largely being driven by two primary forces — security and convenience. Companies want to secure the vulnerabilities that come with passwords, and they also want to offer their users a better digital experience. Auth0 WebAuthn Passwordless is a modern option for organisations looking to attract and retain users.”
With Auth0 WebAuthn Passwordless, users can authenticate with Web Authentication-powered (WebAuthn) biometrics, the official web standard for passwordless authentication as published by W3C and used by FIDO, for first-factor authentication. This form of authentication eliminates security weaknesses based on password reuse, since passwords are not required. Additionally, Auth0 WebAuthn Passwordless is an ideal option for companies looking to build and provide an authentication experience supporting conversion and retention of users who want more choice and less friction in their login experience.
Auth0 WebAuthn Passwordless eliminates the need for users to enter username and password credentials and enables simpler login with a biometric identifier such as facial recognition like FaceID, or a fingerprint scan on a mobile device or laptop. The biometric data remains stored on the device, alleviating privacy and security concerns for end-users. The feature also allows end-users to progressively enroll devices one at a time, as they use them, without needing a centralised portal, giving them the flexibility of having multiple passwordless authentication options — an advanced, unique capability that maximises end-user adoption and enables a faster transition from passwords to passwordless, benefiting both end-users and organisations.
The post New State of Secure Identity Report reveals the most pervasive threats to digital identities appeared first on .
