Why it's time to stop relying on static credentials
Static credentials are vulnerable to exposure via social engineering attacks and data breaches.
The vulnerability of static credentials
Most recently it was T-Mobile; tomorrow it will be another major company falling victim to a major data breach. As long as fraudsters are in business, companies will continue to have customers' data exposed. The data most cybercriminals are after is consumer credentials, which are highly valued in the underground scene. This data is purchased by other criminals to perform all sorts of attacks, including SIM swaps, phishing, fake account creation, and social engineering.
To be clear, when I say static credentials I mean any user credential that doesn't change or is very rarely changed, including passwords, SSNs, names, dates of birth, email addresses, zip codes, and phone numbers. Biometric data such as facial traits and fingerprints are also included, since changing your face requires expensive and invasive surgery.
Every static credential has the potential to be found, stolen, and copied. It doesn't matter how well you protect customer data: others who have access to the same credentials may not be so careful, and that is much harder to control.
To avoid future data breaches the only solution is to move away from static credentials toward dynamic credentials that are constantly changing and therefore have no value once stolen since they are rapidly obsolete. Developers need to enable their users to authenticate with dynamic credentials.
What is a dynamic credential?
A credential is a piece of information that can be used to authenticate an individual and it is dynamic if it changes continuously while still being relatable to a unique user. There are two main types of dynamic credentials used currently for authentication: One-time passwords and behavioral analytics.
A one-time password (OTP) is a password that is valid for a single session and usually expires within a few minutes. The main security issue with OTPs is that they can be intercepted if the transmission channel is compromised: SMS can be intercepted at scale, and the phone number itself can be taken over by a SIM swap attack. Another drawback is that OTPs create too much friction for the user, who must have access to their device and be connected to the network, which negatively impacts the user experience.
Behavioral analytics is a probabilistic approach that consists of comparing a stream of real-time data to a model linked to digital identity. If there is a good match, the user is then authenticated. There are different types of behavior that can be analyzed and it is recommended to combine a few options. Traditionally for web applications, keystrokes, mouse movements and touch-screen gestures have been widely adopted but don't provide enough accuracy to be used as a single factor for authentication and are more commonly used in combination with other factors such as passwords, OTPs and biometrics.
More recently, as mobile has developed to become the predominant communication channel, location behaviors have started to be leveraged for authentication and have proved strong enough to be used as a stand-alone authentication factor. Location behavior patterns are unique to each person and allow for identification with extremely high accuracy. At Incognia, in the past 12 months, hundreds of millions of logins with location permissions granted had no account takeovers (ATOs), with a false-positive rate below 0.001%. It's important to note that this performance is only reachable due to strong location spoofing detection capabilities and high-precision location, using multiple network signals such as WiFi, Bluetooth and GPS analyzed in combination.
For the mobile and IoT era, location behavior analytics is the option that delivers the highest security and the best user experience, given that users don't need to do anything other than be themselves. Using location, Incognia creates a behavioral fingerprint that enables the unique and correct identification of almost 100% of users. In combination with strong device identification, location as a behavioral trait delivers unprecedented performance. 90% of the legitimate logins and 95% of legitimate sensitive transactions happen when users are at trusted locations, which are the places the user visits most frequently.
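To make the "trusted locations" idea concrete, here is an added example (not Incognia's code or algorithm) of a minimal location-based login assessment: it learns the grid cells a user logs in from most often, lets logins from those cells through without friction, steps up authentication elsewhere, and treats a jump no aircraft could make since the previous login as a likely spoofed location. The login history, coordinates, grid size and speed threshold are all constructed for illustration.

```python
import math
from collections import Counter
from datetime import datetime, timedelta

# Constructed history of one user's past successful logins:
# (timestamp, latitude, longitude). All coordinates are illustrative.
HOME, OFFICE, CAFE = (-23.5505, -46.6333), (-23.5614, -46.6560), (-23.5880, -46.6580)
T0 = datetime(2021, 9, 1, 8, 0)
HISTORY = (
    [(T0 + timedelta(days=d), HOME[0] - 0.0001 * d, HOME[1]) for d in range(5)]
    + [(T0 + timedelta(days=d, hours=9), OFFICE[0], OFFICE[1] - 0.0001 * d) for d in range(4)]
    + [(T0 + timedelta(days=2, hours=13), *CAFE)]  # a single one-off visit
)

def cell(lat, lon, size_deg=0.01):
    """Snap a fix to a roughly 1 km grid cell so nearby fixes group together."""
    return (math.floor(lat / size_deg), math.floor(lon / size_deg))

def trusted_cells(history, min_visits=3):
    """Cells the user has logged in from at least min_visits times."""
    counts = Counter(cell(lat, lon) for _, lat, lon in history)
    return {c for c, n in counts.items() if n >= min_visits}

def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) pairs in kilometres."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def assess_login(history, when, lat, lon, max_speed_kmh=1000.0):
    """Return 'allow', 'step_up' or 'deny' for a new login attempt."""
    last_when, last_lat, last_lon = max(history)  # most recent prior login
    hours = (when - last_when).total_seconds() / 3600
    # Implied travel speed above the threshold (constructed value) is treated
    # as a spoofed location, not as a new place to learn.
    if hours <= 0 or haversine_km((last_lat, last_lon), (lat, lon)) / hours > max_speed_kmh:
        return "deny"
    if cell(lat, lon) in trusted_cells(history):
        return "allow"    # trusted location: no extra friction
    return "step_up"      # unfamiliar place: require another factor

def run_samples():
    """Verdicts for three constructed attempts after the last login on 5 Sep 08:00."""
    return {
        "home_same_evening": assess_login(HISTORY, datetime(2021, 9, 5, 19, 0), *HOME),
        "cafe_same_evening": assess_login(HISTORY, datetime(2021, 9, 5, 19, 0), *CAFE),
        "new_york_one_hour_later": assess_login(HISTORY, datetime(2021, 9, 5, 9, 0), 40.7128, -74.0060),
    }
```

Because the trusted set is recomputed from the history, a stolen copy of today's model is stale as soon as the user's routine shifts, which is the property the post argues for.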
The adoption of the Incognia solution has grown from 0 to 1.5 billion monthly sessions within 12 months, which is a good indicator that the market is ready to move away from static credentials and adopt dynamic credentials to protect user accounts.