Ciptor Security Insights

GO PASSWORDLESS TODAY

With Azure AD HYPR and FIDO Security Keys

Nobody likes passwords. They’re inconvenient. They’re a prime target for attacks. Yet for years they’ve been the most important layer of security for everything in our digital lives, from email to bank accounts, shopping carts to video games.

Today you can completely remove the password from your Microsoft account. Our preferred choice is to use your mobile phone as a security key with our favorite technology, the HYPR Cloud Platform. It is designed to eliminate passwords and shared secrets across the enterprise. By removing the hackers’ primary target, HYPR forces the adversary to attack each device individually, drastically shifting the economics of an attack back in your favor.

With the HYPR platform in place you can also use a FIDO Security Key from Feitian, Yubico, Identiv or Nitrokey to sign into your favorite apps and services, such as Microsoft Outlook, Microsoft OneDrive, Microsoft Family Safety, and more.

Connect your IdP to the HYPR Platform and you will be able to roll out True Passwordless Authentication and gain fast and easy access to your apps and resources.

The example below shows how HYPR is integrated with PhenixID (the IdP) to access Citrix with SSO using True Passwordless Authentication.

Bret Arsenault, the Chief Information Security Officer (CISO) at Microsoft, says:
“Hackers don’t break in, they log in.”

Weak passwords are the entry point for the majority of attacks across enterprise and consumer accounts. There are a whopping 579 password attacks every second—that’s 18 billion every year.

Why are passwords so vulnerable? There are two big reasons:

1. Human nature

Except for auto-generated passwords that are nearly impossible to remember, we largely create our own passwords. But, given the vulnerability of passwords, requirements for them have gotten increasingly complex in recent years, including multiple symbols, numbers, case sensitivity, and disallowing previous passwords. Updates are often required on a regular basis, yet creating passwords that are both secure and memorable is a challenge. Passwords are incredibly inconvenient to create, remember, and manage across all the accounts in our lives.

Forgetting a password can be painful too. You will be shocked to learn that nearly a third of people say they completely stop using an account or service rather than dealing with a lost password. That’s not only a problem for the person stuck in the password cycle, but also for businesses losing customers.

To solve these problems and create passwords we can remember, we try to make things easier for ourselves. We often rely on known and personal words and phrases. We use our pets’ and family members’ names for password inspiration, and important dates like birthdays. We also reuse passwords across sites, and we use formulas for creating passwords, such as Summer2021, which eventually becomes Winter2021 or Spring2022.

2. Hacker nature

Unfortunately, while such passwords may be easier to remember, they are also easier for a hacker to guess. A quick look at someone’s social media can give any hacker a head start on logging into their personal accounts. Once that password and email combination has been compromised, it’s often sold on the dark web for use in any number of attacks.

Go Passwordless Today!

PASSWORDLESS ROI

The Financial Benefits of Deploying Passwordless Authentication

Password Resets

Forgot your password? The average cost in help desk labor for a password reset is $70.
A medium sized organization can experience upwards of 10,000 resets per year.

10,000 * $70 = $700,000 lost to password resets each year.

So, how many passwords does your help desk reset?

Data Breach Risk

The global average cost of a data breach is $3.86 million.

80% of hacking-related breaches are tied to stolen or weak passwords. 
$3.86 M * 80% = $3.09 M

Reduce quantifiable breach risk an average of $3.09 M by eliminating Passwords.

ECOMMERCE CHECKOUT ABANDONMENT

33% of transactions are abandoned at checkout due to forgotten passwords.
The average online transaction value in the United States is $81.26.

A medium-sized eCommerce business processes 100,000 orders each year.
33% * (100,000 transactions * $81.26) = $2.68 million in lost revenue that can instead be generated by going Passwordless.

How often are your customers abandoning their carts due to password friction?

Credential Reuse Attacks

The average cost of account takeover (ATO) fraud due to credential stuffing is $18,420 per account per year.
Approximately 2% of credential stuffing attempts on accounts are successful.

A medium-sized eCommerce business has upwards of 10,000 customer accounts.
2% * (10,000 customer accounts * $18,420) = $3.68 M saved by preventing a credential stuffing attack.

How many user passwords are you storing? 

Workforce Productivity

A major bank with 100,000 tellers studied its employees’ login times.
Each successful workstation login averaged 5 seconds.
A teller logs onto their computer approximately 70 times each day during a full-time shift.
5 s * 60 = 300 seconds * 252 work days / 3600 = 24.5 hours per employee spent logging in each year.
Passwordless can save an average of 24 hours in productivity per employee per year.

That’s approximately 6,575 hours per day spent on typing passwords — talk about productivity losses!
Based on a 252-day work year and an average teller pay of $18 per hour, it amounts to nearly $45 million in hourly wages spent on logging in for the entire year.
So, how many times a day do your employees log in?

Our partner HYPR, a leading True Passwordless multi-factor authentication (MFA) provider, has joined the Microsoft Intelligent Security Association (MISA), a consortium of experts from across the cybersecurity industry with the shared goal of improving customer security and confidence in digital services.

As a member, HYPR will have the opportunity to use Microsoft's security products and expanded network, while Microsoft customers will benefit from HYPR's True Passwordless MFA™ technology. HYPR's interoperability with Microsoft Azure Active Directory enables true cross-cloud, cross-platform passwordless login, including single sign-on (SSO), desktop multi-factor authentication, and mobile-to-web authentication for apps including Microsoft 365. This integration provides full protection against man-in-the-middle (MITM), credential stuffing, phishing, and mobile push fatigue attacks. The joint solution raises the bar on protecting workforce identities: an attacker must compromise each individual device to cause widespread impact and damage.

"HYPR has long had the belief that passwords are archaic, costly, plagued with risk and undoubtedly the weakest link in many corporate security protocols and strategies. Joining MISA only solidifies our vision to eliminate the password, accelerate the cloud journey of our customers, while protecting their organization against vulnerabilities," said George Muldoon, Vice President of Strategic Alliances, HYPR. "We are excited to join MISA and benefit from the knowledge and resources shared by the other members of the association."

"Microsoft has been on a mission to eliminate passwords and help people protect their corporate identities," said Alex Simons, Corporate Vice President of Program Management, Microsoft Identity Division. "We are pleased to see companies like HYPR support that goal by integrating their solutions through the Microsoft Intelligent Security Association."

What is HYPR?

HYPR is a leader in Passwordless Multi-factor Authentication (MFA). 

With HYPR installed you will be able to protect workforce and customer identities with the highest level of assurance while enhancing the end users' experience. The HYPR approach shifts the economics of attack and risk in the enterprises' favor by replacing password-based MFA with Passwordless MFA.

With HYPR, customers can finally enable cross-platform desktop MFA, stop phishing, and reduce fraud associated with weak or stolen passwords.

Welcome to The Passwordless Future. It's time to reimagine identity security.

Bank of America announced last month that starting June 23rd, 2021, it will support FIDO2 certified USB security keys, including FEITIAN Security Keys, to increase the security of its users and help protect customers against fraud and identity theft.

Bank of America will support registering your USB security key to your account, online banking authentication and an extra layer of security for adding transfer recipients to your account and completing money transfers.

The support for FEITIAN FIDO2 certified security keys for sign-in authentication and completing money transfers is a major security milestone for financial institutions.

Benefits of using a security key for online banking

  1. Extra layer of security for account sign-in and online banking
  2. Increased limits for certain transfer types when using a security key
  3. Extra security for higher-value money transfers
  4. Use Secured Transfer internationally if you don’t have a U.S.-based mobile number. USB security keys are an optional alternative to SMS-based one-time security codes if you do not have access to a U.S. mobile phone number or can’t receive texts on your phone.
  5. USB security keys are a more secure alternative to SMS-based one-time security codes. If you don’t have a domestic mobile phone number or can’t receive security codes via text, you can use a FEITIAN USB security key that plugs into your computer.

Security Key FAQs

What is a USB security key?

A USB security key plugs into your computer’s USB port and functions as an extra layer of security that’s used in Online Banking to increase limits for certain transfer types.

Why do I need a USB security key?

USB security keys are an optional alternative to SMS-based one-time security codes if you do not have access to a U.S. mobile phone number or can’t receive texts on your phone.

Where can I get a USB security key?

USB security keys can be purchased from our online store: www.it-safe.shop

How do I register my USB security key?

You will be able to register your USB security key beginning June 21.

How do I use my USB security key when making a transfer?

When prompted for your USB security key, all you need to do is tap the button on the key already inserted into your USB port, allow the browser to read your device and continue with your transfer.

Source: https://www.bankofamerica.com/security-center/faq/additional-security-features/

Each employee password reset costs an average of $70. How many times have you reset your password this year? The number of passwords we're managing continues to grow as our digital identities become more complex, so how do we keep our credentials secure?

This podcast discusses the pathway to the future: Passwordless Authentication.

Sam Tang, EY's Cyber Chief Identity Architect, Rob Foster, EY Cybersecurity Senior Manager, and George Muldoon, HYPR Global Alliance Leader and subject matter resource in passwordless authentication, discuss common obstacles and cutting-edge solutions when using passwords.

Listen to the podcast on the following link: Podcast Passwordless Authentication