Fresh Takes

Top Data Breaches in 2023 and Why Organizations Need Passwordless, Phishing-Resistant Authentication

February 8, 2024

In 2023, data breaches kept rising worldwide. Just nine months into the year, breaches were already 20% ahead of all of 2022, according to a study commissioned by Apple, and IBM's 2023 Cost of a Data Breach report put the average cost of a breach at $4.45 million, the highest on record.

Many of the reported breaches began with stolen credentials, obtained through credential stuffing, phishing, smishing, vishing and other social engineering, and then used to deploy ransomware or exfiltrate data. None of these techniques is new, yet organizations keep falling victim to them. One reason they succeed so often is that security tools, processes, and policies are not being modernized to keep pace with the evolving threat landscape and the tactics of cybercriminals.

Authentication is a prime example of this problem. Many organizations believe they are protecting sensitive company and customer information with passwords and basic multi-factor authentication (MFA). However, the wave of successful phishing attacks over the past year has shown that these traditional authentication methods are no longer enough: a password, a one-time code or a push approval can all be relayed to the real site by an attacker who sits between the user and the service. The continued use of passwords leaves organizations more exposed than ever.

To be truly protected, organizations must implement passwordless, phishing-resistant MFA. And don't just take our word for it: the Cybersecurity and Infrastructure Security Agency (CISA), in its guidance on implementing phishing-resistant MFA, the National Institute of Standards and Technology (NIST), in SP 800-63B, and the U.S. White House Office of Management and Budget (OMB), in memorandum M-22-09, have all given guidance to this effect.

Notable 2023 Data Breaches and Why They Happened

Before we get into the details of passwordless, phishing-resistant MFA, let’s look at a few of the top attacks that occurred in 2023 and what we can learn from them.

Norton LifeLock

This well-known antivirus company disclosed a cyberattack in January 2023 that targeted accounts using its Norton Password Manager; nearly 1 million customer accounts were targeted.

Norton LifeLock's data breach notice said the incident was likely a credential stuffing attack. In this type of attack, username and password pairs exposed in an earlier breach are replayed against other sites and services where the same password was reused. In short, the culprit is password reuse. Cybercriminals take combinations from dumped breach data and simply log in; they do not need to break in.

To remedy the situation, Norton LifeLock reset the passwords for all affected accounts and recommended affected users change their passwords immediately (as well as other accounts that may have shared the same password).

23andMe

In October, 23andMe, which provides DNA genetic testing and ancestry services, disclosed that it too had been hit by a credential stuffing attack, exposing how poorly the sensitive genetic and personal information of its customers was protected. Attackers logged into a relatively small number of accounts with reused passwords and then used the "DNA Relatives" feature, where users opt in to share data such as ancestry reports and matching DNA segments with genetic relatives, to harvest data from the many users linked to those accounts.

The exposed personal information included display names, date of birth, sex, and genetic ancestry results. The attacker first offered data on about one million users of Ashkenazi Jewish descent and 100,000 users of Chinese descent, and later data on roughly four million more users. 23andMe subsequently confirmed that only about 14,000 accounts had been accessed directly, but that data on about 6.9 million people had been pulled through the sharing features.

In response to the incident, the company required all customers to reset their passwords and then made two-step verification mandatory for all accounts.

Okta

Also in October, Okta confirmed that a threat actor used stolen credentials for a service account to access its customer support case management system. There the actor viewed HAR files that customers had uploaded for troubleshooting; those files contained session tokens that, until revoked, could be replayed to hijack the affected customers' Okta administrator sessions. Okta's customer base of roughly 18,000 organizations includes 1Password, OpenAI, Cloudflare, and T-Mobile, among many others, and 1Password and Cloudflare were among those that reported follow-on intrusion attempts.

Okta later disclosed that the actor had also downloaded a report containing the full names and email addresses of the users of its customer support system, which covered most of its customers. In some cases, phone numbers, usernames, and employee role details were included as well. Okta's chief security officer warned customers that this data could be used to target them with phishing emails and other social engineering attacks.

Once the breach was discovered, Okta advised all customers to enforce MFA and to use phishing-resistant authenticators, such as physical security keys, for administrator access. This recommendation is by far the best advice to come out of the three breaches we're highlighting, and here's why.

The Future is Passwordless, Phishing-Resistant Authentication

As mentioned, many organizations today still rely on passwords and basic MFA to protect themselves. It's clear these strategies no longer hold up against threat actors who can simply log in with reused passwords or relay traditional MFA codes and prompts through a lookalike site. The three examples above show what happens to organizations whose authentication can be stuffed, phished or replayed.

So, how can organizations course correct and become phishing resistant? The answer lies in passwordless, phishing-resistant MFA. Let’s break down what we mean by this.

Passwordless sounds straightforward, but be aware that many vendors who claim to offer passwordless solutions only hide the password or shared secret from the end user. Behind the scenes the secret still exists, is still stored and transmitted, and can still be stolen or relayed by cybercriminals.

Axiad provides what we like to call "no password passwordless" solutions: authentication that requires no password or other shared human secret anywhere in the flow. If there is no password or shared secret to steal, credential phishing has nothing to capture. One caveat the Okta incident illustrates: the session tokens issued after a successful login still need protecting, with short lifetimes and prompt revocation, because an attacker who obtains a token can bypass authentication altogether.

Taking this one step further, organizations can layer on phishing-resistant MFA. Here, too, vendors make claims about their products that confuse organizations. No matter what a vendor claims, the following authentication methods are not phishing resistant: passwords, SMS and voice MFA, one-time passwords and token-based OTP, and mobile push with number matching. Each of these produces something the user types or approves that is just as valid when it arrives via an attacker's proxy as when it arrives directly. The only two truly phishing-resistant forms of MFA are certificate-based authentication (CBA) backed by Public Key Infrastructure (PKI) and authentication that complies with the FIDO Alliance's FIDO2/WebAuthn standards. In both, a private key that never leaves the user's device signs a challenge tied to the legitimate service, so nothing relayed through a lookalike site can be reused. To learn more about what is and what is not phishing-resistant, read our recent blog here.

Summary

In summary, breaches stemming from reused passwords, stolen credentials and relayed MFA continue to dominate headlines. To end this trend, organizations must remove the bait, the password, and strengthen their authentication by becoming phishing resistant.

Our Axiad Cloud platform helps companies do just this by securely connecting people and machines to data and applications from anywhere – without business disruption – in an integrated, systematic fashion. The platform offers multi-factor authentication, phishing-resistant authentication, certificate-based authentication for IAM, passwordless orchestration, and PKI as a service. And, it’s proven to help organizations become phishing resistant.

To learn more about how you can begin your passwordless, phishing-resistant journey, request a demo or contact us today.

About the author
Axiad