How Going Passwordless Helps Protect Against Brute-Force Attacks

Although they have been in use for decades, brute-force attacks remain popular with cybercriminals and remain a costly problem for their victims. As the name suggests, a brute-force attack is a matter of volume: repeated login attempts, typically driven by large numbers of bots, that cycle through username and password combinations until one is accepted.

Security teams need to take these attacks seriously: a successful login gives the attacker whatever the account can do, from stealing sensitive data to installing malware on the systems it can reach.

Many varieties of brute-force attack have emerged and evolved over the decades in which people have used passwords to secure online accounts. Of these, two have become the attacks of choice for modern bad actors:

  1. Credential stuffing: From time to time, attackers breach a large online service and download a list of usernames (often email addresses) and passwords, which is then sold or shared on the dark web. Because many people reuse passwords across sites, anyone holding such a list can replay the known username/password pairs against other sites, one attempt per account, until one of them is accepted.
  2. Password spraying: Where credential stuffing replays known pairs across many sites, password spraying targets a single website or application and tries a small number of likely passwords against a large number of accounts. The guesses are not random: common passwords and known default passwords (especially for admin accounts) are tried once or twice per account, which keeps each account below its lockout threshold and lets the attack run for a long time. It is surprising how often this is enough.
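The two patterns above have different shapes in an identity provider's failure log, and that shape is what a detection rule keys on (the log never shows the password that was tried, so spraying is recognised by its distribution over accounts, not by the guess itself). The following is an added example, not code from the original article or from Ping Identity. The log layout (`<ts> auth OK|FAIL user=<name> src=<ip>`), the sample lines and the thresholds are all constructed assumptions for illustration; it tags three shapes within one time window: a single account hammered with many guesses, one source trying a few guesses against many accounts (spraying), and many sources each trying a different account once or twice (the shape of a distributed replay of a breached credential list).

```python
"""Classify failed-login shapes in one window of authentication log lines.

Added example, not from the original article. Log format, thresholds and
sample data are assumptions; tune the thresholds to your own IdP baseline
and feed the classifier one time window (e.g. 10 minutes) at a time.
"""
import re
from collections import defaultdict

# Assumed log format (constructed for this example):
#   <timestamp> auth <OK|FAIL> user=<name> src=<ip>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_failures(lines):
    """Return (user, src) for every failed login; malformed lines are skipped."""
    failures = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m and m.group("result") == "FAIL":
            failures.append((m.group("user"), m.group("src")))
    return failures


def classify(failures, per_user_max=10, spray_users=5, spray_tries_per_user=3,
             stuffing_pairs=8, stuffing_srcs=5):
    """Return (kind, subject, count) findings for three failure shapes.

    brute_force: one account receives many guesses (classic dictionary attack)
    spraying:    one source tries a few guesses against many accounts
    stuffing:    many (src, user) pairs each tried once or twice, spread over
                 many sources, as a botnet replaying breached pairs looks
    """
    by_user = defaultdict(int)
    by_src = defaultdict(lambda: defaultdict(int))   # src -> user -> failures
    for user, src in failures:
        by_user[user] += 1
        by_src[src][user] += 1

    findings = []
    for user, n in by_user.items():
        if n >= per_user_max:
            findings.append(("brute_force", user, n))

    sprayers = set()
    for src, users in by_src.items():
        # many distinct accounts, but only a couple of tries against each
        if len(users) >= spray_users and max(users.values()) <= spray_tries_per_user:
            findings.append(("spraying", src, len(users)))
            sprayers.add(src)

    # Low-repeat pairs from sources not already explained by the spraying rule.
    low_repeat = [(src, user) for src, users in by_src.items() if src not in sprayers
                  for user, n in users.items() if n <= 2]
    srcs = {src for src, _ in low_repeat}
    if len(low_repeat) >= stuffing_pairs and len(srcs) >= stuffing_srcs:
        findings.append(("stuffing", f"{len(srcs)} sources", len(low_repeat)))
    return findings


def sample_log():
    """Constructed log lines: documentation IP ranges, invented usernames."""
    lines = []
    t = 0

    def add(result, user, src):
        nonlocal t
        t += 1
        lines.append(f"2024-03-01T10:00:{t:02d}Z auth {result} user={user} src={src}")

    for _ in range(12):                                 # one account, one host, many guesses
        add("FAIL", "alice", "198.51.100.7")
    for user in ["bob", "carol", "dave", "erin", "frank", "grace"]:
        add("FAIL", user, "203.0.113.9")                # one host, many accounts, one guess each
    for i in range(8):                                  # many hosts, many accounts, one guess each
        add("FAIL", f"user{i}", f"192.0.2.{i + 1}")
    add("OK", "alice", "198.51.100.20")                 # a normal login, ignored
    lines.append("not a log line at all")               # malformed, ignored
    return lines


if __name__ == "__main__":
    for kind, subject, count in classify(parse_failures(sample_log())):
        print(f"{kind:12} {subject:20} {count}")
```

The three rules are deliberately independent: a sprayer's pairs are excluded from the stuffing count so one host is not reported twice, and a hammered account is excluded because its pair count is high. In production the interesting extra signal for stuffing is a handful of successes mixed into the failures from the same sources, which the failure-only view above does not see.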

Protecting against brute-force attacks

The popularity of brute-force attacks is unlikely to decline any time soon. For this reason, organisations need to review the measures they have in place to prevent unauthorised access.

The most effective measures can be categorised as ‘good’, ‘better’, and ‘best’. They are as follows:

  • GOOD: Use strong passwords:
    Using passwords that are practically impossible to guess is the cheapest defence against brute-force guessing. Passwords should be long and random (a password manager makes this practical), and the same password must never be used on more than one site, because reuse is exactly what credential stuffing exploits.
  • BETTER: Multi-factor authentication (MFA)
    Requiring MFA adds a layer that a guessed or stolen password does not cover: two or more factors must be presented before access is granted. A code generated by a phone app or hardware token, or a push approval on an enrolled device, is something the user has, which is what makes it a separate factor. An answer to a secret question is another thing the user knows, and is often guessable or discoverable, so it adds little on top of a password. MFA greatly reduces the damage from brute-force attacks and compromised credentials, but it does not remove the password itself, which can still be guessed; the second factor then becomes the attacker's next target.
  • BEST: Password-less authentication:
    Password-less authentication is the strongest option against brute force. Whereas MFA verifies a user's identity through extra steps on top of a password, password-less authentication grants access through factors other than a password: an email link or push notification to an enrolled device, a QR code scanned with an enrolled phone, a FIDO security key, or a biometric such as a fingerprint or facial recognition. Of these, FIDO credentials are also phishing-resistant, because the credential is bound to the site it was registered with.

    Removing passwords from the equation removes the thing a brute-force attack guesses: there is no password list to spray and no breached password to stuff. The caveat is that the password has to be gone for real. A password-less front door that keeps a password as a fallback, or an account-recovery path that resets the account to a password, leaves the old avenue open and needs the same protection as before.
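The "code generated by a phone app or token" factor in the BETTER tier is usually a time-based one-time password (RFC 4226 HOTP, RFC 6238 TOTP). The verifier below is an added example written for this article, using only the Python standard library; it is not code from the original page or from Ping Identity, and the per-user state dictionaries, the user names and the throttling thresholds are assumptions for illustration. It shows the three things a second-factor endpoint must do that the prose only names: accept a small clock-skew window, refuse a replayed code, and throttle guesses, because a six-digit code has only a million values and an unthrottled check is itself a brute-force target.

```python
"""TOTP verifier with replay rejection and per-step throttling.

Added example, stdlib only; not from the original article or Ping Identity.
Secret provisioning, user lookup and the in-memory state dicts are
assumptions: a real deployment stores that state server-side.
"""
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP whose counter is the number of `step`-second periods since epoch."""
    return hotp(secret, at // step, digits)


def secret_from_base32(text: str) -> bytes:
    """Authenticator apps are normally provisioned with a base32 secret (spaces allowed)."""
    cleaned = text.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


class TotpVerifier:
    """Accepts codes within +/- `window` steps of clock skew, rejects any code
    for a time step at or before the last accepted one (replay), and locks the
    user out for the rest of a step after `max_failures_per_step` bad guesses."""

    def __init__(self, step=30, digits=6, window=1, max_failures_per_step=5):
        self.step, self.digits, self.window = step, digits, window
        self.max_failures = max_failures_per_step
        self._last_used = {}   # user -> last accepted counter
        self._failures = {}    # user -> (counter, failed submissions in that step)

    def check(self, user: str, secret: bytes, submitted: str, at=None) -> bool:
        at = int(time.time()) if at is None else at
        now = at // self.step
        if not (submitted.isdigit() and len(submitted) == self.digits):
            return False
        step_seen, fails = self._failures.get(user, (now, 0))
        if step_seen != now:
            fails = 0                     # the budget resets with each new step
        if fails >= self.max_failures:
            return False                  # throttled: no more guesses this step
        for candidate in range(now - self.window, now + self.window + 1):
            if candidate <= self._last_used.get(user, -1):
                continue                  # already consumed, or older than a consumed step
            if hmac.compare_digest(hotp(secret, candidate, self.digits), submitted):
                self._last_used[user] = candidate
                self._failures.pop(user, None)
                return True
        self._failures[user] = (now, fails + 1)
        return False


if __name__ == "__main__":
    # RFC 6238 test secret; the codes it yields at t=59 and t=1111111109 are in the RFC.
    demo_secret = b"12345678901234567890"
    v = TotpVerifier()
    print(totp(demo_secret, 59), v.check("alice", demo_secret, totp(demo_secret, 59), at=59))
```

Note what this does not do: it still sits behind a password. The window and the throttle are a mitigation for guessing against the second factor; they do not remove the first factor from the attack surface, which is the point of the BEST tier.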

Significant benefits of passwordless

When an organisation adopts MFA or password-less authentication, the benefits include:

  • Stronger digital security: With an additional factor required, an attacker who has guessed or bought a user's password still cannot log in with the password alone.
  • Improved user experience: Fewer typed passwords means more streamlined interactions and transactions, which helps to reduce customer abandonment rates.
  • Better workforce productivity: Eliminating passwords also eliminates password resets, which saves significant time and frustration and improves productivity.
  • Significant cost savings: With these methods in place, the helpdesk workload associated with password problems is greatly reduced, so agents can potentially be reduced in number or allocated to other areas.

Brute-force attacks are going to remain a fact of life for a long time. However, by deploying strategies such as MFA and password-less authentication, organisations can be well placed to withstand them while still providing a great online experience for both staff and customers.

Steve Dillon
Steve Dillon is the Regional Solutions Architect at Ping Identity.