FB pixel

Okta report on credential stuffing attacks marks another blow against passwords

Automation, availability of stolen login credentials fuel attacks mirroring Cisco assault
Categories Access Control  |  Biometrics News
Okta report on credential stuffing attacks marks another blow against passwords
 

San Francisco’s Okta says a wave of credential stuffing attacks that is “unprecedented” in scale uses the same infrastructure as attacks on Cisco’s VPN services earlier in April. The trend is sure to reignite discussion about the dubious security of passwords and potential alternatives that use security keys or biometric authentication.

A post on the company’s blog, entitled “How to Block Residential Proxies using Okta,” says that “over the last month, Okta has observed an increase in the frequency and scale of credential stuffing attacks targeting online services, facilitated by the broad availability of residential proxy services, lists of previously stolen credentials (‘combo lists’), and scripting tools.” In credential stuffing attacks, bad actors with access to large lists of names and passwords obtained from data breaches use automation to try hundreds of login combinations in minutes.

Both recent rounds of attacks were deployed through and made possible by anonymizing services, notably TOR. “Millions of the requests were also routed through a variety of residential proxies,” says Okta’s post. Residential proxies route IP data and authentication requests through a network of legitimate user devices, such as smartphones or routers, to anonymize them. Some users are aware their devices are being used as proxies, but others have had malware enroll devices in proxy networks without their knowing.

Okta says users should keep defense software up to date. “The unprecedented scale of these attacks has provided clear insights into the controls most effective against credential stuffing.

ThreatInsight, Okta’s built-in control against high volume attacks, blocks requests from IPs involved in large scale credential based attacks prior to authentication.”

In its recommendations, it encourages customers to embrace passwordless, require Okta FastPass and FIDO2 WebAuthn, and support passkeys as a preferred sign-in method.

Cisco’s parent company, Duo Security, recently migrated its membership in the FIDO Alliance to Cisco and joined the FIDO board. Cisco has been reorienting its security strategy around identity and AI to strengthen its defensive posture.

Industries across the board are following suit, with the auto industry showing particular enthusiasm for passwordless authentication. Data breaches keep happening, and fraudsters are getting better at using increasingly advanced tools. Passwords have hung on for longer than some expected. But if the current wave of credential stuffing attacks keeps swelling, expect password-based authentication to be subsumed soon enough.

Technical details on the attack can be found at the bottom of Okta’s post.

Related Posts

Article Topics

 |   |   |   | 

Latest Biometrics News

 

Identity verification scale and maturity to push average cost down

The costs that relying parties pay for digital identity verification, from collecting and analyzing selfie biometrics to ID document authenticity…

 

How the ID industry can become more sustainable – and help to raise awareness for greener travel

By Tobias Nuessle, COO of Veridos The travel and tourism industry is a significant contributor to global CO2 emissions. Various…

 

Biometrics upgrades arriving at borders (but check the schedule for updates)

New biometric technology is coming to borders in Europe and the UK, but as reflected in several of Biometric Update’s…

 

What is the killer app for verifiable credentials? Daon, Dock and Youverse discuss

Industries such as financial services, healthcare, transport, government and more are increasingly adopting digital verifiable credentials connected to biometrics. Their…

 

Veteran biometrics leaders join FaceTec, Credence, ID.me adds ex-Meta exec

The latest round of appointments in the biometrics and identity management sector includes a former leader of federal government sales…

 

EU announces phased approach for EES

The European Union has proposed a progressive introduction of its biometric traveler registration scheme, the Entry-Exit System (EES). On Wednesday,…

Comments

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Most Viewed This Week

Featured Company

Biometrics Insight, Opinion

Digital ID In-Depth

Biometrics White Papers

Biometrics Events