SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers

Mitigating AI security risks with phishing-resistant MFA

Thu, 8th Jun 2023

As businesses learn what Artificial Intelligence (AI) tools can do for them, interest in and adoption of the technology keeps accelerating, especially in the enterprise. Most of today's hype revolves around ChatGPT, but AI is also being integrated into search engines and mainstream IT applications to augment existing capabilities and improve productivity.

AI is here to stay, and the hardware that powers it will only improve. It undeniably brings many benefits to daily life, but nothing prevents bad actors from using the same tools for malicious purposes, such as cracking passwords to steal data that then feeds phishing campaigns. ChatGPT may not yet produce convincing spear-phishing lures on its own, but it can readily fix the poor grammar and factual slips that give away most phishing emails today.

A concerning data point: in a recent test by the cybersecurity company Home Security Heroes, an AI password-cracking tool recovered the majority (51%) of common passwords when run against a leaked, now-defunct database of approximately 15,680,000 real passwords. As their utility grows, the real threat is that such tools lower the cost and complexity of mounting certain computer-based attacks.

Too much reliance on usernames and passwords

According to Yubico's new market intelligence report, conducted by S&P Global Market Intelligence, 59% of enterprises reported experiencing a data breach last year, and 91% still rely on usernames and passwords as their main form of authentication.

Advances in AI are making it easier still for attackers to crack passwords, and stolen or guessed credentials remain a leading cause of breaches.

The frequency of data breaches is rising at an alarming rate, and a number of major Australian companies have recently had customer data, including usernames and passwords, stolen. AI has made the attacker's job easier and faster. With breaches mounting, now is the time to move on from legacy authentication methods such as usernames and passwords toward phishing-resistant multi-factor authentication (MFA) such as security keys.

Password generators failed with AI

In the Home Security Heroes test, passwords shorter than four characters and longer than 18 were excluded from the run. Of the remaining passwords, a majority were recovered in under 60 seconds.

Longer, more complex passwords, such as those produced by password generators with upper- and lower-case letters, digits and special characters, took the tool more time to crack. Even so, within a month 81% of the passwords in the set had been recovered. That is a major concern for the majority of users who still rely on passwords alone, even long and complex ones.

The solution is phishing-resistant MFA

As adoption of AI tools grows, the focus must be on the key ways to head off the associated risks. This underlines the importance of strong phishing-resistant MFA and identity-based security methods.

As identity checks that companies have trusted for decades, such as voice and video verification, become less reliable, a strongly bound electronic identity is critical to staying secure against sophisticated attacks like phishing. Credentials that are hardware-bound and purpose-built around cryptographic principles excel here, for example FIDO2 hardware security keys like the YubiKey.

Why FIDO2 security keys?

Collectively, Yubico and other major tech vendors such as Google, Apple and Microsoft, working through the FIDO Alliance (Fast Identity Online), have been aiming to eliminate passwords completely. Modern authentication methods based on the FIDO protocols, such as passkeys and security keys, are phishing-resistant: an AI-polished lure that leads a user to a fake site still yields the attacker nothing they can log in with.

FIDO2 security keys are phishing-resistant because each credential is tied to a specific relying party. The browser records the origin of the page requesting the login in the data the key signs, and the key only produces signatures for the relying-party identifier derived from that origin, so an attacker cannot profit from a user failing to spot a 0 (zero) standing in for an O (capital o) in a nefarious website URL. The private key never leaves the security key, which prevents the credential from being copied to another system without the user's knowledge or by accident. FIDO2 authenticators also greatly reduce the efficacy of social engineering, since there is no one-time password for a user to be tricked into handing over and no SMS code that can be intercepted through a SIM-swapping attack.
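To make that origin binding concrete, here is an added example, not code from the original article or from Yubico, that simulates the relying-party side of a WebAuthn login in Go. A software ECDSA key stands in for the hardware authenticator; the origins (https://example.com versus the lookalike https://examp1e.com), relying-party IDs and challenge value are constructed for illustration only.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"fmt"
)

// clientData mirrors the WebAuthn CollectedClientData fields the browser fills
// in. The page's JavaScript cannot alter the origin the browser records here.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// assertion is what the relying party receives back from the client.
type assertion struct {
	ClientDataJSON []byte
	AuthData       []byte
	Signature      []byte
}

// authenticatorData builds the fixed prefix of WebAuthn authenticator data:
// sha256(rpId) || flags || 32-bit signature counter.
func authenticatorData(rpID string, counter uint32) []byte {
	h := sha256.Sum256([]byte(rpID))
	out := append([]byte{}, h[:]...)
	out = append(out, 0x01) // UP flag: user present (touched the key)
	ctr := make([]byte, 4)
	binary.BigEndian.PutUint32(ctr, counter)
	return append(out, ctr...)
}

// sign plays the authenticator. The browser hands it the rpId derived from the
// page's origin plus the client data; it signs authData || sha256(clientDataJSON).
func sign(priv *ecdsa.PrivateKey, rpID string, cdj []byte, counter uint32) (assertion, error) {
	authData := authenticatorData(rpID, counter)
	cdHash := sha256.Sum256(cdj)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, msg[:])
	if err != nil {
		return assertion{}, err
	}
	return assertion{ClientDataJSON: cdj, AuthData: authData, Signature: sig}, nil
}

// verify plays the relying party. Each check is one step of the WebAuthn
// assertion verification procedure; any failure rejects the login.
func verify(pub *ecdsa.PublicKey, a assertion, wantOrigin, wantRPID, challenge string) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return fmt.Errorf("bad clientDataJSON: %w", err)
	}
	if cd.Type != "webauthn.get" {
		return fmt.Errorf("unexpected type %q", cd.Type)
	}
	if cd.Challenge != challenge {
		return fmt.Errorf("challenge mismatch (replay?)")
	}
	if cd.Origin != wantOrigin { // the phishing-resistance check
		return fmt.Errorf("origin %q is not %q", cd.Origin, wantOrigin)
	}
	want := sha256.Sum256([]byte(wantRPID))
	if len(a.AuthData) < 37 || string(a.AuthData[:32]) != string(want[:]) {
		return fmt.Errorf("rpIdHash does not match %q", wantRPID)
	}
	cdHash := sha256.Sum256(a.ClientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, a.AuthData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(pub, msg[:], a.Signature) {
		return fmt.Errorf("signature invalid")
	}
	return nil
}

// Attempt runs one login from a page at pageOrigin (rpId pageRPID) against a
// relying party that expects rpOrigin and rpID.
func Attempt(priv *ecdsa.PrivateKey, pageOrigin, pageRPID, rpOrigin, rpID string) error {
	// Constructed challenge; a real RP issues a fresh random one per login.
	challenge := base64.RawURLEncoding.EncodeToString([]byte("constructed-challenge-123"))
	cdj, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: pageOrigin})
	a, err := sign(priv, pageRPID, cdj, 1)
	if err != nil {
		return err
	}
	return verify(&priv.PublicKey, a, rpOrigin, rpID, challenge)
}

// NewKey generates the software stand-in for the key held inside a YubiKey.
func NewKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func main() {
	key := NewKey()
	fmt.Println("genuine site :", Attempt(key, "https://example.com", "example.com", "https://example.com", "example.com"))
	fmt.Println("lookalike    :", Attempt(key, "https://examp1e.com", "examp1e.com", "https://example.com", "example.com"))
}
```

The second attempt models an attacker who proxies the login page from a lookalike domain and relays the user's response to the real site in real time. The example deliberately reuses one key for both attempts to show that even a relayed response fails: the browser recorded https://examp1e.com as the origin, and the authenticator scoped its signature to the rpId examp1e.com, so both the origin check and the rpIdHash check reject it. With a real security key the attack fails even earlier, because the key holds no credential registered for examp1e.com and produces nothing to relay.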

Tackling AI with a phishing-resistant future

While the benefits of AI are undeniable, the security risks that come with its widespread adoption must be addressed. As AI technology advances, it becomes easier for attackers to crack passwords and to scale up the attacks that lead to data breaches.

To combat these escalating threats, organisations need to move away from legacy authentication methods and focus on phishing-resistant MFA. Note what that buys: it does not stop an attacker cracking a leaked password hash offline, but it makes a cracked or phished password insufficient to log in, which is what turns a credential leak into a breach. Phishing-resistant MFA is therefore a robust defence against AI-powered password cracking and a significant improvement to an organisation's ability to safeguard sensitive data. Embracing technologies like FIDO2 security keys is a proactive way to mitigate the risks that AI amplifies and to preserve the trust and integrity of our digital systems.
