Compromised password reuse vulnerability happens when users use the same password for multiple websites. If any of these websites are hacked, all of this user’s accounts that use this same password are now vulnerable.
Mitigation: The primary way for websites to protect against this type of vulnerability is to offer 2-factor authentication. The weakness in this mitigation is that 2-factor authentication is inconvenient to the user, so they are reluctant to enable it if it’s optional, and resentful if it’s required.
Solution: Uthentic entirely eliminates the possibility of this vulnerability by eliminating passwords entirely. The user does not have a password to remember. Additionally, Uthentic stores an encrypted token on the user’s device so they don’t have to authenticate by email every time they access your site. This token is automatically renewed every 30 days if the user accesses your site within those 30 days.
Because of "password fatigue", users are more and more likely to use insecure passwords on websites. This opens their accounts up to brute force attacks. While the vast majority of websites protect adequately against brute force attacks against a single account - that is, given a single username or email address, the attacker tries millions of password combinations to hack into that specific user’s account - a broad brute force attack can be very effective on many websites today. A broad brute force attack is when the attacker uses a handful of very common passwords (such as 123456 and password) against a huge database of email addresses or usernames. Two factor authentication can mitigate weak password vulnerabilities, but must be forced upon the user. A user that has password fatigue is unlikely to go out of their way to enable 2FA, even if it’s easy to do so.
Mitigation: The most common and obvious mitigation of the weak passwords vulnerability is to make password requirements more complex. This is counter-productive, however, as it only increases the root cause of weak passwords in the first place - password fatigue.
Solution: Since Uthentic is passwordless, weak passwords aren’t a problem.
Phishing happens when an attacker sends an email to a user pretending to be your website. For example, an attacker might send an email from Bank of America, using an email format that looks identical to Bank of America’s, with a link that takes you to a domain similar to but not identical to BOA’s, with a website that looks identical to BOA’s. You are prompted to login. When you enter your username and password, the attacker saves that information, and redirects you to BOA’s website.
Mitigation: Banks often use a “security photo” or “security phrase” that they show to you after you enter your email address so that you can verify that it’s the bank you are logging into. But that’s the only mitigation for phishing attacks that we’ve seen on the web - and its effectiveness is dubious. It’s probably better than nothing, but a user that can’t spot a phishing email when they see it probably is not going to be wary when they don’t see a security photo/phrase either. 2-factor authentication CANNOT mitigate phishing attacks.
Solution: With Uthentic, you have to have actual access to your email account to log in. If an attacker sends a fake email pretending to be you or Uthentic, it doesn’t do anything. We embed special, short-lived, one-time codes in the emails we send, and there is no way for attackers to take advantage of these.
Keylogger malware is pretty straightforward. Software is installed on a user’s device, and that software records everything the user types. When the user types a username and password to log into a website, the attacker then has those credentials.
Mitigation: There are a few very niche and very cumbersome attempts to mitigate keyloggers. The US Treasury’s treasurydirect.gov website, for example, forces users to click an embedded virtual keyboard to enter their password. This is a ridiculous security measure that’s hugely counter-productive. It vastly increases password fatigue, and the end result is that users choose simpler passwords - opening them up to the significantly more common weak password vulnerability. 2-factor authentication can mitigate keyloggers, but is cumbersome for the user.
Solution: With Uthentic, there are no keys to log. An email address is typed, and can be exposed to the attacker, but the attacker still needs access to the email account itself. The security code that’s sent to a user can also be stolen, but that code is short lived, only usable once, and is attached only to the device the user is currently trying to log in from.
Email accounts are the gateway to every single website the user has ever signed up for. When a user’s email account is compromised, any password can be reset, giving access to every website on the web.
Mitigation: Largely, there is nothing that can be done to mitigate this kind of attack, unless you yourself are the email service provider. The vulnerability is that almost every website in existence allows you to reset your password through your email account. A small mitigation that some sites use is to ask the user to verify “security questions”. Everyone knows this is almost always a terrible experience for the user. Additionally, all security questions can be cracked via social engineering, and a huge number of answers to security questions are information that’s readily available through government records or social media. Even two-factor authentication is not an effective mitigation, as the attacker can simply reset the password to the user’s mobile phone provider’s account, order a new sim card, and steal the 2FA code (as well as other known SMS vulnerabilities).
Moving forward: Unfortunately, Uthentic falls flat here as well. Email accounts really are the keys to the kingdom. As a website owner, you are at the mercy of the user being proactive enough to have a complex, unique, memorized password to their email account. Uthentic does make this a much more likely prospect, though. The less passwords that a user has to remember, the more likely they are to have secure, unique passwords on the few websites that actually need them. The more websites that use Uthentic, the more secure the overall web will be.
When a user’s device is stolen, several major things happen:
Mitigation: The best that a website can do to protect against this vulnerability is allow the user to swiftly lock down and recover access to their account.
Solution: Uthentic was built for security first. We know there are a few unpreventable ways that account takeover can still happen - unauthorized physical access to a user’s device is the most glaring. We simply can’t prevent a user’s device from being stolen. We do, however, provide an excellent recovery option. At the bottom of every login email that a user gets from Uthentic is a link that says “My account was compromised”. A user who clicks that link will have ALL their sessions across ALL websites that use Uthentic instantly terminated. That’s access to dozens of websites all instantly secured with a single link click. The next time the user visits any of these websites, they will simply log in like normal, verify they have access to their email account, and be once again semi-permanently logged in on that device.
Mitigation: You'll need to constantly audit not only your own code for vulnerabilities, but you'll also need to monitor ALL third-party libraries for security vulnerabilities. Using NPM? This suddenly becomes a huge attack vector because any downstream package could open you up to XSS.
Solution: Uthentic stores an HTTP-only user-validation cookie that's tied to our domain. Scripts can't access these cookies within the browser context. Additionally, Uthentic uses no third party code at all, which means we can't be the victim of a downstream XSS attack.
SMS is inherently insecure at its core. Using SMS-based passwordless authentication or SMS-based two-factor authentication is better than nothing at all, but it’s far from secure.
Mitigation: Don't use SMS (text messages) as a passwordless authentication solution OR as two-factor authentication.
Solution: When building Uthentic, we actively chose to not use SMS because of these security vulnerabilities inherent in the system. We exclusively use email-based passwordless authentication, which provides the most secure and most convenient login experience in the world.