Data Breach report dishes recommendations for authentication changes

Data Breach report dishes recommendations for authentication changes

Summary: Writing's on the wall for single-factor, password-based authentication on the Internet, Verizon report says.

TOPICS: Security

For enterprises building a large part of their authentication strategy on passwords, this year's Verizon Data Breach Investigations Report has a clear message: Cut it out!

For those exploring multi-factor and other authentication alternatives - the message also is straightforward, bravo!

Weak and stolen passwords are the foundation for two out of every three breaches, and there were 1,367 breaches cited by the DBIR this year. That works out to 912 breaches involving stolen credentials, a number that points at the need for alternatives like the current trend toward two-factor and multi-factor authentication.

The report was clear on the future of passwords, especially as it relates to today's cloud computing. 

"The writing’s on the wall for single-factor, password-based authentication on anything Internet-facing," the report concluded. The DBIR report went on to make specific recommendations to enterprises and service providers, "Even though it may draw you out of a known comfort zone, if you’re defending a web application seek out alternatives to this method (passwords) of identity verification. If you’re a vendor in the web application space, also consider mandating alternative authentication mechanism for your customers."

The report tagged Web applications the "proverbial punching bag of the Internet," pointing out they are most often compromised by exploiting a weakness in the application or by using stolen credentials to impersonate a valid user.

 Breach count by data variety over time
Breach count by data variety over time

"Authentication credentials are useful in both the criminal underground and the shadowy world of the clandestine, and that demand is reflected here (see chart at right)," the report stated.

The report showed that Web application hacks have been trending upward over the past two-and-a-half years while attacks on point-of-sale terminals (despite recent publicized hacks re: Target) have actually been on the decline.

On the consumer side, the report said data shows that "passwords, usernames, emails, credit/debit card and financial account information, and Social Security Numbers are being compromised at a staggering rate, endangering the identities of consumers nationwide."

The recommendation to consumers is to "develop strong passwords. Don’t be like the millions of others who use “12345678” or “password.” Even when hashed, these passwords can easily be deciphered by data thieves."

Here were other recommendations made in the DBIR report:

Point-of-Sale terminals:

  • Make absolutely sure all passwords used for remote access to POS systems are not factory defaults, the name of the POS vendor, dictionary words, or otherwise weak.  If a third party handles this, require (and verify) that this is done, and that they do not use the same password for other customers.
  • Use two-factor authentication: Stronger passwords would cut out a huge chunk of the problem, but larger organizations should also consider multiple factors to authenticate third-party and internal users.

CrimeWare: (defined as incidents involving malware of varied types and purposes)

  • Use two-factor authentication. Our results link CrimeWare to stolen credentials more often than any other type of data. This points to the key role of CrimeWare when the attack objective is to gain access to user accounts. Two-factor authentication won’t prevent the theft of credentials, but it will go a long way toward preventing the fraudulent re-use of those credentials.


  • Stop lateral movement inside the network. After gaining access, attackers will begin compromising systems across your network. Two-factor authentication will help contain the widespread and unchallenged re-use of user accounts.

(Look here for a risk grid by industry that was published in DBIR).

Topic: Security


John Fontana is a journalist focusing on authentication, identity, privacy and security issues. Currently, he is the Identity Evangelist for strong authentication vendor Yubico, where he also blogs about industry issues and standards work, including the FIDO Alliance.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Two- (Multi-) Factor Authentication is nice, but it must be affordable

    How about those people on a fixed income that neither want nor can afford a smartphone for text messaging? A lot of us use a simple flip phone on which we recharge the minutes only as needed. Paying for internet access at home should be enough to get us secure communication with our bank.
    • Bingo

      Any site which requires two-factor authentication, will become a site I now longer use. It's annoying enough, should be secure enough, to use passwords. Two-factor means that instead of it taking about a minute to get in a site, it will take 10 or more. For what if you're out of range on the cell, but not for internet? Only if you're ACCESSING the internet via your cell, will it be efficient.

      Nor is two-factor more secure. It too can be hacked now in TWO ways, the second via phone number randomly sought (easier to do, too).

      FIX THE FIRST, and you won't need the second.
      • ?

        If you're suggesting the NSA can hack your phone as easily as your Internet, okay.

        However, if you're suggesting a Ukrainian hacker will be able to tap text messages to your phone line, you're wrong.

        Several two-factor authentication services offer voice messaging (as a substitute for text messaging). I expect this to become typical.

        We all wish authentication were easy, but with current technology, we can either use two-factor or be less secure. As the article mentions, for most web services, after you authenticate your machine once, subsequent sessions require only a password.
  • I haven't got a mobile.

    I use internet over landline.
    I make phone calls over that same landline.
    All connectivity is conveniently located in my house.