How Norton Lifelock password breach is playing into our passwordless future

January 2023 by Tim Callan, Chief Experience Officer at Sectigo

The recent Norton LifeLock hack compromised thousands of customer
accounts, allowing hackers access to customer password managers.
Malicious actors used credential stuffing to steal data in this case,
but fundamental vulnerabilities will remain so long as traditional
username-password credentials control access.

Identity risks like these further increase the urgency for
“passwordless” authentication, which has become more enticing in
today’s technological society since Apple, Google, Microsoft and
Bitwarden are all implementing passwordless sign-in. Tim Callan,
Chief Experience Officer at Sectigo, has insight on how breaches
like the Norton Password Manager one will remain undefeated unless
password vaults focus on strategies such as PKI-based access.

· Organizations are hesitant about shifting from password
tools to PKI-based technology and the responsibility of managing remote
and hybrid device authentication.

· Tim speaks to what the digital world means for passwordless
authentication and how it will motivate a smoother online experience for
users in a full statement below.

· Tune into a recent podcast of his focusing on MFA fatigue
for background here.

“Unfortunately, password manager breaches via credential-stuffing
attacks, which appears to be the cause of this breach, are all too
common when usernames and passwords are involved. This compromise is
largely enabled by access to previously exposed passwords used to hack
into numerous customer accounts, on the presumption that they employ the
same password for multiple services. No matter how vigilant a
company’s security culture is, these fundamental vulnerabilities will
remain so long as traditional username-password credentials control
access. To defeat this hacking technique, password vaults should focus
on strategies such as PKI-based access. In the shift to secure new
digital credentials and avoid breaches in these spaces, enterprises will
realize a passwordless digital world.

While “going passwordless” has become a trendy term, with many
tech providers leaning into tools like one-time passwords and biometrics
to embody the term, true passwordless authentication does not use
any form of symmetrical shared secret or password anywhere in the
authentication process. In 2023, anyone who has felt
burdened by absurd amounts of logins or worried about protecting
sensitive data will be motivated to support this shift to
passwordless authentication for smoother online experiences.”
Tim Callan, Chief Experience Officer at Sectigo

