Mitigating AI security risks

by Mark Rowe

Niall McConachie, regional director (UK & Ireland) at Yubico, answers questions about mitigating AI security risks with phishing-resistant multi-factor authentication (MFA).

  1. Is there too much reliance on usernames and passwords?

“Legacy authentication methods such as usernames and passwords are becoming extremely outdated, especially with the increasing sophistication of artificial intelligence (AI). Bad actors have started to leverage AI for malicious purposes, such as cracking passwords to steal data for phishing attacks and data breaches. The frequency of breaches is rising at an alarming rate, demonstrating that there is too much reliance on usernames and passwords. Going forward, we can expect more organisations to move away from legacy authentication methods and embrace phishing-resistant multi-factor authentication (MFA) solutions such as security keys.”

  2. Can password generators fail with AI?

“In short, yes. Research from Home Security Heroes has found that AI can crack 51 percent of common passwords in less than a minute and 65 percent in less than an hour. Some of the more complex passwords developed by password generators with upper- and lower-case letters, numbers, and special characters do take more time for the AI to crack. However, within a month, 81 percent of passwords can be deciphered by the AI, which is a huge concern for the majority of users still relying on passwords, even if they are long and complex.”

  3. What should organisations use instead?

“It is essential for business leaders to evaluate which security methods best prevent the associated risks of AI, such as strong phishing-resistant MFA and identity-based security methods. When identity measures that have been trusted for decades, such as voice and video verification, become less secure, strongly linked electronic identity is crucial when it comes to staying secure from sophisticated attacks such as phishing. Credentials that are hardware-bound and purpose-built around cryptographic principles excel in these scenarios, such as FIDO2 hardware security keys.”

  4. Why FIDO2 security keys?

“Major tech companies and members of the FIDO Alliance such as Google, Apple, and Microsoft have been aiming to eliminate passwords completely. Alternative, modern authentication methods such as passkeys and security keys based on the FIDO protocol are phishing-resistant and cannot be circumvented by AI.

“FIDO2 security keys are phishing-resistant because credentials are tied to a specific relying party, preventing attackers from preying on the human inability to spot a 0 (zero) versus an O (capital o) in a nefarious website URL. Having the credentials securely stored in the key prevents them from being transferred to another system without the user’s knowledge or by accident. In addition, using FIDO2 authenticators greatly reduces the efficacy of social engineering via phishing, as users cannot be tricked into sending a one-time password to an attacker or have SMS authentication codes stolen directly by a SIM swapping attack.”

  5. How can we tackle AI with a phishing-resistant future?

“To achieve a phishing-resistant future, it is essential to move away from legacy authentication methods, and a strong focus should be placed on phishing-resistant MFA. This will offer a robust defence against AI-powered password-cracking techniques and significantly enhance cybersecurity defences. Essentially, organisations will be able to safeguard their sensitive data and protect against malicious activities. Embracing technologies such as FIDO2 security keys offers a proactive approach to mitigating the risks associated with AI and ensuring the continued trust and integrity of digital systems within an enterprise.”
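The relying-party binding described in the answer on FIDO2 security keys can be seen in the checks a server runs on a login assertion before it verifies the signature. The following is an added example, not part of the interview and not Yubico's code; the domain names, the challenge value and the helper that simulates the browser and authenticator are constructed, and signature verification against the stored public key is left out.

```python
import base64, hashlib, json

RP_ID = "portal.example"            # constructed relying-party ID
ORIGIN = "https://portal.example"   # the only origin this relying party accepts

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def simulated_assertion(page_origin: str, challenge: bytes):
    """Constructed stand-in for what browser and authenticator emit for a page.
    The browser, not the user, records the origin; the authenticator hashes the RP ID."""
    host = page_origin.split("://", 1)[1]
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": b64url(challenge),
                              "origin": page_origin}).encode()
    flags = bytes([0x01])                    # bit 0 = user present
    sign_count = (1).to_bytes(4, "big")
    auth_data = hashlib.sha256(host.encode()).digest() + flags + sign_count
    return client_data, auth_data

def binding_errors(client_data: bytes, auth_data: bytes, challenge: bytes) -> list:
    """Relying-party checks on clientDataJSON and authenticator data."""
    errors = []
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        errors.append("type")
    if cd.get("challenge") != b64url(challenge):   # stops replay of an old assertion
        errors.append("challenge")
    if cd.get("origin") != ORIGIN:                 # exact match, so p0rtal != portal
        errors.append("origin")
    if len(auth_data) < 37:                        # 32-byte hash + flags + counter
        return errors + ["authenticator data too short"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        errors.append("rpIdHash")
    if not auth_data[32] & 0x01:
        errors.append("user presence")
    return errors

if __name__ == "__main__":
    chal = b"constructed-challenge-0001"
    for origin in ("https://portal.example", "https://p0rtal.example"):
        print(origin, binding_errors(*simulated_assertion(origin, chal), chal))
```

The lookalike origin fails on both the origin string and the RP ID hash without the user having to notice the zero.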


© 2024 Professional Security Magazine. All rights reserved.
