There has been an exponential rise of credential stuffing attacks – automated attempts to compromise a large number of user accounts with stolen credentials – on organisations, according to a new study.

The State of Secure Identity report by Auth0 shows that in the first 90 days of 2021, credential stuffing accounted for 16.5 percent of attempted login traffic on its platform, with a peak of more than 40 percent near the end of March. Auth0 says it detected and prevented the attacks.
Travel & leisure and retail are the top two industries most affected by credential stuffing attacks.
Elsewhere there was a rise in the number of fraudulent registrations. These vary by industry vertical, but roughly 15 percent of all attempts to register a new account can be attributed to bots.
In the first 90 days of 2021, the Auth0 platform detected breached passwords at an average of more than 26,600 per day.
“Securing customers’ identities is made more difficult by industry-wide failures to protect data. The prevalence of breached passwords and the availability of automated attack tools makes the humble password a protective measure from the past,” said Duncan Godfrey, VP of security engineering, Auth0.
Replacing passwords
At the same time, Auth0 has announced the launch of Auth0 WebAuthn Passwordless, an authentication feature that enables end-users to log in with a biometric identifier — such as facial recognition or a fingerprint — as an alternative to a traditional password.
The company notes that, with today’s abundance of applications and systems, there have never been more access points, leaving organisations and their end-users vulnerable to attacks.
“A reliance on passwords as a primary means of authentication, combined with users’ tendency to re-use passwords across applications, presents a number of security, user experience, and cost issues,” it said.
According to a 2021 Data Breach Investigations Report by Verizon, compromised passwords are responsible for 84 percent of breaches.
“Despite ongoing guidance around proper password creation and repeated warnings against password reuse, consumers crave convenience and continue to use the easiest and most convenient path for application access,” said Shiv Ramji, chief product officer at Auth0.
“A passwordless future is largely being driven by two primary forces — security and convenience. Companies want to secure the vulnerabilities that come with passwords, and they also want to offer their users a better digital experience.”