
Lapsus$, MGM Resorts attacks further calls for password-free future

Device and biometric-based authentication are slowly replacing text strings.

Imagine saying goodbye to recovery links—no longer having to try (and fail) to recall what street your mother grew up on.

This is the future some industry groups and government agencies envision as massive incidents, like the high-profile Lapsus$ leaks or the more recent MGM Resorts attack, highlight an important security trend: moving away from passwords completely.

According to FIDO Alliance Executive Director Andrew Shikiar, ditching passwords is the natural progression toward heeding the Cyber Safety Review Board’s (CSRB) advice in a July report, which recommended organizations “urgently” move away from voice and text-based two-factor authentication methods.

The CSRB found that such methods, which were originally meant to beef up human-readable text strings, are now too easy for bad actors to impersonate or otherwise work around. The agency suggested “moving beyond use of text-based strings for authentication” to built-in tokens, technologies like passkeys, and secure API standards like WebAuthn.

Shikiar said he sees a “turning point” as tech titans from Amazon to Google rally around these more secure solutions, which typically bind a user’s identity to their device and rely on public-private cryptographic key pairs rather than shared secrets—methods championed by FIDO, a passwordless authentication industry association.

“Everyone’s talking about the same thing and talking about the same basic way of enabling passwordless at massive scale,” he told IT Brew. “Everyone understands that passwords are not just a minor nuisance for us to try to remember, but they also present a major security risk.”

In the case of Lapsus$, the group allegedly driven by teenage hackers infiltrated companies like Microsoft, Samsung, Nvidia, and Okta by targeting key employees with incessant multi-factor authentication requests. In the still-ongoing MGM debacle, a hacker convinced an IT help desk employee to grant them systems access.


In both cases, the common thread was hackers who gamed the password system to secure employee-held secrets. “If there’s no password to guess, if there’s no password to steal, ultimately you’ve removed a weak link in the system,” Fran Rosch, CEO of digital identity platform ForgeRock, told us.

Alternatives like phishing-resistant authentication platforms can serve a dual purpose: assuring both large enterprises and individuals that they’re being protected during a passwordless sign-on process, Arnab Bose, chief product officer of workforce identity cloud at Okta, told IT Brew. His company backstops login attempts with checks to ensure the device belongs to a real person and is managed by the credentialed organization, while also verifying that the user is accessing a legitimate platform.

“It’s leveraging biometrics to determine user presence. And it is also doing what is called a domain check to ensure that the website you’re signing into is actually the website you think you’re signing into,” Bose said.
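
The “domain check” and user-presence signals Bose describes are what the relying party (the website’s server) verifies in a WebAuthn/passkey login. The following is an added illustration, not code from Okta, FIDO, or the article: it assumes a relying-party ID of example.com, a login origin of https://login.example.com, and constructed sample data; it checks origin, RP-ID hash, and the user-presence/user-verification flags, and shows a look-alike domain being rejected. Signature verification is a separate step and is not shown.

```python
import base64
import hashlib
import json
import secrets

RP_ID = "example.com"                          # assumed relying-party ID
ALLOWED_ORIGINS = {"https://login.example.com"}  # assumed legitimate origin

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def check_assertion(client_data_b64: str, auth_data: bytes, expected_challenge: bytes) -> dict:
    """Origin / RP-ID / presence checks a relying party runs on a WebAuthn assertion.
    Returns {'ok': bool, 'reason': str}. Signature verification is a separate step."""
    client_data = json.loads(b64url_decode(client_data_b64))
    if client_data.get("type") != "webauthn.get":
        return {"ok": False, "reason": "wrong ceremony type"}
    if not secrets.compare_digest(b64url_decode(client_data.get("challenge", "")), expected_challenge):
        return {"ok": False, "reason": "challenge mismatch (replay or stale request)"}
    # The browser, not the page, fills in the origin it is actually on, so a
    # look-alike domain fails here even if the user was fooled by the page.
    origin = client_data.get("origin")
    if origin not in ALLOWED_ORIGINS:
        return {"ok": False, "reason": f"origin {origin!r} not allowed"}
    if len(auth_data) < 37:
        return {"ok": False, "reason": "authenticatorData too short"}
    rp_id_hash, flags = auth_data[:32], auth_data[32]
    if not secrets.compare_digest(rp_id_hash, hashlib.sha256(RP_ID.encode()).digest()):
        return {"ok": False, "reason": "rpIdHash does not match our RP ID"}
    if not flags & 0x01:  # UP bit: authenticator confirmed a user was present
        return {"ok": False, "reason": "user presence flag not set"}
    if not flags & 0x04:  # UV bit: biometric or PIN verified the user
        return {"ok": False, "reason": "user verification flag not set"}
    return {"ok": True, "reason": "origin, RP ID, presence and verification checks passed"}

def make_sample(origin: str, challenge: bytes, rp_id: str = RP_ID, flags: int = 0x05):
    """Build a constructed clientDataJSON / authenticatorData pair for demonstration."""
    chal_b64 = base64.urlsafe_b64encode(challenge).rstrip(b"=").decode()
    cd = {"type": "webauthn.get", "challenge": chal_b64, "origin": origin}
    cd_b64 = base64.urlsafe_b64encode(json.dumps(cd).encode()).rstrip(b"=").decode()
    # authenticatorData = SHA-256(rpId) || flags || 32-bit signature counter
    auth = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + (1).to_bytes(4, "big")
    return cd_b64, auth
```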

Notably, the Lapsus$ group infiltrated some Okta customers via an Okta contractor. However, Shikiar pointed out that Okta customers who used FIDO-approved passwordless authentication methods escaped the 2022 0ktapus phishing attacks that targeted the platform’s users.

“The landscape has dramatically changed,” Bose said of the need to eschew traditional passwords. “The world that we are designing for…we call ‘beyond MFA,’ beyond multi-factor authentication.”

While the passwordless trend clearly carries security benefits, it doesn’t necessarily mean more work for everyday users. Bose said that device-based authentication relies on tech that’s already built into devices and that customers are likely already comfortable with using, like Apple’s Face ID and Microsoft’s Windows Hello. User-friendly password management services are evolving too, to wrangle passkeys as well as passwords.
