Attacks on Authentication
We will categorize attacks on authentication based on the three types of authentication methods discussed in the previous section.
Attacking Knowledge-based Authentication
Knowledge-based authentication is prevalent and comparatively easy to attack. As such, we will mainly focus on knowledge-based authentication in this module. This authentication method suffers from reliance on static personal information that can be potentially obtained, guessed, or brute-forced. As cyber threats evolve, attackers have become adept at exploiting weaknesses in knowledge-based authentication systems through various means, including social engineering and data breaches.
Attacking Ownership-based Authentication
One significant advantage of ownership-based authentication is its resistance to many common cyber threats, including phishing and password-guessing attacks. Authentication methods based on physical possession, such as hardware tokens or smart cards, are inherently more secure because physical items are more difficult for attackers to acquire or replicate compared to information that can be phished, guessed, or obtained through data breaches. However, challenges such as the cost and logistics of distributing and managing physical tokens or devices can sometimes limit the widespread adoption of ownership-based authentication, particularly in large-scale deployments.
Furthermore, systems using ownership-based authentication can be vulnerable to physical attacks, such as theft or cloning of the object, as well as cryptographic attacks on the algorithm it employs. For instance, cloning objects such as NFC badges in public places, like public transportation or cafés, is a feasible attack vector.
Attacking Inherence-based Authentication
Inherence-based authentication provides convenience and user-friendliness. Users don't need to remember complex passwords or carry physical tokens; they simply provide biometric data, such as a fingerprint or facial scan, to gain access. This streamlined authentication process enhances user experience and reduces the likelihood of security breaches resulting from weak passwords or stolen tokens. However, inherence-based authentication systems must address concerns regarding privacy, data security, and potential biases in biometric recognition algorithms to ensure widespread adoption and trust among users.
On the other hand, inherence-based authentication systems can be irreversibly compromised in the event of a data breach. This is because users cannot change their biometric features, such as fingerprints. For instance, in 2019, threat actors breached a company that builds biometric smart locks, which are managed via a mobile or web application, to identify authorized users using their fingerprints and facial patterns. The breach exposed all fingerprints and facial patterns, in addition to usernames and passwords, grants, and the addresses of registered users. While affected users could have easily changed their passwords to mitigate this data breach if the smart locks had used knowledge-based authentication, this was not possible since they utilized inherence-based authentication.