WatchGuard Blog

Why push notifications are the best way to protect passwords

Are passwords still the most common strategy for protecting accounts in organizations? This Pulse password security survey reveals that 38% of respondents use between 4 and 6 password-protected accounts on a daily basis and 49% admit that their IT teams resolve an average of 9 password-related issues every day. The majority acknowledge that this has been exacerbated by remote working during recent months due to the pandemic. What is surprising in these cases is that, although they are aware of these difficulties, only 38% provide annual training on password protection to their employees.  

Moreover, 91% find the additional layers of security frustrating for end users. It is not that they are unaware that tools such as password managers (32% say they use them) can help them, but they complain that users of these tools do not find them intuitive or easy to use, as they require them to authenticate manually to gain access. 

It is worrying that organizations know how important it is to protect their passwords, but for various reasons, such as difficulty of use for employees and users, they do not deploy as much security as they should. Even the most complex passwords can be captured by cyberattackers using trojan keyloggers or tools such as Mimikatz. Users tend to use no more than 2-5 different passwords and sometimes these common passwords are also known to other family members when sharing streaming subscriptions or other platforms. Frequently, there is also a risk that they can be captured through social engineering techniques such as phishing.  

Many credentials also end up on the dark web as a result of a data breach and those passwords remain exposed, and until the organization realizes security has been violated, these can be exploited with malicious intent. 

Given this situation, it is imperative that organizations implement multi-factor authentication (MFA) solutions. Passwordless multi-factor authentication solutions do exist, but they are not very flexible and are very specific to certain functions (e.g., logging on to the computer), so most websites and services do not support them yet. Moreover, those that do almost always need a supporting password, as is the case with banking apps that initially support biometrics with facial recognition on the cell phone but always require a support password as well.  

This is why the best solution, in most cases, is for organizations is to implement MFA solutions with push notifications. If a hacker obtains valid credentials and attempts to log in to the account, the legitimate user will receive a push notification (usually including reference data such as the geographic location of whoever tried to log in) requiring confirmation. If the user ignores or rejects it, access is blocked to the cyber threat actor. In addition, this solution also has another important benefit: legitimate users will be alerted to the fact that their password has been obtained without their permission or has been exposed on the dark web, enabling them to change it quickly. It’s also important to notice that user training is imperative for an MFA deployment. They should understand and acknowledge that they should always look at the push message before approving or denying it, avoiding happy clickers. 

For those using regular time-based OTPs, there is always the risk that the hacker will also manage to clone the mobile phone, using some RAT application, and creating a clone of the mobile token with its seed. For these cases, there is also an extra MFA protection functionality that not only verifies the phone number, but also checks whether the receiving device is the legitimate one, through an encryption/hash algorithm specifically linked to the hardware of the pre-registered device, as if it were mobile DNA. This greatly reduces the number 1 risk that makes organizations vulnerable to unauthorized access: their employees' credentials.