Multi-Factor Authentication probably foiled or deterred many identity fraud attempts last year, but one report shows we cannot be complacent

In a report based on anonymized data from its global customer base in the first 90 days of 2022, Okta has announced its perspectives on last year’s customer identity and access management (CIAM) trends.

First, the firm observed almost 300m fraudulent account creation attempts in its customer ecosystem, accounting for about 23% of signup attempts, up from 15% in the same period in 2021. Energy/Utilities and Financial Services experienced the highest proportion of signup attacks, with such threats accounting for most of the registration attempts in those two industries.

Second, in the first 90 days of 2022, the firm’s users in the retail/e-commerce, financial services and entertainment verticals experienced record levels of credential stuffing attacks, comprising more than 80% of login activity. The platform detected almost 10bn credential stuffing events, representing some 34% of overall traffic or authentication events. In South-east Asia, where the figures were driven by several large-scale attacks, credential stuffing accounted for the majority of identity events. The situation in Australia and New Zealand was more optimistic: normal traffic represented 63% of login events, and only during a large attack did credential stuffing overtake legitimate traffic.

Third, threat actors were targeting multi-factor authentication (MFA): in the Asia Pacific region, MFA bypass attacks were responsible for more events than signup attacks. As attackers become more sophisticated at targeting MFA, the firm recommends that MFA be implemented correctly and that strong secondary factors also be implemented.

Finally, the firm’s customer ecosystem data in the first 90 days of 2022 showed that the cyber threats facing any particular application or service vary enormously by geography, industry, and brand prominence, among other factors. Balanced against different organizations’ risk appetites and exposures, this means that security measures, and the friction they impose on users, will vary. According to the firm’s Senior Vice President and General Manager (Asia Pacific & Japan), Ben Goodman: “The first step towards implementing CIAM securely is to understand why and how adversaries are attacking these customer-oriented businesses. A reliable CIAM system could help businesses combat account-takeovers to protect consumers and businesses while boosting a seamless consumer experience.”

Three CIAM recommendations

The report, based on the data gleaned in the early months of 2022, recommends that application and service providers:

    1. Implement defence-in-depth tools that work in combination across the user, application, and network layers
    2. Continually monitor their applications for signs of attacks and changes in adversaries’ tactics, techniques and procedures
    3. Make adjustments (e.g., tune parameters, tighten restrictions, introduce new tools, etc.) as needed, and maintain a CIAM system that balances the quality of customer/user experience against system security

Goodman said identity security should be a board-level issue. This would allow workers to focus on innovation, collaboration, and productivity while reducing overall identity-related risk.

In the context of varying the approach in CIAM implementation, the report also highlighted that an agile, secure-by-design CIAM system permits a considerable amount of flexibility, allowing organizations to tailor CIAM and continually tune it as needed without drawing in resources that could be put to better use in advancing core business competencies. Combining multiple security tools that operate at different layers and form a unified defensive position is a way to stay cyber vigilant. Such measures include implementing MFA; using generic failure messages that do not reveal system details; limiting failed login attempts; and implementing secure session management practices.