Check out these Cybersecurity predictions from WatchGuard
In this year’s Cybersecurity Predictions, WatchGuard updates you on the top security-related headlines that we could see in 2022.
It’s official. Windows has gone password-less! While we celebrate the move away from passwords alone for digital validation, we also believe the continued focus on single-factor authentication for Windows logins simply repeats the mistakes of history. Windows 10 and 11 will now allow you to set up completely password-less authentication, using options like Hello (Microsoft’s biometrics), a FIDO hardware token, or an email with a one-time password (OTP).
Though we commend Microsoft for making this bold move, we believe all single-factor authentication mechanisms are the wrong choice and repeat the password mistakes of old. Biometrics are not a magic pill that’s impossible to defeat – in fact, researchers and attackers have repeatedly defeated various biometric mechanisms. Sure, the technology is getting better, but attack techniques evolve too (especially in a world of social media, photogrammetry and 3D printing). In general, hardware tokens are a strong single-factor option too, but the RSA breach proved that they are not undefeatable either. And frankly, clear-text emails with an OTP are simply a bad idea.
The only strong solution to digital identity validation is multi-factor authentication (MFA). In our opinion, Microsoft (and others) could have truly solved this problem by making MFA mandatory and easy in Windows. You can still use Hello as one easy factor of authentication, but organizations should force users to pair it with another, like a push approval to your mobile phone that’s sent over an encrypted channel (no text message or clear-text email).
Our prediction is that Windows password-less authentication will take off in 2022, but we expect hackers and researchers to find ways to bypass it, proving we didn’t learn the lessons of the past.
Text-based phishing, known as SMSishing, has increased steadily over the years. Like email social engineering, it started with untargeted lure messages being spammed to large groups of users, but lately has evolved into more targeted texts that masquerade as messages from someone you know, including perhaps your boss.
In parallel, the platforms we prefer for short text messages have evolved as well. Users, especially professionals, have realized the insecurity of cleartext SMS messages thanks to NIST, various carrier breaches, and knowledge of weaknesses in carrier standards like Signaling System 7 (SS7). This has caused many to move their business text messages to alternate apps like WhatsApp, Facebook Messenger, and even Teams or Slack.
Where legitimate users go, malicious cybercriminals follow. As a result, we are starting to see an increase in reports of malicious spear SMSishing-like messages to messenger platforms like WhatsApp. Have you received a WhatsApp message from your CEO asking you to help him set up an account for a project he’s working on? Maybe you should call or contact your boss through some other communication medium to verify it’s really that person!
In short, we expect targeted phishing messages across many messaging platforms to double in 2022.