By Chuck Brooks
Traditionally, strong passwords have been a first-tier defense against cyber-attacks and breaches. However, with the development of AI and ML tools, the effectiveness of password-based defense has been thoroughly diminished, especially against more sophisticated cyber actors who use AI/ML tools to circumvent password defenses. Despite the drawbacks of passwords, cyber decision-makers (CTOs, CISOs, etc.) have been hesitant to abandon them. But an innovative passwordless solution is available that can facilitate the move away from passwords and enhance security strategies. It’s Netlok’s Photolok, a passwordless IdP, which employs images in place of passwords and uses OAuth for authentication and OpenID Connect for integration.
Photolok is user-friendly and provides enhanced security not available with other solutions. Photolok’s randomization of photos mitigates AI/ML attacks because the tools cannot identify or learn any patterns and, therefore, prevents AI/ML breaches. The proprietary photos are used to hide attack points from nefarious actors, streamline the login process, and make point-and-click navigation easy to use.
With Photolok, bots are unable to recognize which photographs to attack. Any automated attack is substantially neutralized by the randomization of photo positions. Moreover, the digital information hidden behind the images, which can be updated every time a login attempt is made, won’t be gathered by the bots. Any automated bot attempt to get access will certainly fail and result in the user’s account being instantly locked out.
Photolok makes the identity authentication journey easier for humans to manage. The photos are easy to remember, connect with people, and provide privacy protection. Photolok’s simplicity makes it intuitive and removes the language and literacy barriers that make passwords difficult to use. Getting rid of passwords also eliminates the costly process of password resetting and following password rules, which makes Photolok very cost-effective. To change or add photos, users select and label a photo, which is automatically saved in seconds.
Photolok IdP is an identity provider and an authentication server with OpenID Connect, making it easier to integrate apps and APIs. With Photolok, users upload pictures from Photolok’s custom library to be used as identifiers. To authenticate their identity, the user just uploads, labels, and chooses security photos from Photolok’s custom library.
Photolok IdP can be used as a standalone MFA alternative. The availability of robust authentication techniques like multi-factor authentication (MFA) can greatly lower the risk of data loss or compromise and is one of the main benefits of adopting an identity provider (IdP). Photolok MFA IdP can confirm the user’s identity, making it more difficult for malicious parties to access private information without authorization.
Deploying single sign-on (SSO) technology also simplifies the user experience, which is another advantage of adopting an identity provider like Photolok. When used with a federator like Okta Workforce, users won’t need to remember numerous passwords, usernames, or backup authentication techniques, which lowers the total quantity of data that a business’s system must constantly monitor. For example, Netlok uses Photolok to log in to its Okta Workforce account to immediately access a wide pool of apps and APIs.
Photolok is the first IdP to offer situational security protection in public environments or even in unprotected remote work. The Photolok account owner can 1) give permission for the device and browser to be used for Photolok identity and authentication entry, 2) use the “Duress” photo to trigger an automated warning informing IT that the account owner is having problems or that a malicious actor is forcing them to access their device, 3) use the “One-Time Use” photo to stop shoulder surfing, and 4) give permission for an alert message to be sent each time the user opens their account. Photolok is a major innovative development in digital security systems, particularly in its capabilities to mitigate AI-generated threats. Photolok effectively removes a great deal of the shortcomings in the current security paradigm. More significantly, Photolok blocks horizontal penetrations and defends against external threats, such as ransomware, phishing, keylogging, shoulder surfing, and man-in-the-middle attacks. In effect, Photolok lessens the user’s burden while improving online digital security, which is essential for widespread adoption by both businesses and consumers.
CyberheistNews Vol 13 #05 | January 31st, 2023
Cybersecurity Ventures released a new report that claims cybercrime is going to cost the world $8 trillion in 2023. If it were measured as a country, then cybercrime would be the world’s third largest economy after the U.S. and China.
The number sounds outlandish, but they stated: “We expect global cybercrime damage costs to grow by 15 percent per year over the next three years, reaching $10.5 trillion USD annually by 2025, up from $3 trillion USD in 2015.
“Cybercrime costs include damage and destruction of data, stolen money, lost productivity, theft of intellectual property, theft of personal and financial data, embezzlement, fraud, post-attack disruption to the normal course of business, forensic investigation, restoration and deletion of hacked data and systems, and reputational harm.”
The 2022 Official Cybercrime Report published by Cybersecurity Ventures and sponsored by eSentire, provides cyber economic facts, figures, predictions and statistics which convey the magnitude of the cyber threat we are up against, and market data to help understand what can be done about it.
Link to the article where you can download the report and see the VIDEO:
https://cybersecurityventures.com/cybercrime-to-cost-the-world-8-trillion-annually-in-2023/
Source: Paul Sigismondi, Ph.D., is a research physicist and educator. He has a B.S. in Physics from the University of California at Berkeley and a Ph.D. in Physics from the University of North Carolina at Chapel Hill. His research interests include theoretical astrophysics and quantum field theory.
Security from intruders is an ancient quandary and the internet has created new challenges. The purpose of this evaluation is to explore a digital identity and authentication solution called Photolok® that addresses the security problem caused by the digital transformation that has invaded our daily lives. Since the digital world is still evolving, it’s helpful to begin with a review of security solutions because we still use century-old methods that will be replaced someday with digital solutions like Photolok.
A functional security system must allow quick, easy, and convenient entry to those with permission, but must make invasion by an unwanted intruder a highly unlikely occurrence. Ancient security arrangements typically involved gates, walls, watchtowers, moats, and armed personnel. In these arrangements, the main objective, which is still operative in modern systems, was to make invasion a taxing and dangerous enterprise for the intruder. Like today, robust and effective security required manpower and maintenance. Furthermore, the administrators had to acquire an awareness of the ever-changing techniques that clever intruders were attempting in order to subvert the security systems in place.
The lock and key, which likely existed in rudimentary forms in ancient Egypt, provided localized security for people’s homes, safes, and the like. The advent of the combination lock eliminated the necessity of transporting keys and required merely recall of a numerical code to secure entry. Like the modern password system used for cybersecurity, these systems had their drawbacks.
From the standpoint of user convenience, what happens if the user loses his or her keys or forgets the combination? Spare sets of keys, pieces of paper with combinations written on them, keys placed under mats, and unlocked back doors and windows litter the praxis of those trying to prevent lockouts, while securing their property traditionally. They also create more possibilities for unwanted intruders to gain access to the keys or the combination. Since the user was not always able to access spare keys or a place where the combination is stored, the security system had to be penetrable without keys or the correct combination to be practicable. And, if a locksmith can pick a lock or crack a safe, then someone with nefarious intentions could certainly learn to do the same.
A combination lock has 59,280 distinct codes. There are fewer than 100,000 distinct lock and key combinations for a typical home door. If an 8-letter password is assigned at random to log on to an internet account, there are nearly 209 billion distinct possibilities for that password. In practice, a randomly assigned password is extremely difficult to remember. So instead, users are generally allowed to choose their own password.
People tend to choose memorable passwords composed of common words and pass phrases. This significantly reduces the number of passwords practically in use. Zipf’s law, a well-known rule of thumb in statistics, states that the frequency of a given event within a distribution is inversely related to the rank of that event amongst the most highly ranked members of that distribution. Practically speaking, this means many people will choose the most common passwords in use. For example, in 2021, an estimated 2.5 million users adopted the most common password, “123456”, nearly a million users chose “123456789”, and a little over 300,000 users chose “password”.
Zipf’s law has the effect of concentrating a population into the highly ranked events within that population. In fact, fitting the data for the top 7 passwords yields a frequency that is inversely proportional to the rank raised to the 1.3 power. If this relationship were to hold consistently, then 50% of the passwords in use would be one of the top 7 most common passwords. This phenomenon gives internet intruders (bots and cyber hackers) a distinct advantage. (A ‘bot’ – short for robot – is a software program that performs automated, repetitive, pre-defined tasks. Bots typically imitate or replace human user behavior. Because they are automated, bots operate much faster than human users.)
Given that a modern intruder is often an automated bot that can make billions of attempts with the most common passwords on multiple targets each second, traditional passwords are vulnerable to statistical attack. Even if a user is astute enough to choose a more secure password, there are other methods that bots can try in order to penetrate password-secured systems, which include phishing, ransomware, malware, insider threats, and distributed denial of service attacks, to name a few.
reCAPTCHA is a common solution to prevent bot attacks. After the user has successfully entered their username and password, they are prompted to prove they are a human, either by properly identifying distorted text or by identifying images with similar content. At this point, every hacker has seen the limited suite of images used in the reCAPTCHA algorithm and can use this information to their advantage. In addition, off-the-shelf software can now crack the reCAPTCHA algorithm 70% of the time.
The rapid advancement and efficacy of techniques currently employed by cyber hackers necessitate more robust security systems. Traditional password-secured systems are vulnerable both to non-statistical attacks (phishing, ransomware, man-in-the-middle attacks, etc.) and to statistical attack, especially when sufficient latitude is given to the user in choosing a password. Photolok is a system that is nearly impervious to non-statistical attack and has an incredibly low probability of statistical attack, comparable to truly randomly assigned passwords. At the same time, it is far more convenient to the user in terms of recall than a randomly assigned password that the user did not participate in choosing.
Photolok is a novel concept that employs proprietary-coded photos as the key to entry. The system can either assign the user photos or allow the user to choose photos from a proprietary library of photos that currently number over 6400. At login, the user is prompted for an email address. As an added security feature, there is an option that requires the user to input an access code that is emailed or texted to them after they have entered their email address. Subsequently, the user must locate one of their account photos, which appears randomly amid a panel of photos.
The Photolok identity and authentication system can be customized to allow the user to choose up to 5 photos as well as label special security photos for 1-Time Use and Duress. This identity and authentication system is highly secure and easy to use given that the photos are easily recalled and must be spotted by a human. More importantly, Photolok also protects against most external attacks, including keylogging, shoulder surfing, phishing, ransomware, and man-in-the-middle attacks while preventing horizontal penetrations.
This leaves a statistical attack as the only viable means of penetrating the Photolok system. However, this is highly unlikely. The number of possible combinations formed by choosing a minimum 3 photos from a library of 6400 is nearly 44 billion, which is about 5.5 times the total population of the world. The number of people fully employed in the US is about 132 million. If every one of those workers participated in choosing 3 photos out of 6400, the probability that there would be at least one duplicate set of photos in that large sample is 0.32%. Even if the entire world’s population were given this task, the likelihood of at least one duplicate set of photos occurring within the choices is still only 17%. Therefore, penetration of the Photolok system is nearly impossible.
Furthermore, the above analysis overestimates the probability of breakthrough. There is no limit to the complexity of the Photolok system. Photos can be added to the library. Administrators can also ask the users to choose more photos. As stated above, the choice of 3 photos is a minimum. In many cases, users will want to use 4 photos, with nearly 69 trillion photo combinations. With the ability to change a few operational variables, security can be further enhanced in a flexible manner with no extra burden to the user – e.g., increasing the size of the proprietary photo library.
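To make the comparison in the preceding passages concrete, the following is an added worked example (not code from the evaluation or from Netlok). It takes the figures quoted above (26^8 for an 8-letter random password, C(6400, k) photo sets, and the rank^-1.3 Zipf fit for human-chosen passwords) and computes how much of the account population an attacker with a fixed guess budget covers in each case; the dictionary size, the guess budget before lockout, and the blocklist model for the NIST guidance on screening common passwords are assumptions for illustration.

```python
import math
from functools import lru_cache

# Added illustration (not Netlok's or the author's code). Figures from the
# text: an 8-letter random password has 26**8 (~209 billion) possibilities,
# a set of 3 photos from a 6400-photo library has C(6400, 3) (~44 billion),
# and the top-7 password frequencies were fitted as frequency ~ rank**-1.3.
# The dictionary size and guess budget below are constructed assumptions.

ZIPF_EXPONENT = 1.3          # exponent fitted in the text
DICTIONARY = 1_000_000       # assumed number of distinct human-chosen passwords


def random_password_space(alphabet: int, length: int) -> int:
    """Number of distinct passwords when every character is drawn uniformly."""
    return alphabet ** length


def photo_set_space(library: int, chosen: int) -> int:
    """Number of distinct unordered photo sets, i.e. C(library, chosen)."""
    return math.comb(library, chosen)


def uniform_success(space: int, guesses: int) -> float:
    """Chance that `guesses` distinct attempts hit one uniformly chosen
    secret. A lockout policy caps `guesses`, which is what keeps this tiny."""
    return min(1.0, guesses / space)


@lru_cache(maxsize=None)
def _zipf_weights(exponent: float, dictionary: int) -> tuple:
    """Unnormalised Zipf weights for ranks 1..dictionary (computed once)."""
    return tuple(rank ** -exponent for rank in range(1, dictionary + 1))


def zipf_success(guesses: int, banned: int = 0,
                 exponent: float = ZIPF_EXPONENT,
                 dictionary: int = DICTIONARY) -> float:
    """Fraction of accounts covered by trying the `guesses` most popular
    passwords when users pick passwords Zipf-distributed by rank.

    `banned` is an assumed model of a NIST-style common-password blocklist:
    the top `banned` ranks can no longer be chosen, and users are assumed to
    fall back to the remaining ranks with the same rank-frequency shape.
    """
    weights = _zipf_weights(exponent, dictionary)[banned:]
    return sum(weights[:guesses]) / sum(weights)


if __name__ == "__main__":
    budget = 10   # assumed attempts an attacker gets before lockout
    print(f"8-letter random password, {budget} guesses: "
          f"{uniform_success(random_password_space(26, 8), budget):.2e}")
    for k in (3, 4, 5):
        space = photo_set_space(6400, k)
        print(f"{k} of 6400 photos = {space:,} sets; {budget} guesses: "
              f"{uniform_success(space, budget):.2e}")
    print(f"Zipf(1.3) passwords, top-7 guesses: {zipf_success(7):.1%}")
    print(f"same, after banning the top 7:      {zipf_success(7, banned=7):.1%}")
```

Under the Zipf fit, seven guesses cover roughly half of all accounts, while the same seven guesses against a uniformly chosen 3-photo set succeed with probability on the order of 10^-10; the `banned` parameter shows why screening the most common passwords at change time shrinks the statistical attack even when passwords are kept.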
As opposed to passwords, bots can’t identify the photos to target. The randomization of photo positions effectively neutralizes any automated attack. Furthermore, the bots won’t be able to collect the digital data behind the photos, which may change each time a login attempt occurs. With almost 100% certainty, any attempt at penetration by an automated bot will result in failure and automatically lock the user’s account.
In conclusion, Photolok represents a significant and promising evolution in digital security systems. It seamlessly eliminates many of the flaws inherent in the present security paradigm. Most importantly, it enhances online digital security, while simultaneously reducing the burden on the user, which is critical for mass adoption.
Note: to learn more about Netlok’s Photolok logon solution, visit www.netlok.com.
Frustrating for both users and administrators, password management can be a challenge to manage in any organization. One lost or stolen password may be the crack in your organization’s foundation, allowing an attacker to slip in.
Conventional password recommendations have held that regular changes and lengthy and complex passwords would keep attackers at bay. Many guidelines have been published, but in recent years, conventional wisdom has been changing.
One such guideline, initially published in 2017 but updated in 2020, is the NIST Password Guideline Standards (NIST Special Publication 800-63 Revision 3). A significant change included the removal of the prior recommendation for regular password changes.
Despite NIST recommendations to not regularly rotate a user’s passwords, this does not mean there are still no valid reasons to use password resets. Below are some pros and cons of when password resets make sense and where they may fall short.
| Pros | Cons |
|---|---|
| Regular password resets mean a stolen password is usable only for a limited time. | A user is more likely to fall back on a typical password pattern, leading to insecure passwords. |
| When a breached password is found, forcing a password reset ensures users do not continue to use insecure passwords. | An organization can avoid future resets by checking for breached passwords on a password change. |
| Lost devices should necessitate a password change to ensure that a cached password is not used. | Multi-factor verification makes a lost device more a nuisance than a security issue, especially with encrypted devices. |
With all of these potential scenarios, how do password resets, scheduled or unscheduled, cause real economic and productivity damage?
Many users dread a password reset. There is always a cost, whether it is due to a procedure or a problem. Imagine the scenario where a user is about to start the workday but needs to rotate their password due to company policy. This is not uncommon, as many users wait until the last minute for a password change, leading to locked-out accounts and longer-than-expected password reset tickets.
In studies, the Gartner Group found that between 20% and 50% of all help desk calls are for password resets. Not only that, each password reset can typically take between 2 and 30 minutes to fix. The time and cost savings that a helpdesk could realize with a decrease in password resets mean an increased focus on the more complex problems.
The increased interconnectivity of systems often compounds these time commitments. For an authentication system like Active Directory, a password reset means that the user account’s password change must be replicated to all connected Domain Controllers (DCs).
With more remote workers, this may mean that the DCs are geographically spread out, leading to longer replication times. Adding additional subsystems in the mix, some even with manual synchronization, can compound the problem even more!
Any user facing the prospect of 30 minutes or longer time to resolution for a password reset will do whatever they can to avoid that. How might users avoid password reset issues? Instead of choosing a strong password, they may opt for one easily remembered, such as a repeating pattern. Or, they may write down the password, often leaving it in an insecure location.
What happens when a user misses the window to reset their password or forgets the latest password because of how many recent changes there have been? Not only does the user need to reach out to the already overworked helpdesk, but they are stuck waiting for a resolution rather than working in the meantime.
Plus, when a user is locked out, the password reset takes priority over other vital tasks since that user can no longer work. Any organization’s priority would be to get that individual productive once again. Thus, a password reset necessarily diverts a helpdesk’s attention.
As recent years and studies have shown, the move to more remote work is not lessening. 58% of Americans reported having the opportunity to work from home at least one day a week. A potential benefit is more flexible work hours.
There are many benefits to flexible working hours, both for employees and employers, but this also means that when a password reset is required, it may be outside helpdesk hours. Without assistance, the employee is stuck until the next day, potentially leading to even more productivity loss.
Moreover, passwords can be an expensive burden for organizations of all sizes. Forrester Research states that the average help desk labor cost for a single password reset is about $70. This does not consider the lost productivity for a user, compounded by the many password resets done in a given year.
According to a Yubico-sponsored report, the average user spent 10.9 hours a year on password resets, leading to an average loss of $5.2 million a year in productivity for a 15,000-user organization (based on a $32-an-hour average). The Yubico report focused on the end user, but that is not the only place where the time investment lies.
For IT helpdesks, a OneLogin study found that over 37% of companies spent more than 6 hours a week on password resets. That is time a helpdesk employee could spend on other, more critical tasks; it could even mean an organization needs fewer helpdesk employees overall.
With all of these challenges, what can an organization do to lessen the impact of password resets? One step would be to implement the latest NIST guidelines and do away with regular password resets. But, a user will inevitably forget a password, or an unrelated breach may also lead to a compromise.
The best way for an organization to save time, money, and productivity is to empower the users with a self-serve password reset solution. Specops uReset offers a variety of features to allow users to reset their passwords without the need for a time-consuming and potentially expensive IT helpdesk call.
Password resets, while a necessity in some cases, lend themselves well to self-service, with a lessened impact on the helpdesk and an organization’s bottom line. You can test out Specops uReset in your Active Directory to experience a secure self-service password reset solution.
Sponsored and written by Specops Software