HYPR | The Identity Assurance Company

We are thrilled to share the release of HYPR's fourth annual 2024 State of Passwordless Identity Assurance Report! Don't wait to dive into the latest trends shaping the identity security landscape. https://hubs.la/Q02xX_wC0 #cybersecurity #identitysecurity #passwordless

78% of organizations were targeted by identity-related attacks last year. How is your organization adapting its security strategy? Join Bojan Simic and Ryan Rowcliffe as they discuss how multi-factor verification combats modern threats by making identity verification an intrinsic part of daily access flows. #authentication #identityverification #identitysecurity

The attack on client accounts of cloud data giant Snowflake continues to have widespread impact. Today AT&T disclosed a massive data breach affecting approximately 110 million customers, involving call and text records. Like the data breaches announced by Ticketmaster and Santander, the data was stolen when cybercriminals exploited weak authentication practices on Snowflake accounts, allowing them to gain unauthorized access. Orchestrated by the group UNC5537, the attack exploited stolen credentials and inadequate security measures, highlighting the critical importance of robust identity and access management practices. While the stolen AT&T data did not include message content, it did include the phone numbers of both the AT&T customer and the party they were interacting with, as well as call and text counts and call duration. This makes the data a valuable tool for further social engineering attacks.  Key Takeaways - MFA is No Longer Optional: Single-factor authentication should be a relic of the past. Snowflake has now made MFA mandatory for administrators, but this should be the norm across all user accounts. - Credential Hygiene is Crucial: Regular rotation of credentials and unique, complex passwords for each service can significantly reduce the risk of credential stuffing attacks. - Continuous Monitoring is Key: The ability to detect and respond to unusual activity quickly can make all the difference in mitigating the impact of a breach. Passkeys: The Path Forward The Snowflake breach presents an opportunity to advocate for more advanced authentication methods, such as passkeys based on the FIDO2 standard. Passkeys offer several advantages that could have potentially prevented or mitigated this incident: - Phishing-Resistant: Passkeys are bound to the legitimate website, making them resistant to phishing attacks. - No Shared Secrets: Passkeys eliminate the need for shared secrets, reducing the risk of credential theft. - Built-in MFA: Passkeys inherently provide multi-factor authentication, combining something you have (your device) with something you are (biometric verification). - Improved User Experience: Passkeys offer a seamless login experience, encouraging wider adoption of strong authentication methods. This incident underscores the importance of robust cybersecurity practices and proactive measures to protect sensitive data. Snowflake has since announced measures to help enforce multi-factor authentication on accounts, which is certainly a step in the right direction. However, the methods available are not phishing-resistant and can also be bypassed by a determined hacker. Share further thoughts and questions in the comments below! #cybersecurity #snowflake #AI #cyberattack FIDO Alliance

Bad actors are infiltrating organizations by social engineering the IT helpdesk. How? #identityverification #phishing #cyberattack

Busy week at HYPR as we come together in NYC to collaborate, strategize and spend quality in-person time together. More to come throughout the week! #cybersecurity #identitysecurity #identityassurance

Passkeys aren't the problem - it's the the weaker fallback methods that are. Jeffrey Hickman, HYPR's Head of Solutions Engineering, offers a thoughtful response to a recent article on passkeys, providing clarity around their security and what factors contribute to weaknesses. #cybersecurity #passkeys #CIAM

Trivia Thursday Takeover! Test your cybersecurity knowledge with our special-edition Independence Day trivia. #cybersecurity #cyberthreat #cyberattack

Happy Independence Day from HYPR! We hope everyone is enjoying the day with friends, family, and loved ones.

Identity threats are evolving so rapidly that traditional security measures are no longer sufficient. From emerging generative-AI threats to the latest in passkey technology, HYPR Field CTO Ryan Rowcliffe sits down with Andrew Shikiar, Executive Director and CEO of the FIDO Alliance, to discuss insights from the latest State of Passwordless Identity Assurance report. In this engaging talk, Ryan and Andrew dive into the top identity security threats of 2024 and how organizations can stay ahead of them. Key topics include: - Current Identity Security Practices: Ryan and Andrew explore the strengths and weaknesses of existing security measures and how enterprises are adapting. - Top Causes of Breaches: Discover the primary vulnerabilities leading to breaches and the strategies to mitigate these risks effectively. - Generative-AI Threats: Learn about the evolving landscape of AI-driven threats and innovative ways to combat them. - Passkeys and Identity-First Security: Understand how to build a robust, identity-first security framework to protect your organization. Don't miss out — tune in today. Arm yourself with critical insights to enhance your security posture and safeguard your enterprise against the identity threats of tomorrow. Watch the recorded webinar now for an insider's look at the report's key findings: https://bit.ly/3zpgI6u #cybersecurity #identitysecurity #passwordless

Change management is often the reason many identity projects seem to linger on forever or don't ever get started at all. Driving change across an entire user base is never trivial, especially when IAM teams are driving behavior change along with it. When it comes to MFA, many organizations have recently implemented it. Unfortunately, the vast majority of the time, they implemented the phishable kind. You know, the kind that uses OTP codes and PUSH notifications alongside passwords. These legacy methods of doing MFA have proven to be vulnerable to automated attacks and even when they are successful, hackers will go to the next weakest link in the chain, the IT help desk. By social engineering the IT help desk (usually some combination of KBA), they simply enroll a MFA credential as the target user and have almost unrestricted access to an environment. Today, IAM teams must be able to secure the identity chain throughout. Otherwise all the effort gone into change management is wasted. Here are three tips: 1. Make sure your MFA is phishing resistant, always. 2. Put in place controls to make sure your credential reset process is not vulnerable to social engineering. 3. Put in place a system to monitor identity risk and automatically respond to threats. Here at HYPR, we love a good meme. Enjoy Bojan Simic's Meme Monday, and his recommendations for IAM teams working through product evaluations and change management across large organizations. #cybersecurity #IAM #MFA