Lapsus$ and the Benefits of Decoupling Authentication

Over the past few weeks, the fairly new on the scene Lapsus$ Group has achieved notoriety for supposedly breaching a number of significant companies including Nvidia. We obviously can’t validate exactly whether these breaches occurred or how they were executed outside of what’s been released publicly by the impacted organizations. But it’s more clear than ever: Today’s cyberthreats require authentication to be as breach-resistant and phishing-resistant as humanly possible. Interestingly, Nvidia did disclose that the hackers had compromised both a password and 2nd-factor authentication. In other words, their legacy multi-factor authentication (MFA) solution was compromised.

Decouple to Eliminate the Password: One step which target companies need to consider is decoupling MFA from their IdP. This has a couple of key benefits. To start, this enables companies to move to phishing-resistant MFA as required by the Zero Trust Authentication requirements recently released by the Federal OMB. The MFA checkbox has moved — hackers have shown that they can easily bypass traditional solutions through push fatigue or taking advantage of other gaps in the solution. To get to phishing-resistant MFA, security teams must eliminate all shared secrets.

Decouple to Improve the User Experience: The other advantage of decoupling is to provide a consistent user experience across multiple IdPs. Many of the organizations that we work with — particularly those who have grown through acquisitions — find that they have multiple IdPs and therefore an inconsistent user experience for authentication, including their MFA solution. Only by decoupling from the identity provider can organizations provide a homogenous user experience. HYPR research has shown that push attacks are up by 33% over the past year and we expect this to continue. To get to phishing-resistant MFA, security teams are well-advised to provide a consistent user experience across platforms and applications. 

All of the organizations who were supposedly breached are sophisticated organizations with strong security programs. They are the elite. Despite that, Brazilian-based hackers apparently penetrated their defenses. Separating identity and authorization is one way to change the economics of attack in favor of the defender.

For a more in-depth take on decoupling identity and authentication, watch the fireside chat between industry analyst Simon Moffatt and HYPR CEO Bojan Simic or read this white paper.