Lapsus$ and the Benefits of Decoupling Authentication
Jay Roxe, HYPR
2 Min. Read | March 22, 2022
Over the past few weeks the Lapsus$ group, a relative newcomer, has achieved notoriety for reportedly breaching a number of significant companies, including Nvidia. We obviously cannot verify whether these breaches occurred, or how they were executed, beyond what the impacted organizations have released publicly. But it is clearer than ever that today's cyberthreats require authentication to be as breach-resistant and phishing-resistant as humanly possible. Notably, Nvidia did disclose that the attackers had compromised both a password and the second authentication factor. In other words, its legacy multi-factor authentication (MFA) solution was bypassed.
Decouple to Eliminate the Password: One step that target companies need to consider is decoupling MFA from their identity provider (IdP). This has a couple of key benefits. To start, it enables companies to move to phishing-resistant MFA, as required by the Zero Trust authentication requirements recently released by the federal Office of Management and Budget (OMB). The MFA checkbox has moved: attackers have shown that they can bypass traditional solutions through push fatigue (repeatedly prompting a user for approval until one prompt is accepted) or by exploiting other gaps in the solution. To get to phishing-resistant MFA, security teams must eliminate all shared secrets.
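To make the shared-secret point concrete, the following is an added example, not code from HYPR or from any product mentioned on the page. It contrasts a legacy second factor (RFC 6238 TOTP, where the server and the phone hold the same seed) with a FIDO2/WebAuthn-shaped assertion in which a device-held private key signs a challenge together with the origin the browser actually observed. A phishing proxy that forwards the TOTP code is accepted, because nothing in a six-digit code says where the user typed it; the same proxy forwarding a WebAuthn-style assertion is rejected, because the signed data names the wrong origin. The Ed25519 key in place of a real authenticator, the 30-second TOTP step, the seed, timestamp and the two origins are all constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// hotp is RFC 4226 HOTP (6 digits): the same shared secret sits on the phone and the server.
func hotp(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// totp is RFC 6238 TOTP with 30-second steps.
func totp(secret []byte, unixTime int64) string { return hotp(secret, uint64(unixTime/30)) }

// verifyTOTP is the server-side check. The code carries no information about where the
// user typed it, so a code harvested by a phishing page and forwarded at once is accepted.
func verifyTOTP(secret []byte, code string, unixTime int64) bool {
	return hmac.Equal([]byte(code), []byte(totp(secret, unixTime)))
}

// clientData is what the browser hands the authenticator. The browser, not the page's
// script, fills in Origin from the site the user is actually visiting.
type clientData struct {
	Challenge []byte
	Origin    string
}

func (c clientData) hash() []byte {
	h := sha256.New()
	h.Write([]byte(c.Origin))
	h.Write([]byte{0}) // separator so origin and challenge cannot run together
	h.Write(c.Challenge)
	return h.Sum(nil)
}

// assertion is what the authenticator returns to whichever site asked for it.
type assertion struct {
	Data clientData
	Sig  []byte
}

// sign models the FIDO2 authenticator: the private key never leaves the device.
func sign(priv ed25519.PrivateKey, d clientData) assertion {
	return assertion{Data: d, Sig: ed25519.Sign(priv, d.hash())}
}

// relyingParty stores only its own origin and the user's public key: no shared secret.
type relyingParty struct {
	origin string
	pub    ed25519.PublicKey
}

func (rp relyingParty) newChallenge() []byte {
	ch := make([]byte, 32)
	rand.Read(ch)
	return ch
}

// verify rejects any assertion made on a different origin, even with the right
// challenge and a valid signature: a relayed login simply does not verify.
func (rp relyingParty) verify(issued []byte, a assertion) bool {
	return a.Data.Origin == rp.origin &&
		hmac.Equal(a.Data.Challenge, issued) &&
		ed25519.Verify(rp.pub, a.Data.hash(), a.Sig)
}

// simulateRelay pushes both schemes through a phishing proxy that forwards everything
// between the victim and the real site, and reports whether each scheme let the proxy in.
func simulateRelay() (totpRelayed, fidoRelayed bool) {
	const now int64 = 1647907200                          // constructed timestamp
	shared := []byte("constructed-shared-seed-do-not-use") // constructed TOTP seed
	harvested := totp(shared, now) // victim types the current code into the phishing page
	totpRelayed = verifyTOTP(shared, harvested, now)

	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	rp := relyingParty{origin: "https://login.example.com", pub: pub} // constructed origin
	challenge := rp.newChallenge()
	// The proxy forwards the real challenge, but the victim's browser is on the phishing
	// origin (constructed) and binds that origin into the signed data.
	relayed := sign(priv, clientData{Challenge: challenge, Origin: "https://login.example.net"})
	fidoRelayed = rp.verify(challenge, relayed)
	return
}

// legitimateFIDO shows the same flow succeeding when the user is on the real origin.
func legitimateFIDO() bool {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	rp := relyingParty{origin: "https://login.example.com", pub: pub}
	challenge := rp.newChallenge()
	return rp.verify(challenge, sign(priv, clientData{Challenge: challenge, Origin: rp.origin}))
}

func main() {
	t, f := simulateRelay()
	fmt.Println("relayed TOTP code accepted:", t)                      // true
	fmt.Println("relayed origin-bound assertion accepted:", f)          // false
	fmt.Println("assertion from real origin accepted:", legitimateFIDO()) // true
}
```

The defender-relevant property is the one `verify` enforces: the relying party never has to detect the proxy or judge the user's behaviour, because an assertion made on the wrong origin is not valid for it, and there is no secret on the server side for an attacker to reuse. The TOTP server, by contrast, holds the seed itself and has no way to distinguish a code typed on the real login page from one typed into a look-alike.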
Decouple to Improve the User Experience: The other advantage of decoupling is a consistent user experience across multiple IdPs. Many of the organizations we work with, particularly those that have grown through acquisitions, find that they have multiple IdPs and therefore an inconsistent authentication experience, MFA included. Only by decoupling from the identity provider can organizations provide a uniform user experience. HYPR research has shown that push attacks are up by 33% over the past year, and we expect this to continue. To get to phishing-resistant MFA, security teams are well advised to provide a consistent user experience across platforms and applications.
All of the organizations that were reportedly breached are sophisticated organizations with strong security programs. They are the elite. Despite that, Brazil-based attackers apparently penetrated their defenses. Separating identity from authentication is one way to change the economics of attack in favor of the defender.
Jay Roxe is Chief Marketing Officer at HYPR where he is responsible for elevating the company story and helping to define the passwordless security category. Prior to joining HYPR, Jay held the same role at BitSight where he helped to define the Security Ratings category. Jay has more than 20 years of experience in software development and marketing with expertise in security, electronic medical records, and development platforms at a variety of companies including Rapid7 and athenahealth.