Last year, the highest volume of cyberattacks (30%) started in the same way: a cyber criminal using valid credentials to gain access. Even more concerning, the X-Force Threat Intelligence Index 2024 found that this method of attack increased by 71% from 2022. Researchers also discovered a 266% increase in infostealers to obtain credentials to use in an attack. Family members of privileged users are also sometimes victims.

“These shifts suggest that threat actors have revalued credentials as a reliable and preferred initial access vector. As threat actors invest in infostealers to grow their credential repository, enterprises are pushed into a new defense landscape where identity can no longer be guaranteed,” wrote the X-Force report.

Organizations must focus on access control

The only way to prevent the use of valid credentials is to make sure that the person using the account is the person who was issued the credentials. This requires organizations to focus on access control to validate the identity of every user every time they access sensitive information.

Moving towards mobile credentialing

However, the traditional username and password credentials are easily used for cyber crimes. Hackers often break into accounts by figuring out the password using artificial intelligence (AI). Additionally, credentials are often sold on the dark web, making it very easy for a cyber criminal to use valid credentials to launch a breach or attack.

To reduce this risk and increase the likelihood of only valid users gaining access, organizations are turning to mobile credentialing. With this type of identity validation, a user must validate their identity using a mobile device. When the identity is established, the user is assigned a digital key that is unique to their device. Some technologies use a QR code, while others use a link. Each time the user accesses the system, the device uses the digital key to ensure that the assigned person uses the credential. Mobile credentialing can be used for physical access, such as a secure data center located in a building, or for virtual access, such as to a database containing sensitive customer data.

Read the Threat Intelligence Index

Benefits of mobile credentialing

Organizations using mobile credentialing often see the following benefits:

  • Reduced risk: Because users keep their mobile devices with them, the odds of a cyber criminal having access to the credentials and the device are low. Because users need physical access to a device, stolen credential attacks are more challenging to pull off than traditional access control.
  • Lower cost: Mobile access requires less administration, meaning it’s less expensive to operate and maintain. Administrators can more easily add and delete users than traditional access management.
  • Easier to create temporary credentials: With mobile credentialing, system administrators can now more easily and quickly create temporary credentials, such as a contractor or vendor.

Potential pitfalls of mobile credentialing

However, mobile credentialing also brings some challenges. Common issues include:

  • Personal device requirement: Some employees do not want to use their personal devices for work purposes. Organizations must overcome this challenge either by issuing a keycard or business devices.
  • Device must be charged and operational: If the user’s device is out of battery or not currently working, they cannot access applications and systems needed for work-related tasks. Organizations should create an alternative access method for these situations.

The future of mobile credentialing

As more organizations begin using this type of credentialing, employees and users will become used to turning to their personal devices to log in. Organizations that adopt this technology can now evolve their practices and usage as the technology advances. Organizations can reduce the risk of breaches involving valid credentials by reducing their overall risk and vulnerability.

More from Data Protection

How governance, risk and compliance (GRC) addresses growing data liability concerns

4 min read - In an era where businesses increasingly rely on artificial intelligence (AI) and advanced data capabilities, the effectiveness of IT services is more critical than ever. Yet despite the advancements in technology, business leaders are increasingly dissatisfied with their IT departments.According to a study by IBM's Institute for Business Value, confidence in the effectiveness of basic IT services among top executives has significantly declined. While AI promises transformational capabilities, particularly generative artificial intelligence (gen AI), the road to realizing these benefits…

Ransomware on the rise: Healthcare industry attack trends 2024

4 min read - According to the IBM Cost of a Data Breach Report 2024, the global average cost of a data breach reached $4.88 million this year, a 10% increase over 2023.For the healthcare industry, the report offers both good and bad news. The good news is that average data breach costs fell by 10.6% this year. The bad news is that for the 14th year in a row, healthcare tops the list with the most expensive breach recoveries, coming in at $9.77…

Cost of a data breach: Cost savings with law enforcement involvement

3 min read - For those working in the information security and cybersecurity industries, the technical impacts of a data breach are generally understood. But for those outside of these technical functions, such as executives, operators and business support functions, “explaining” the real impact of a breach can be difficult. Therefore, explaining impacts in terms of quantifiable financial figures and other simple metrics creates a relatively level playing field for most stakeholders, including law enforcement.IBM’s 2024 Cost of a Data Breach (“CODB”) Report helps…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today