Improve user authentication to prevent account takeover and fraud

Poor user experiences directly contribute to most online fraud each year.

82% of all successful data breaches can be traced back to the human element involved in online security — specifically, weak and inadequate passwords remain the largest source of account takeover risk. But users aren’t to blame for weak passwords — the user experience we put them through when they want to create or safeguard their accounts is responsible for introducing these risks.

Playing whack-a-mole with account security

Weak and reused passwords have created two major security threats that nearly every application finds itself playing whack-a-mole to prevent: 1) credential stuffing attacks and 2) account takeover. Credential stuffing involves fraudsters testing whether a username or email and password pair leaked from one site is also valid at another. Because the pairs come from real breaches rather than from guessing, it is a replay attack rather than true brute force, but it still involves sending significant bot activity to applications’ login forms. Account takeover is the final step, where attackers actually take control of an online account that belongs to another user. Account takeover attacks typically have a financial motive: the attackers intend to use the stolen account to defraud the user directly (e.g. draining funds from a bank account) or the business (e.g. making an e-commerce purchase that the business will ultimately need to refund to the original user).

Today, most companies spend significant resources and place multiple points of friction in front of good users to reduce credential stuffing and account takeover fraud. For instance,  many applications will integrate bot prevention technologies like reCAPTCHA or hCAPTCHA to reduce credential stuffing attacks and two-factor authentication (often SMS one-time passcodes or TOTP) to reduce the likelihood of a successful account takeover when a user’s password is compromised. 

The anatomy of an account takeover attack

To understand what applications can do better to safeguard users, it’s helpful to understand the anatomy of an account takeover attack. Account takeover attacks are attractive to fraudsters because they’re both 1) very lucrative and 2) quite scalable. Today, these attacks are fueled by an entire cottage industry of fraud, and different parties often carry out the 3 steps of the attack lifecycle. One party specializes in breaching databases that contain sensitive information like users’ emails and passwords. That party then sells the data to other parties that conduct the remaining steps: validating the stolen credentials at other sites (i.e. credential stuffing) and finally exploiting the validated credentials by handling the logistics of taking over and monetizing the account.

For more detail on how this entire attack unfolds, consider the 3 primary steps in most account takeovers:

  1. Hackers find a way to break into some application’s database in order to extract emails, usernames, and passwords. 
    • Applications most often successfully targeted for these types of hacks tend to share two key traits: 1) they have a large user base and 2) they are not a security-centric company. (Not being “security-centric” doesn’t mean the application doesn’t care about security; it simply means that security is not the primary consideration for the product and its value proposition. For instance, banking apps and custodial crypto accounts are only valuable if they can safeguard your funds, so these apps typically invest much more heavily in security, which makes them harder targets to breach. Regardless, attackers recognize that you don’t need to breach Coinbase or Chase in order to steal users’ bank and crypto accounts; further below, we cover the chain of risk across applications in more detail and how a breach at LinkedIn or DoorDash can still put a user’s bank account at risk.)
  2. Once attackers have successfully breached an app with a significant number of user profiles and passwords, they now want to determine where else that user may have used the same email and password pair for authenticating themselves. 
    • Attackers realize that stealing a user’s LinkedIn account holds some value, but the value is much lower than stealing that user’s financial accounts and the path to monetization is also more difficult. 
    • At this point, attackers will either sell the list of breached credentials to the highest bidder or invest in software that allows them to programmatically send login requests to applications they’re interested in breaching. This threat is one of the primary reasons we’re often asked to confirm we’re not a robot when signing into applications – fraudsters send bot traffic to these pages in order to deduce whether a user’s stolen DoorDash credentials can also be used at this site. 
  3. Once the attackers have validated where else that user’s stolen credentials can be used, the attack moves to the exploitation phase. Here, attackers seek to inflict as much financial damage as possible on the user and business with the stolen account. 
    • The exact method of fraud and monetization differs based on the type of account that’s been stolen. For instance, an attacker can directly drain a financial account of the money within it, but for a social media app, they may instead choose to leverage it for phishing other users, promoting products for a kickback, or to pursue some other avenue. 

What makes these attacks so frequent and worrisome is the scalability of the attack vector. If you can breach 10 million passwords, validate that 20% of them were also used at a major bank through programmatic means, and then drain those accounts without ever incurring the risk of walking into a bank branch, you’ve essentially outlined a more modern, scalable, global, and relatively low-risk way to become a bank robber.

It’s no surprise that account takeover fraud leads to massive financial losses each year. In 2021, $12 billion was lost due to account takeover, which was a 3X increase from 2018. (For context, that fraud loss figure is roughly 25 times greater than the entire fraud loss due to bank robberies worldwide when it was most recently reported in 2019).

The role of user experience in preventing credential stuffing and account takeover fraud

Over the past couple of years, I’ve been helping friends and family make adjustments to their account security posture. To help friends audit the health of their online account security, I typically use Google’s Password Checkup tool. It’s a great tool, but the image below, from one of these recent audits, is a great example of both 1) the security risks that a poor user experience introduces at account creation and 2) how overwhelming we’ve made the UX when users actually want to remedy these issues. 

This particular family member had:

  • 15 known compromised passwords (meaning they’d been exposed in past breaches like those suffered by Yahoo, Target, LinkedIn, etc.)
  • 107 re-used passwords 
  • 109 weak passwords 

How do we end up in a world where a normal user has 200+ insecure accounts? And why are we pushing the entire responsibility for solving this insecurity onto users? This state of insecurity has been created by the suboptimal way we’ve historically built sign-up and login flows, and it can be fixed by improving the user experience when it comes to authentication.

Today, there are two critical shortcomings in the user experience when users create accounts and when they try to improve their overall online account security hygiene. 

  1. We make it really easy for users to shoot themselves in the foot when they create passwords.
    • If a human is asked to manage hundreds of online accounts and each password requires an upper-case character, digit, and symbol, it’s predictable that users will find a shortcut and re-use the same password that fits all of these requirements across multiple sites. The friction at account creation pushes users to find unsafe shortcuts for themselves, which presents a massive risk for users when one of those sites is hacked. When they reuse passwords across sites, most users don’t intuit the interconnectedness of online security or realize that an insecure password on their streaming service could actually imperil their bank account. And given the decades of failed education on the topic, we need to admit that the end user shouldn’t be solely responsible for mitigating this risk.
  2. Google’s Password Checkup tool is extremely valuable, but it’s easy to see why users throw their hands in the air when they’re given a 200+ step process to remedy their online security.
    • We’re never going to convince the average user to undergo this much friction to fix their online account security. Instead, we need to solve this issue at the application level, so that users are not asked to be their own security experts. 

Right now, the user experience is broken when it comes to helping users create safer passwords and making it easy to remedy issues. Fortunately, there are modern authentication tools available to applications that can allow for companies to protect their users (and themselves) with minimal engineering effort. 

Using modern authentication tools to prevent account takeover

Over the past few years, the tools to counter account takeover have significantly improved, presenting a great opportunity for applications to leverage these tools to improve the UX and security posture of their authentication flows. Here are some of the key tools that applications should consider integrating to prevent account takeovers and credential stuffing:

  1. Improve the security of your users’ passwords. There are two concrete and simple ways to implement this today: 
    • Do not allow users to use compromised credentials in your sign-up and login flows.
      • There are endless data breaches exposing users’ passwords online, but fortunately, there are also good data sources to plug into in order to detect these compromised credentials. Any site interested in safeguarding its users’ accounts can use tools like HaveIBeenPwned’s Pwned Passwords API (or Stytch’s password check API, which supports HaveIBeenPwned along with other safeguards) to prevent users from choosing credentials that are already known to have been stolen in a previous hack when they create a new account. Pwned Passwords uses a k-anonymity scheme: the client sends only the first five hex characters of the password’s SHA-1 hash and compares the remaining characters locally against the returned range, so the password itself never leaves your application. If a user already has an existing password, you can check whether it has been leaked when that user logs in again and force a password reset if it has (doing so forces account takeover fraudsters to also breach the user’s email account, which is much more difficult given the prevalence of 2FA on email accounts).
    • Move away from friction-heavy and security-light password strength estimations to more modern ways to assess the strength of a password at account creation.
      • Typically, password strength estimation follows the LUDS formula (requiring users to provide a password that includes a lower case character, upper case character, digit, and symbol). Unfortunately, humans are very predictable, and we often end up with insecure passwords that satisfy these conditions but are exceedingly easy for machines to crack (e.g. P@ssword1, Password1!, etc.). Stytch uses Dropbox’s zxcvbn password strength estimator, which scores a password by how many guesses a modern cracker would need, recognizing dictionary words, common “l33t” substitutions, keyboard walks, dates, and repeated patterns rather than counting character classes. This makes picking a strong password easy for humans and hard for robots to guess.
  2. Integrate better bot prevention technologies. 
    • Every site should integrate some form of bot detection and prevention. Google reCAPTCHA remains the standard option, but there are also more advanced products like hCaptcha and Arkose Labs. Any type of bot prevention is better than nothing, but if you find after integrating one of these options that you’re still suffering from attacks on sensitive routes in your application, it’s likely due to the increasing availability (and relatively low cost) of CAPTCHA solving services like Anti-Captcha, which make it easy for bots to bypass your CAPTCHA system if the attacker is willing to pay a minimal sum. On anti-captcha.com, you can see the pricing for these solving services (for instance, an attacker can pay 50 cents to have 1000 image CAPTCHAs solved). If you find yourself in this position, reach out to us directly at Stytch so that we can share some more sophisticated options for eliminating the threat of CAPTCHA solving services. 
    Example pricing for CAPTCHA solving services like Anti-Captcha.
  3. Consider integrating passwordless technologies, which are much more difficult and expensive for fraudsters to attack. Passwordless technologies are particularly powerful because they can either be layered on as multi-factor authentication or become the primary authentication method for users while reducing user friction. 
    • Most passwordless authentication options are authentication factors that allow users to show proof of “something they have” (e.g. a device, access to an email/phone inbox, YubiKey, etc.) or “something they are” (biometrics like facial recognition, fingerprint identification, etc.). 
    • The two major benefits of passwordless options are the ease of use for users (which can improve conversion, lower customer acquisition costs, and increase users’ lifetime value) and the increased cost of an attack on the user. Unlike passwords, these methods are not well-suited for scaled attacks because you cannot take a bulk approach to stealing phone numbers, on-device biometrics, or email accounts. This considerably increases the cost of attack, which is why fraudsters focus their efforts on password reuse today. While there are attack vectors aimed at certain passwordless technologies (for instance, some users’ phone numbers are targeted when attackers want to take control of their SMS inbox), those attacks are both rarer given the cost involved and easily mitigated by choosing the appropriate authentication method for your application. For instance, if your application protects financial assets, you may choose not to offer SMS authentication as an option and instead gravitate towards biometric or device-based authentication methods (like TOTP and WebAuthn).
    • Another simple way to explore hybrid support for both passwords and passwordless while improving both the security and user experience of your auth flow is to streamline your password reset flow to include a magic link login option. This way, even if you detect that a user’s password has been breached, they always have the option to change it or simply bypass that friction entirely and log in with a single click. 
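The two password-hygiene measures in item 1 above, as an added example in Python (this is not Stytch’s or HaveIBeenPwned’s code): a breach check using the Pwned Passwords k-anonymity range scheme, and a small pattern-aware strength check set beside a classic LUDS rule. The k-anonymity split (SHA-1, first five hex characters sent, rest compared locally) matches the real API, but the range response body below is constructed for offline use, its counts are made up, and the `COMMON_WORDS` list and leet table are a deliberately tiny stand-in for zxcvbn’s dictionaries, not zxcvbn itself. `offline_fetch` is a hypothetical replacement for the HTTPS GET you would make in production.

```python
"""Password hygiene at sign-up/login: breach check (HIBP-style k-anonymity)
plus a pattern-aware strength check contrasted with a LUDS rule.
Added example; not Stytch's or HaveIBeenPwned's code."""
import hashlib
import re

# Constructed stand-in for the body of GET https://api.pwnedpasswords.com/range/5BAA6
# Real responses have this shape ("SUFFIX:COUNT" per line, 35 hex chars per suffix);
# the counts and the neighbouring suffixes here are made up.
SAMPLE_RANGE_RESPONSE = """\
1E2BBE6F27C2EC2CC3B4A5B3A9AE2A2B7A5:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824
1E5C1F3AC9D28DB38E8E1A1E2C0E8B6C9B1:1
"""


def hibp_prefix_and_suffix(password):
    """Split the upper-case SHA-1 hex digest into the 5-char prefix that is sent
    to the API and the 35-char suffix that is only ever compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Turn a 'SUFFIX:COUNT' range body into {suffix: count}; tolerates blank lines."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, fetch_range):
    """fetch_range(prefix) -> response body. Returns how often the password was seen (0 = never)."""
    prefix, suffix = hibp_prefix_and_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def offline_fetch(prefix):
    # Hypothetical transport: only the 5BAA6 range is embedded for this example.
    return SAMPLE_RANGE_RESPONSE if prefix == "5BAA6" else ""


def passes_luds(password, min_len=8):
    """The lower/upper/digit/symbol rule the article argues against."""
    return bool(len(password) >= min_len
                and re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)
                and re.search(r"\d", password) and re.search(r"[^A-Za-z0-9]", password))


# Tiny stand-in for a cracker's dictionary + l33t rules (zxcvbn ships far larger ones).
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "monkey", "dragon", "iloveyou"}
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "i", "!": "i",
                      "3": "e", "$": "s", "5": "s", "7": "t"})


def normalize(password):
    """Undo the shortcuts humans use to satisfy LUDS: drop a trailing '1!'/'2023',
    lower-case, and reverse common leet substitutions."""
    core = re.sub(r"[^A-Za-z]+$", "", password)
    return core.lower().translate(LEET)


def evaluate_password(password, fetch_range=offline_fetch):
    """Verdict for a sign-up/login password: 'compromised', 'weak' or 'ok'."""
    seen = breach_count(password, fetch_range)
    if seen > 0:
        verdict = "compromised"          # force a reset / reject at sign-up
    elif len(password) < 8 or len(set(password)) <= 2 or normalize(password) in COMMON_WORDS:
        verdict = "weak"                 # P@ssword1 lands here despite passing LUDS
    else:
        verdict = "ok"
    return {"luds": passes_luds(password), "breach_count": seen, "verdict": verdict}


if __name__ == "__main__":
    for candidate in ("password", "P@ssword1", "Password1!", "correct horse battery staple"):
        print(candidate, evaluate_password(candidate))
```

Note that `correct horse battery staple` fails LUDS yet gets an `ok` verdict, while `P@ssword1` passes LUDS and is rejected as weak; that inversion is the point of moving from character-class rules to guess-resistance estimation. In production, cache range responses briefly and treat a transport failure as “unknown” rather than “safe”.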

There’s not a singular silver bullet to solving the risk of account breaches, but thanks to these modern tools, there are lightweight ways that apps can both improve the user experience of their sign-up and login flows while dramatically reducing account takeover risk. Sign up and explore Stytch’s modern, easy-to-integrate authentication solutions for yourself.