Stop Bot-Executed Credential Attacks with Passwordless Authentication

Jing Gu | Thursday, October 21, 2021

Bot attacks are a significant security issue for online businesses. Especially with the rise of consumers interacting with businesses online, protecting customer accounts against bad actors is more critical for long-term retention and customer loyalty than ever before.

Research shows that in 2020, bad bot traffic accounted for over 25% of all website traffic, which is a 6.2% increase from 2019. What’s more, over 28% of bots self-report as mobile users, which represents a 12.9% increase from the previous year.

Learn more about how passwordless authentication can help you prevent bot attacks.

What are bot attacks?

Bots are small software programs that run automated scripts. These scripts can be used to crawl websites for search engine indexing, monitor site outages, or perform customer support services. They can also be used for malicious purposes including sending spam, harvesting customer data, executing brute force attacks, and overwhelming services with distributed denial-of-service attacks. 

Bot attacks are attacks that leverage automated scripts to defraud or manipulate applications, users, or devices. Botnet attacks are a subset of bot attacks that leverage a network of computers to carry out malicious activity for purposes of fraud, service disruption, and data breaches.

While bot attacks can take many forms, account takeover is a particularly lucrative use for bots, making it one of the most common attacks companies need to defend against.

How does going passwordless mitigate bot attacks?

During an account takeover attack, the malicious party tries to authenticate as a legitimate user via credential stuffing using stolen credentials, brute force guessing, rainbow table attacks, or reverse brute force attacks.

The common denominator across all these attack methods is the password. Therefore, eliminating the password removes the primary vector for bot attacks. When your login page does not have a password field, there’s nothing for a bot to execute its attack script against. 

However, eliminating the password does not mean that the password is simply hidden from the customer behind a FaceID, one-time code, push notification, or magic link. To deliver full protection against brute force attacks, credential stuffing, and account takeover fraud, passwordless solutions must eliminate the password from both the customer experience and the database so that it is never used for authentication or recovery.

Take bot prevention to the next level with passwordless risk-based authentication

In addition to the automated attacks leveraged against your application, bots can be insidious in that they can infect your customers’ devices without their knowledge. In a mobile context, rooted or jailbroken devices are particularly vulnerable since there are no security parameters around what can or cannot be installed on the device. 

Jailbroken or rooted devices leave customers open to the risk of unwittingly providing malicious bots access to their accounts. Mitigating malware vulnerabilities associated with rooted devices requires some level of visibility into the security posture of the endpoint device prior to login and the ability to make risk-based decisions in response. 

Beyond Identity allows you to capture real-time user and device risk signals including the jailbroken or rooted status, patch level, and more. Additionally, you can utilize these risk signals to implement adaptive risk-based authentication. For instance, if your application contains sensitive customer data such as financial or health-related information, you can choose to deny authentication on rooted devices completely. Alternatively, you can prompt a biometric step-up authentication when jailbroken devices are detected to increase assurance of the login attempt. 
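The deny-or-step-up decision described above can be sketched as follows. This is an added example, not code from the original article and not Beyond Identity's API; the signal names, the 90-day patch threshold, and the choice to treat a missing signal as untrusted are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Optional, Tuple


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP_BIOMETRIC = "step_up_biometric"
    DENY = "deny"


@dataclass(frozen=True)
class DeviceSignals:
    # Hypothetical signal names. None means the signal was not collected.
    rooted_or_jailbroken: Optional[bool]
    os_patch_date: Optional[date]


@dataclass(frozen=True)
class AppPolicy:
    handles_sensitive_data: bool  # e.g. financial or health-related data
    max_patch_age_days: int = 90  # assumed threshold, not from the article


def evaluate(signals: DeviceSignals, policy: AppPolicy,
             today: date) -> Tuple[Decision, str]:
    """Return the login decision and a reason string suitable for audit logs."""
    # Fail closed: an absent posture signal is handled like a bad one, so a
    # client that withholds the signal cannot skip the check.
    if signals.rooted_or_jailbroken is not False:
        reason = ("device rooted or jailbroken" if signals.rooted_or_jailbroken
                  else "root/jailbreak status unknown")
        if policy.handles_sensitive_data:
            return Decision.DENY, reason
        return Decision.STEP_UP_BIOMETRIC, reason
    if signals.os_patch_date is None:
        return Decision.STEP_UP_BIOMETRIC, "patch level unknown"
    age_days = (today - signals.os_patch_date).days
    if age_days > policy.max_patch_age_days:
        return Decision.STEP_UP_BIOMETRIC, f"patch level {age_days} days old"
    return Decision.ALLOW, "device posture acceptable"


if __name__ == "__main__":
    # Constructed sample input: a rooted device logging in to a health app.
    print(evaluate(DeviceSignals(True, date(2021, 10, 1)),
                   AppPolicy(handles_sensitive_data=True), date(2021, 10, 21)))
```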

Ready to get started with building a world-class passwordless authentication experience in your products? Contact our customer authentication specialists today.