COMMENT
One of the few truly immutable and potentially valuable pieces of information is genetic information. We cannot change our genome to any meaningful extent. Unlike biometric data, which can be stored in any number of different algorithmic structures or hashes, genetic information can invariably be reduced to simple sequences of amino acid pairs. The nightmare scenario, then, is bad actors breaking into a genetic database and exposing the biological blueprints of large numbers of people.
Recently, that nightmare came true with the hacking of genetic testing company 23andMe. The attackers used classic credential stuffing techniques to illegally access 14,000 user accounts. But they didn’t stop there. Thanks to 23andMe’s sharing features, which allow users to share and read the data of other users who may be related, the hackers were able to extract genetic data on 6.9 million people. The attackers posted offers on the Dark Web for 1 million profiles. 23andMe didn’t reveal the full impact until a month after the attack.
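The article names the technique as credential stuffing but does not show what it looks like from the defender's side. The following is an added example, not code from the article or from 23andMe: it scans a constructed authentication log for the characteristic signature of stuffing, one source trying many distinct usernames with a high failure rate, and reports which accounts that source managed to log into. The log format, the field layout, and the thresholds are all assumptions made for this example.

```python
"""Flag credential-stuffing sources in a constructed authentication log.

Credential stuffing replays username/password pairs leaked from other
sites, so a stuffing source tries MANY DISTINCT usernames and fails most
of the time, with the occasional success where a password was reused.
A legitimate user who mistypes a password produces the opposite shape:
few usernames, few attempts. All data below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log: "<timestamp> <source_ip> <username> <result>"
SAMPLE_LOG = """\
2023-10-01T10:00:01Z 198.51.100.7 alice fail
2023-10-01T10:00:02Z 198.51.100.7 bob fail
2023-10-01T10:00:03Z 198.51.100.7 carol success
2023-10-01T10:00:04Z 198.51.100.7 dave fail
2023-10-01T10:00:05Z 198.51.100.7 erin fail
2023-10-01T10:00:06Z 198.51.100.7 frank fail
2023-10-01T10:00:07Z 198.51.100.7 grace success
2023-10-01T10:00:08Z 198.51.100.7 heidi fail
2023-10-01T10:05:00Z 203.0.113.9 alice fail
2023-10-01T10:05:30Z 203.0.113.9 alice fail
2023-10-01T10:06:00Z 203.0.113.9 alice success
"""


@dataclass
class SourceStats:
    """Per-source counters used to score a login source."""
    attempts: int = 0
    failures: int = 0
    usernames: set = field(default_factory=set)
    successes: set = field(default_factory=set)


def parse_log(text):
    """Yield (ip, user, result) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # ignore lines that do not match the assumed layout
        _timestamp, ip, user, result = parts
        yield ip, user, result


def summarize(text):
    """Aggregate attempts, failures and usernames per source IP."""
    stats = defaultdict(SourceStats)
    for ip, user, result in parse_log(text):
        s = stats[ip]
        s.attempts += 1
        s.usernames.add(user)
        if result == "success":
            s.successes.add(user)
        else:
            s.failures += 1
    return stats


def find_stuffing_sources(text, min_distinct_users=5, min_fail_ratio=0.6):
    """Return {ip: set(accounts it logged into)} for sources whose
    behaviour matches credential stuffing: at least min_distinct_users
    different usernames and a failure ratio of at least min_fail_ratio.
    The thresholds are illustrative assumptions, not from the article.
    """
    flagged = {}
    for ip, s in summarize(text).items():
        many_users = len(s.usernames) >= min_distinct_users
        mostly_failing = s.failures / s.attempts >= min_fail_ratio
        if many_users and mostly_failing:
            flagged[ip] = s.successes
    return flagged


if __name__ == "__main__":
    for ip, accounts in find_stuffing_sources(SAMPLE_LOG).items():
        print(f"{ip}: stuffing pattern, accounts to review: {sorted(accounts)}")
```

The accounts returned for a flagged source are the ones whose passwords were evidently reused elsewhere; those are the sessions to revoke and the users to push into the 2FA enrollment the article argues for. The second source in the sample (one user, two typos, then success) is deliberately left unflagged.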
To protect users, 23andMe encourages everyone to immediately change their passwords and ensure they are unique and strong. This is positive but insufficient. More importantly, the company is automatically enrolling existing customers in two-factor authentication for an added layer of security. Rather than wait for the inevitable catastrophic event, every single Software-as-a-Service (SaaS) app should make 2FA mandatory, and best practice should move from 2FA to MFA with a minimum of three factors available. It is now a matter of public safety and should be mandatory, just as car manufacturers must include seat belts and airbags in their vehicles.
Network effects multiply the impacts of compromise
Many of our SaaS accounts and applications include networking features that increase exposure exponentially. In the case of 23andMe, the exposed data included information from DNA Relatives profiles (5.5 million) and Family Tree profiles (1.4 million) that the 14,000 compromised account holders had shared or could access. This information included locations, display names, relationship labels, and DNA shared with matches, as well as birth years and locations for some users. While the market value of DNA data to hackers remains unclear, its uniqueness and irreplaceable nature raise concerns about potential misuse and attacks in the future.
Replace 23andMe with Dropbox, Outlook, or Slack and you can easily see how a relatively small number of exposed accounts can produce data for an entire organization. Access to an Outlook account could provide names and social connections, along with interactions that could be useful in creating more credible social engineering attacks.
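The two paragraphs above make a quantitative claim: a small number of compromised accounts exposes a much larger set of profiles because of sharing features. The following is an added example, not code from the article or from any of the vendors it names, that puts a number on that amplification for a constructed sharing graph. The model (each account may view a set of other profiles, sharing is mutual, and an attacker holding an account sees everything that account can see) and all the data are assumptions made for this illustration.

```python
"""Blast radius of compromised accounts through a sharing feature.

Model (an assumption for this example): a visibility graph maps each
account to the profiles it is allowed to view, e.g. DNA relatives who
opted in. Compromising an account exposes its own profile plus every
profile visible to it. The graph below is constructed, not real data.
"""
from itertools import combinations

# Constructed mutual-sharing links: (account, profile it may view).
SAMPLE_EDGES = [
    ("acct1", "rel_a"), ("acct1", "rel_b"), ("acct1", "rel_c"),
    ("acct2", "rel_c"), ("acct2", "rel_d"),
    ("acct3", "rel_e"),
    ("acct4", "rel_f"), ("acct4", "rel_g"), ("acct4", "rel_h"), ("acct4", "rel_i"),
    ("acct5", "acct6"),
]


def build_graph(edges):
    """Turn (a, b) share links into {node: set(visible nodes)}.
    Sharing is modelled as symmetric (mutual opt-in), so edges are mirrored."""
    graph = {}
    for a, b in edges:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph


def exposed_profiles(graph, compromised):
    """Every profile an attacker can read given the compromised accounts:
    the accounts themselves plus everything each of them may view."""
    exposed = set(compromised)
    for acct in compromised:
        exposed |= graph.get(acct, set())
    return exposed


def amplification(graph, compromised):
    """Exposed profiles per compromised account (1.0 means no sharing)."""
    compromised = set(compromised)
    return len(exposed_profiles(graph, compromised)) / len(compromised)


def worst_case(graph, k):
    """Exact worst case for small graphs: the k accounts whose combined
    visibility exposes the most profiles. Exhaustive, so only for toy sizes."""
    best = set()
    for combo in combinations(sorted(graph), k):
        exposed = exposed_profiles(graph, combo)
        if len(exposed) > len(best):
            best = exposed
    return best


if __name__ == "__main__":
    g = build_graph(SAMPLE_EDGES)
    hit = {"acct1", "acct4"}
    print(f"{len(hit)} accounts compromised -> {len(exposed_profiles(g, hit))} "
          f"profiles exposed (x{amplification(g, hit):.1f})")
    print(f"worst case for 2 accounts: {len(worst_case(g, 2))} profiles")
```

Running it shows two compromised accounts exposing nine profiles, a 4.5x amplification on this toy graph; on a real service the multiplier is whatever the most connected accounts can reach, which is why the article treats login security for every account as a shared concern rather than each user's private risk.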
This is no minor threat. We increasingly see skilled attackers looking for less secure applications that hold considerable information about the network in order to carry out larger attacks. According to the IBM X-Force Threat Intelligence Index 2023, 41% of successful attacks used phishing and social engineering as the primary vector. For example, the attackers behind the Okta session token incident exploited the weaker security of its customer support and ticketing system as a means of gathering information for phishing attacks against customers. The costs of these attacks are increasing and can be staggering. IBM estimates that the average cost of a breach exceeds $4 million, and Okta’s market capitalization fell by billions of dollars after it announced the breach.
A long-awaited solution: mandatory 2FA for logins
The 23andMe hack reveals an obvious truth. Username and password combinations are not only inherently insecure but essentially uninsurable and represent an unacceptable risk. Assuming that a password alone guarantees security is foolish. In security and other certification processes, any company that fails to enable automated 2FA enrollment should be flagged as risky, to provide necessary risk information to partners, investors, customers and government agencies.
2FA should be mandatory and treated as the price of entry for any SaaS application, without exceptions. Some organizations may complain that such a mandate will introduce additional friction and negatively impact user experience. But innovative application designers have largely solved these problems from first principles, under the assumption that their users will be required to use 2FA. Additionally, numerous leading organizations like GitHub have implemented 2FA mandates, so there’s no shortage of examples of how talented UX teams are handling the challenge.
Curiously, the same charges of friction and discomfort were once the leading complaint against mandatory seat belts. Today, no one bats an eye and seat belts are widely accepted. Likewise, seat belts and airbags for SaaS apps will ultimately save the world many billions of dollars in terms of reducing losses and increasing productivity.
What about passkeys? Unfortunately, they are unlikely to reach critical mass in enterprises in the years to come. And passkeys are even more secure when paired with MFA. The challenge, then, falls to SaaS vendors to up their usability game and make 2FA and MFA even easier for everyone to use, especially the more secure factors like biometrics, hardware keys, and authentication apps.
Genetic data is the canary in the SaaS security coal mine. As more lives and businesses move online, risks for both businesses and consumers increase. Building greater security into SaaS is a public good that will benefit everyone. The best and most obvious step right now is to enforce 2FA as the basic security layer.