COMMENTARY
One of the few pieces of information that is truly immutable and potentially invaluable is genetic information. We can't change our genome to any large degree. Unlike biometric data, which may be stored in any number of different algorithmic or hashed structures, genetic information can be invariably reduced to simple sequences of amino acid pairs. The nightmare scenario, then, is bad actors hacking a genetic database and getting access to the biological blueprints to large numbers of people.
Recently, that nightmare came true with the hack of genetic testing company 23andMe. Attackers used classic credential-stuffing techniques to illegally access 14,000 user accounts. But they didn't stop there. Because of sharing features of 23andMe that enable users to share and read data of other users who might be related, the hackers were able to extract genetic data from 6.9 million people. The attackers posted offers on the Dark Web for 1 million profiles. 23andMe did not disclose the full impact until a month after the attack.
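The credential-stuffing step described above has a recognizable shape in authentication logs: one source walks a leaked username/password list, so it touches many different accounts in a short window, whereas a legitimate user who mistypes a password keeps retrying the same account. The following is an added example of that detection logic, not code from the original commentary and not anything 23andMe is known to run; the log format, the sample lines (constructed, with documentation-range IP addresses) and the thresholds are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample authentication log (not real data). The line format is an
# assumption: "<ISO 8601 UTC timestamp> ip=<source> user=<login> result=<ok|fail>".
# 198.51.100.5 is a real user fixing a typo; 203.0.113.7 is a stuffing run that
# tries seven accounts in seven seconds and gets into two of them.
SAMPLE_LOG = """\
2023-10-06T10:00:01Z ip=198.51.100.5 user=alice result=fail
2023-10-06T10:00:09Z ip=198.51.100.5 user=alice result=fail
2023-10-06T10:00:20Z ip=198.51.100.5 user=alice result=ok
2023-10-06T10:00:02Z ip=203.0.113.7 user=bob result=fail
2023-10-06T10:00:03Z ip=203.0.113.7 user=carol result=fail
2023-10-06T10:00:04Z ip=203.0.113.7 user=dave result=ok
2023-10-06T10:00:05Z ip=203.0.113.7 user=erin result=fail
2023-10-06T10:00:06Z ip=203.0.113.7 user=frank result=fail
2023-10-06T10:00:07Z ip=203.0.113.7 user=grace result=fail
2023-10-06T10:00:08Z ip=203.0.113.7 user=heidi result=ok
2023-10-06T10:05:00Z ip=192.0.2.9 user=ivan result=fail
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


def parse_log(text):
    """Parse log lines into (timestamp, ip, user, result) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not match the assumed format
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["ip"], m["user"], m["result"]))
    events.sort()
    return events


def detect_credential_stuffing(events, window=timedelta(seconds=60), min_distinct_users=5):
    """Return {ip: set_of_usernames} for every source that attempted at least
    min_distinct_users DIFFERENT accounts inside any sliding window.

    The signal is the spread across accounts, not the raw failure count:
    a stuffing run produces many failures across many usernames, while a
    legitimate user retrying a typo produces a few failures on one username."""
    recent = defaultdict(deque)  # ip -> deque of (timestamp, user) still inside the window
    flagged = {}
    for ts, ip, user, _result in events:
        q = recent[ip]
        q.append((ts, user))
        while q and ts - q[0][0] > window:  # drop attempts older than the window
            q.popleft()
        users = {u for _t, u in q}
        if len(users) >= min_distinct_users:
            flagged.setdefault(ip, set()).update(users)
    return flagged


def accounts_to_lock(events, flagged):
    """Successful logins from a flagged source are the accounts to treat as
    compromised: lock them, force a password reset and enrol a second factor."""
    return sorted({user for _ts, ip, user, result in events
                   if ip in flagged and result == "ok"})


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    hits = detect_credential_stuffing(evts)
    print("flagged sources:", hits)
    print("accounts to lock:", accounts_to_lock(evts, hits))
```

On the constructed sample only 203.0.113.7 crosses the threshold, and the two accounts it logged into (dave and heidi) are the ones that need a reset; alice's three attempts on her own account are left alone. Thresholds and window size are tuning decisions for the service in question, and in production the distinct-user count would normally be joined with other signals (ASN, device fingerprint, geography) before any automated lockout.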
To protect users, 23andMe is prompting all users to immediately change their passwords and ensure they are unique and complex. This is good but insufficient. More important, the company is automatically enrolling existing customers into two-factor authentication for an extra layer of security. Rather than wait for the inevitable catastrophic event, every single software-as-a-service (SaaS) app should make 2FA mandatory and best practices should be moved from 2FA to MFA with a minimum of three factors available. It's now a matter of public safety and should be mandatory, just as car manufacturers must include seat belts and airbags in their vehicles.
Network Effects Multiply Impacts of Compromise
Many of our accounts and SaaS applications include networked capabilities that increase exposure exponentially. In the case of 23andMe, exposed data included information from DNA Relatives profiles (5.5 million) and Family Tree profiles (1.4 million) that the 14,000 account users had shared or made accessible. This information included locations, display names, relationship labels, and DNA shared with matches, as well as birth years and locations for some users. While the market value of DNA data for hackers remains unclear, its uniqueness and irreplaceable nature raise concerns about potential misuse and targeting in the future.
Replace 23andMe with Dropbox, Outlook, or Slack, and you can easily see how a relatively small number of exposed accounts can yield data for an entire organization. Access to an Outlook account might yield names, social connections, and interaction histories that could be useful for building more believable social engineering attacks.
This isn't a minor threat. We are increasingly seeing savvy attackers looking for more weakly guarded applications that hold considerable networked information and using them to execute broader attacks. According to the 2023 IBM X-Force Threat Intelligence Index, 41% of successful attacks used phishing and social engineering as their primary vector. For example, the Okta session token incident looked to take advantage of weaker security on its customer support and ticketing system as a means to gather information for phishing attacks against customers. The costs of these attacks are rising and can be staggering. IBM estimates the average breach costs over $4 million, and Okta's market capitalization plummeted by billions of dollars after it announced the breach.
A Long Overdue Fix: Mandatory 2FA for Logins
The 23andMe hack hammers home an obvious truth. Username and password combinations aren't only inherently insecure but essentially uninsurable and an unacceptable risk. Even assuming that a password alone provides security is foolish. In security and other certification processes, any company that fails to enable automated 2FA enrollment should be flagged as risky to provide the necessary risk information to partners, investors, customers, and government bodies.
The 2FA must be mandatory and enforced as the price of entry for any SaaS application — no exceptions. Some organizations might complain that such a mandate will introduce additional friction and negatively impact user experience. But innovative application designers have largely solved these problems by building from first principles under the assumption that their users will be required to use 2FA. What's more, numerous leading organizations like GitHub have rolled out 2FA mandates, so there's no shortage of examples of how talented UX teams are handling the challenge.
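What "mandatory and enforced as the price of entry" means at the login boundary is that a correct password on its own never yields a session: an account with no second factor enrolled is steered into enrollment, and an enrolled account must present a valid one-time code. The following is an added example of that enforcement, not code from the original commentary or from any of the vendors it names. It implements the time-based one-time password algorithm from RFC 6238 (HOTP from RFC 4226 with a 30-second time step) on top of the standard library; the account model, the `login`, `create_account` and `enroll_totp` helper names, the PBKDF2 iteration count and the drift tolerance are assumptions for the example.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from dataclasses import dataclass
from typing import Optional

TIME_STEP = 30          # RFC 6238 default time step in seconds
DIGITS = 6              # length of the one-time code
PBKDF2_ITERATIONS = 100_000  # assumed for the example; tune for your hardware


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at_time) // step, digits)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


@dataclass
class Account:
    salt: bytes
    password_hash: bytes
    totp_secret: Optional[bytes] = None  # None means no second factor enrolled yet
    last_counter: int = -1               # highest time-step already used, to block replay


def create_account(password: str) -> Account:
    salt = secrets.token_bytes(16)
    return Account(salt=salt, password_hash=hash_password(password, salt))


def enroll_totp(account: Account, secret: Optional[bytes] = None) -> str:
    """Bind a TOTP secret to the account and return it base32-encoded for the
    authenticator app. A secret is generated unless one is supplied."""
    account.totp_secret = secret if secret is not None else secrets.token_bytes(20)
    account.last_counter = -1
    return base64.b32encode(account.totp_secret).decode()


def login(account: Account, password: str, otp: Optional[str], now: Optional[float] = None) -> str:
    """Return 'ok', 'denied' or 'enroll_required'. The password alone is never enough."""
    now = time.time() if now is None else now
    if not hmac.compare_digest(hash_password(password, account.salt), account.password_hash):
        return "denied"
    if account.totp_secret is None:
        # Mandatory 2FA: a correct password only unlocks the enrollment step.
        return "enroll_required"
    if otp is None or len(otp) != DIGITS or not otp.isdigit():
        return "denied"
    counter = int(now) // TIME_STEP
    # Accept the current step and one step either side to tolerate clock drift,
    # but never a step at or below the last one that was successfully used.
    for candidate in (counter - 1, counter, counter + 1):
        if candidate <= account.last_counter:
            continue
        if hmac.compare_digest(hotp(account.totp_secret, candidate), otp):
            account.last_counter = candidate
            return "ok"
    return "denied"


if __name__ == "__main__":
    acct = create_account("correct horse battery staple")
    print(login(acct, "correct horse battery staple", None))   # enroll_required
    enroll_totp(acct)
    code = totp(acct.totp_secret, time.time())
    print(login(acct, "correct horse battery staple", code))   # ok
    print(login(acct, "correct horse battery staple", code))   # denied (replay)
```

Two details matter in practice: the comparison of codes and password hashes uses `hmac.compare_digest` so that timing does not leak how many characters matched, and `last_counter` makes each code single-use, so a code captured by phishing and replayed inside the drift window is rejected. The block reproduces the RFC 4226 and RFC 6238 test vectors (secret `12345678901234567890`, counter 0 gives `755224`; time 59 gives `287082`), which is the quickest check that a TOTP implementation is interoperable with ordinary authenticator apps.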
Curiously, the same claims of friction and inconvenience were once the staple complaint against seat belt mandates. Today, no one blinks, and seat belts are widely accepted. In that same vein, seat belts and airbags for SaaS apps will, in the end, save the world many billions of dollars in reduced losses and increased productivity.
What about passkeys? Unfortunately, they're unlikely to hit critical mass in enterprise for years to come. And passkeys are even more secure when paired with MFA. The challenge, then, will be on SaaS makers to up their usability game and make 2FA and MFA even easier for everyone to use — especially more-secure factors such as biometrics, hardware keys, and authenticator apps.
Genetic data is the canary in the SaaS security coal mine. As more and more of our lives and activities go online, more risk accrues to businesses and consumers alike. Building greater security into SaaS is a public good that will benefit everyone. The best and most obvious step right now is mandating 2FA as a baseline level of security.