Will AI agent-fueled attacks force CISOs to fast-track passwordless projects?

Data breaches, social engineering, malware and phishing attacks leak a lot of passwords. With access to these, AI agents could automate the steps of mass account takeover (ATO), from social engineering and deepfakes through to abuse of the stolen credentials. Gartner predicts a 50% reduction in the time to exploit account exposures by 2027.

The renewed pressure on passwords may compel CISOs to fast-track passwordless, phishing-resistant authentication, but in so doing they’ll have to weigh up their options, build the business case, and sell the project internally.

In many organizations, MFA is already table stakes, but AI agents have the speed, iteration and sophistication to attack MFA logins, opening the door to attacks that are harder to detect. “We’re seeing targeted phishing attacks using AI and folks giving up their credentials and being phished successfully for the MFA codes, even with number matching,” says Elliott Franklin, CISO with reinsurance business Fortitude Re.

Joining the business two years ago, Franklin started working on identity modernization as one of several projects, adding and retiring some solutions. “We’ve got Azure, Okta and traditional Active Directory and have just brought on SailPoint to help with the provisioning and deprovisioning,” says Franklin.

The password policy has already been changed, but in light of the risks, going fully passwordless has moved up the priority list of projects. “You need to take that step to combat the AI agents that are going to do the logins, deepfakes, resetting passwords and even able to simulate the MFA,” he said.

Going passwordless may not be at the top of already stretched CISOs’ agendas, but Franklin believes it will require more urgent attention. “This would fall around fourth on my list and about the same from what I’m hearing from my peers, but that doesn’t mean it can be overlooked,” he said.

How malicious AI agents can be weaponized for cyber attacks

AI agents are systems that take a user prompt or goal and carry out a series of steps in a workflow on the user’s behalf. This is different from agentic AI, which refers to AI systems that behave with ‘agency’ and operate independently, making decisions, taking actions and adapting without direct human intervention, as a self-driving vehicle does.

In normal use, AI agents function as coding agents like GitHub Copilot, customer service helpers like Ada and platform assistants like Workday Assistant. Weaponized AI agents raise red flags because they could enable a new class of mass attacks, such as ATO attempts. There are already real-world examples of what is possible.

With credential stuffing, what typically takes hours of scripting and manual input could be automated using leaked or stolen login details. AI agents could simulate human-like browsing behavior to evade bot detection and dynamically adjust login attempts to get past CAPTCHA defenses. Researchers at ETH Zurich (the Swiss Federal Institute of Technology) have demonstrated an AI model that can solve certain CAPTCHAs.

AI agents can be used in live social engineering chats or calls, adjusting their responses in real time, and can adapt tone and style in emails and social media posts. Voice and video deepfakes can impersonate users during biometric or other personalized authentication processes.

Polymorphic phishing campaigns, in which each message is varied so that signature-based filters do not see the same lure twice, have spiked in the last six months, according to KnowBe4 research. They are particularly dangerous in spear phishing because they can incorporate publicly available data to build legitimacy with targets.

“AI doesn’t get tired, it can rapidly test and adapt attack strategies based on success/failure patterns to be more effective. And as we’ve been seeing a lot with credential stuffing attacks, it can be enhanced with automation and intelligent retry mechanisms and behavioral mimicry,” says Shaila Rana, senior member at IEEE.
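The two detection angles the preceding paragraphs imply, a single source spraying many accounts and a campaign spread across many sources with per-IP volumes kept low, as an added example that is not from the article or any vendor product. It runs over a constructed authentication log embedded in the code; the log format, the addresses, the usernames and the thresholds are all assumptions chosen for illustration.

```javascript
// Added example, not code from the article or any vendor: two credential-stuffing
// detectors run over a constructed auth log. Format (assumed): ISO time, client IP,
// username, outcome (OK/FAIL). Addresses use documentation ranges; thresholds are illustrative.
const SAMPLE_LOG = `
2025-05-01T10:00:01Z 203.0.113.7 alice FAIL
2025-05-01T10:00:02Z 203.0.113.7 bob FAIL
2025-05-01T10:00:03Z 203.0.113.7 carol FAIL
2025-05-01T10:00:04Z 203.0.113.7 dave FAIL
2025-05-01T10:00:05Z 203.0.113.7 erin FAIL
2025-05-01T10:00:06Z 203.0.113.7 frank OK
2025-05-01T10:00:40Z 198.51.100.20 alice FAIL
2025-05-01T10:00:50Z 198.51.100.20 alice FAIL
2025-05-01T10:01:00Z 198.51.100.20 alice OK
2025-05-01T10:03:00Z 203.0.113.101 grace FAIL
2025-05-01T10:03:01Z 203.0.113.102 heidi FAIL
2025-05-01T10:03:02Z 203.0.113.103 ivan FAIL
2025-05-01T10:03:03Z 203.0.113.104 judy FAIL
2025-05-01T10:03:04Z 203.0.113.105 mallory FAIL
2025-05-01T10:03:05Z 203.0.113.106 niaj FAIL
2025-05-01T10:03:06Z 203.0.113.107 olivia FAIL
2025-05-01T10:03:07Z 203.0.113.108 peggy FAIL
2025-05-01T10:03:08Z 203.0.113.109 rupert FAIL
2025-05-01T10:03:09Z 203.0.113.110 sybil FAIL
`;

// Parse one event per line into { ts (original string), t (epoch ms), ip, user, ok }.
function parseLog(text) {
  return text.trim().split('\n').map((line) => {
    const [ts, ip, user, outcome] = line.trim().split(/\s+/);
    return { ts, t: Date.parse(ts), ip, user, ok: outcome === 'OK' };
  });
}

// Detector 1, source-centric: one IP trying many distinct usernames with mostly failures.
// Note that one success (frank) is exactly the ATO hit a leaked credential produces.
function detectNoisySources(events, { minUsers = 5, minFailRatio = 0.8 } = {}) {
  const byIp = new Map();
  for (const e of events) {
    const s = byIp.get(e.ip) || { users: new Set(), attempts: 0, failures: 0 };
    s.users.add(e.user);
    s.attempts += 1;
    if (!e.ok) s.failures += 1;
    byIp.set(e.ip, s);
  }
  const flagged = [];
  for (const [ip, s] of byIp) {
    if (s.users.size >= minUsers && s.failures / s.attempts >= minFailRatio) flagged.push(ip);
  }
  return flagged;
}

// Detector 2, target-centric: a sliding window over failures counting distinct usernames
// regardless of source IP. Rotating proxies and "human-like" pacing keep every IP under
// the per-source thresholds, but the population of accounts being hit still spikes.
function detectDistributedCampaign(events, { windowSec = 120, minDistinctFailedUsers = 10 } = {}) {
  const failures = events.filter((e) => !e.ok).sort((a, b) => a.t - b.t);
  const windowMs = windowSec * 1000;
  const inWindow = new Map(); // username -> failure count inside the window
  const alerts = [];
  let start = 0;
  let alerting = false;
  for (let i = 0; i < failures.length; i += 1) {
    const e = failures[i];
    inWindow.set(e.user, (inWindow.get(e.user) || 0) + 1);
    while (start < i && failures[start].t < e.t - windowMs) { // evict events older than the window
      const old = failures[start];
      const c = inWindow.get(old.user) - 1;
      if (c === 0) inWindow.delete(old.user); else inWindow.set(old.user, c);
      start += 1;
    }
    const over = inWindow.size >= minDistinctFailedUsers;
    if (over && !alerting) alerts.push(e.ts); // alert once when the threshold is first crossed
    alerting = over;
  }
  return alerts;
}

function runDetection(logText = SAMPLE_LOG) {
  const events = parseLog(logText);
  return {
    flaggedSources: detectNoisySources(events),        // ['203.0.113.7']
    campaignAlerts: detectDistributedCampaign(events), // ['2025-05-01T10:03:09Z']
  };
}

console.log(runDetection());
```

The first detector catches 203.0.113.7 only; the ten single-attempt addresses in the 10:03 burst each stay below every per-IP threshold and are only caught by the second detector, which is the kind of signal worth keeping when attackers rotate sources and mimic normal browsing.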

Passwordless options

In retiring passwords, security leaders will need to consider their options — passkeys, biometrics, and third-party login services — looking for the best technical, usability, and security fit. There are pros and cons for each option, and in many cases CISOs may be guided towards one based on their existing environment.

Passkeys, used by Microsoft, Samsung, and Zoho among others, are built on public-key cryptography: the device generates a key pair for each website, keeps the private key on the device and registers only the public key with the site. The user unlocks the private key with a device PIN, biometric, screen unlock pattern or hardware security key, so no shared secret that could be phished or leaked in a breach is ever sent to the site.

“Passkeys are hardware-backed, can be more phishing-resistant, and have a reduced liability of storing credentials. On the other hand, there’s a lot of overhead, especially with recovery complexity and device dependencies, and there are implementation costs,” says Rana.

The FIDO Alliance, originally founded by large tech firms including Microsoft, Google, and PayPal, has developed several open authentication standards, the latest being FIDO2, developed in partnership with the W3C. It combines the Web Authentication API (WebAuthn), which a website calls through the browser, with the Client to Authenticator Protocol (CTAP), which the browser or platform uses to talk to an external authenticator such as a smartphone or security key.

Microsoft has been working towards passwordless logins for its more than 1 billion users, recently announcing that all new accounts will do away with passwords by default. It is adopting passkeys built on WebAuthn and the FIDO2 specification.

“Passkeys are best for organizations that have high security requirements and a technical user base,” Rana says.

Biometrics such as facial recognition, fingerprint scans, and behavioural biometrics are also used to authenticate users. Biometrics are harder to steal or fake and require minimal interaction from users. The disadvantages are privacy concerns, false rejection rates, and the fact that a biometric cannot be changed if it is compromised. “Organizations that prioritize ease of use and frictionless experiences with moderate security needs would probably use this option,” she says.

Federated identity management, or federated single sign-on, allows users to authenticate once with an identity provider and then access applications in other domains without signing in again. Federated identity services and systems include Microsoft Entra ID, Okta, Ping Identity, and AWS Cognito.

Federated identity management allows centralized policy enforcement, simplified user experience, and reduced identity silos. Organizations with complex access requirements and diverse application portfolios may find this option attractive for them, according to Rana. “The weaknesses are a single point of failure, you’re stuck with a certain vendor, and there could be complexity with implementation, especially depending on your information architecture.”

Most major identity platforms support the common protocols: OAuth 2.0, the token-based authorization framework; SAML (Security Assertion Markup Language); and OpenID Connect, an identity layer on top of OAuth 2.0 used to verify who the user is.

“CISOs need to look at the regulatory requirements, security posture, threat landscape, expectations of users, and what operational capabilities and resources you have available,” Rana says. “Another main question you have to ask yourself: what is your risk tolerance and risk transfer options?”

The shift to passwordless could also trigger a wider review of authentication that includes the security of providers, vendor assessment, human factors, special protections to high-value accounts, and other zero-trust principles. “Defense in depth and layered approaches will always be fundamental, so while this is an important implementation it’s just not enough,” she says.

The importance of laying out the passwordless journey for the organization

Breaches related to compromised credentials are commonplace and costly for organizations. The threat of AI agents adds a sense of urgency, but that doesn’t mean CISOs can ignore the internal sell.

In addition to assessing the technical options, CISOs will need to make the case to the business for the value of going passwordless and the risks of sticking with the status quo. The challenge is that it can look like adding another cost on top of the money already spent on existing authentication tools.

“From a risk management perspective, 83% of data breaches are caused by compromised credentials and yet studies show a million US dollars a year is spent by organizations on password management,” says Mary Attard, Accenture ANZ cyber protection lead.

CISOs need to look at managing that risk more securely, at reducing the cost of managing passwords, and at the benefit to employees and the business itself that comes with seamless, passwordless functionality.

Accenture has spent the last five years transitioning away from passwords and chose to adopt Windows Hello for Business because it comes from its existing technology partner, Microsoft. To begin with, the team developed an adoption map running from the foundational steps of identifying passwordless options through to the end goal of working in a completely passwordless environment. This became an infographic to share within the organization. A change management program included customized messages to staff according to type, role, and situation, and identified the actions required.

There was also a keen focus on specific stakeholders, such as embedding the new process and tools in the onboarding of new joiners and offering a “white glove” approach to senior leaders.

Reducing these risks also reduces the potential costs of these threats, as well as the time spent internally on password management. Employee experience improves in tandem, according to Attard. “We’ve seen a reduction in help desk calls and an improvement in employee experience because there’s no longer a need to continuously reset passwords, input passwords, and having to remember different passwords for different applications,” she says.

Going passwordless is a rare, good news story for cybersecurity

At Fortitude Re, going passwordless feeds into a larger tool rationalization project. As a six-year-old company spun off from AIG, it is a 100% cloud-based outfit without the burden of legacy technical debt. Nonetheless, there are still solutions that can be retired.

In weighing up the options, Franklin considered risk factors and password usability issues. “Deepfake audio calls are now being used to try and steal passwords, the requirement for challenging passwords makes them hard to remember, and dictionary checks will reject many passwords people try to use,” he says.

Federated single sign-on was identified as the best fit for the fully virtual business, which operates a BYOD policy. As a Microsoft 365 business customer, the natural choice was to adopt Entra ID and, although Franklin has found Okta to be a “great product”, it will be surplus to requirements.

“We’re going to consolidate everything into Entra ID and be able to do passwordless at the same time. I don’t necessarily prefer Microsoft. They’re not a security company, but they are the enterprise standard, and they’re getting better. And so, we looked at their capabilities for federated single sign-on,” Franklin says.

Nonetheless, a board can get nervous on hearing that any security system is being let go, and needs to be reassured that overall organizational risk is being reduced. Franklin shared key metrics and emphasized that the consolidation would reduce the company’s attack surface and its overall risk.

Like Accenture’s experience, Franklin expects a significant saving in time and costs in doing away with passwords. At CSO’s request, Franklin ran a 90-day report that showed there had been 304 password resets at Fortitude in that time. “Most research firms show that the average cost per reset is between $60 and $70 due to direct and indirect (lost productivity) costs. That would mean $18,240 saved over the past 90 days. This easily helps prove the cost savings in moving to passwordless,” he said. Fortitude employs approximately 500 people.

As a B2B business, Franklin acknowledges that he doesn’t have customers to consider in the typical sense and can focus solely on employee adoption. “Going passwordless, we can really tell a positive story that it will save people the time and hassle remembering and resetting passwords and having to spend time calling the help desk to do it.”

In this respect, Franklin believes it offers a rare opportunity for security to be the good news department, improving the employee experience while saving the business money and reducing risk.

“People are tired of security because we’re the ones tricking them with the phishing test, patching systems, and rebooting every night and they’re losing their work. I think it’s one of the rare times we can say it’s going to be win-win and we can be excited about it,” he said.

The original article was published on CSO Online.