Shared secrets are a piece of data that is known to two or more parties. They are most commonly recognized in the form of passwords, which are known to both service provider and end user. Shared secrets cam be plaintext or another piece of data so long as they are known to the two or more distinct parties. Commonly used in cryptography, a shared secret can be used to decrypt information used in symmetric encryption algorithms, by all parties. Mishandling of shared secrets is a leading cause of identity theft, financial fraud, account takeover (ATO), and mass data breaches. Once in the hands of a hacker, shared secrets enable these bad actors to impersonate the legitimate user and abuse their rights as consumer or employee.
“Shared secrets come in many forms, but the most popular ones used every day are passwords, PINs, and credit card numbers. Even 2-factor codes are shared secrets.”