Content Copyright © 2023 Bloor. All Rights Reserved.
Also posted on: Bloor blogs
Passwords will never equal security
Passwords and many MFA offerings do little to improve security. People are notoriously lax when it comes to keeping passwords secure and many MFA offerings such as one-time passwords do little to add security over and above passwords. Another downfall of MFA is that it generally does not take into account the security posture of the device being used when a person is seeking to authenticate themselves to access the resources that they need. This is becoming ever more important in an era where remote working, often using personal devices, is the norm.
This is not lost on criminals. According to Verizon’s 2022 Data Breach Investigations Report, there has been a near 30% increase in the use of stolen credentials since 2017. It states that credentials represent “one of the most tried-and-true methods to gain access to an organisation” and are favoured because they are so useful for masquerading as legitimate users on the system.
Stolen credentials, often obtained through social engineering exploits, are behind the vast majority, at around 80%, of ransomware attacks and security breaches.
Passwordless authentication is the first step
Relying on passwords and conventional MFA is clearly not enough. Users are fallible, and handling multiple passwords and factors of authentication is complex and burdensome. The only viable solution is to do away with passwords altogether. The vision of a passwordless future is based on the FIDO (Fast Identity Online) Alliance’s FIDO2 specification, which aims to create strong authentication for the web. It starts from the principle that password-only authentication is a real security problem and is also inconvenient for users.
Passwords are considered to be a knowledge-based authentication method, but memories only go so far. Passwordless authentication instead relies on something tangible that a user has, such as a mobile device, or something immutable, such as a biometric identifier. These form much more reliable methods of secure authentication and remove the need to remember credentials and to keep them secure.
Going passwordless is just one step on the journey to the vision of zero trust, whereby no user or device is inherently trusted, so each must always be verified.
Since passwordless authentication relies on a user device, it is essential that the device being used has been authorised and that it meets the security requirements set for the resources that the user wishes to access. This goes for all devices, whether they are corporate-issued or personally owned.
To ensure that the device is trusted, a private cryptographic key is stored on the device and can never be copied or moved from it, so it remains secure. This private key is paired with a public key that is made available to the applications a user wishes to access, allowing them to confirm that the device is trusted. Only those able to unlock the phone will be able to log into applications, so the key is best paired with an immutable identifier in the form of a biometric. Most modern phones have the capability to read biometrics.
Solving MFA issues
This will also solve the problems inherent in many MFA solutions since the device acts as an authenticating factor, avoiding complexity for the user. Because of this, users are shielded from phishing attempts that look to steal credentials.
With the combination of passwordless authentication, highly secure MFA and device control, authentication events can be continuously monitored throughout a session. For example, should a user disable a security control such as a firewall, such a change will be flagged because the device is no longer considered to be highly secure, forcing a user to reinstate the control before they can continue. This process is based on risk scores generated by the system.
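The continuous posture check described above, as an added example in Node.js that is not from the post or from any product: posture signals feed a risk score, and a session that was trusted at login is blocked as soon as a control such as the firewall is disabled, until it is reinstated. The control weights, the threshold and the event names are assumed values for illustration.

```javascript
// Each control that is disabled or unreported adds its weight to the risk score (assumed weights).
const RISK_WEIGHTS = { firewallEnabled: 40, diskEncrypted: 30, osPatched: 20, screenLockOn: 10 };
const BLOCK_THRESHOLD = 30; // at or above this score the session must be remediated

function riskScore(posture) {
  return Object.entries(RISK_WEIGHTS)
    .reduce((score, [control, weight]) => score + (posture[control] === true ? 0 : weight), 0);
}

// A session may only start from a device that is trusted at login time.
function createSession(user, initialPosture) {
  const session = { user, posture: { ...initialPosture }, events: [] };
  if (riskScore(session.posture) >= BLOCK_THRESHOLD) throw new Error('device not trusted at login');
  return session;
}

// Applies one posture change mid-session and returns the decision for that moment;
// every decision is appended to session.events, which forms the audit trail.
function onPostureEvent(session, control, enabled) {
  session.posture[control] = enabled;
  const score = riskScore(session.posture);
  const failing = Object.keys(RISK_WEIGHTS).filter((c) => session.posture[c] !== true);
  const decision = score >= BLOCK_THRESHOLD
    ? { action: 'block', remediate: failing } // user must reinstate these controls to continue
    : { action: 'allow', remediate: [] };
  session.events.push({ control, enabled, score, action: decision.action });
  return { score, ...decision };
}
```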
Identity increasingly the cornerstone of threat detection and response
Since so many security incidents occur through the use of stolen or misused credentials, it is clear that identity must be incorporated into threat detection and response processes and activities. Considering identity in isolation will only solve one part of the problem and is insufficient for embedding zero trust throughout the organisation.
Any solution chosen should be capable of analysing risk signals from the security controls that are in place throughout the security infrastructure, in order to improve risk detection and to accelerate responses to any incidents uncovered. It should do this through continuous monitoring, to ensure that organisations are not just dealing with a snapshot in time but are working with real-time information that shows the impact of events on the infrastructure over time.
Through such monitoring activities, organisations will be provided with a comprehensive audit trail that will enable them to prove that they are reaching their compliance objectives.
The journey to zero trust
Whilst implementing a zero trust framework is a wide and encompassing undertaking, solving the problems related to identity, so that users can access what they need via trusted devices without the danger that their credentials will be compromised, is a concrete place to start. For many, the journey will be a long one, but sorting out identity issues is a valuable first step.