Today, the first Thursday of May, is World Password Day, when users are reminded to change their passwords and implored not to reuse the same password across services. For those of us in security, strong, unique passwords, changed promptly when there is any sign they have been exposed, are the absolute minimum for enterprise users. But it is a minimum that often goes unmet. Despite password managers, users remain guided by convenience and prefer the simplicity of a single password.
Such behavior opens the door to credential stuffing. Once an attacker has captured a username and password for one site, the same pair can be tried against many other services, and wherever the user reused it the attacker walks straight in.
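As an added example (not from the original post), here is detection logic for the trace credential stuffing leaves in an authentication log: one source address spraying attempts across many distinct accounts with a high failure rate, which is how a replayed breach list looks, as opposed to a single user who fumbles their own password a few times and then gets in. The log line format, the thresholds and the addresses (RFC 5737 documentation ranges) are constructed for this example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// AuthEvent is one parsed login attempt from the sample log.
type AuthEvent struct {
	IP      string
	User    string
	Success bool
}

// ParseAuthLog reads lines of the (assumed) form
//   <timestamp> ip=<addr> user=<name> result=<ok|fail>
// and skips anything that does not carry all three fields.
func ParseAuthLog(log string) []AuthEvent {
	var events []AuthEvent
	for _, line := range strings.Split(log, "\n") {
		var ev AuthEvent
		seen := 0
		for _, f := range strings.Fields(line) {
			switch {
			case strings.HasPrefix(f, "ip="):
				ev.IP = strings.TrimPrefix(f, "ip=")
				seen++
			case strings.HasPrefix(f, "user="):
				ev.User = strings.TrimPrefix(f, "user=")
				seen++
			case strings.HasPrefix(f, "result="):
				ev.Success = strings.TrimPrefix(f, "result=") == "ok"
				seen++
			}
		}
		if seen == 3 {
			events = append(events, ev)
		}
	}
	return events
}

// SourceStats summarises one source IP's attempts.
type SourceStats struct {
	Attempts      int
	Failures      int
	DistinctUsers int
}

// DetectStuffing flags source IPs that spread attempts over at least minUsers
// distinct accounts with a failure rate of at least minFailRate.
func DetectStuffing(events []AuthEvent, minUsers int, minFailRate float64) map[string]SourceStats {
	usersByIP := map[string]map[string]bool{}
	stats := map[string]SourceStats{}
	for _, ev := range events {
		if usersByIP[ev.IP] == nil {
			usersByIP[ev.IP] = map[string]bool{}
		}
		usersByIP[ev.IP][ev.User] = true
		s := stats[ev.IP]
		s.Attempts++
		if !ev.Success {
			s.Failures++
		}
		s.DistinctUsers = len(usersByIP[ev.IP])
		stats[ev.IP] = s
	}
	flagged := map[string]SourceStats{}
	for ip, s := range stats {
		if s.DistinctUsers >= minUsers && float64(s.Failures)/float64(s.Attempts) >= minFailRate {
			flagged[ip] = s
		}
	}
	return flagged
}

// SampleLog is constructed for this example, not captured traffic:
// 203.0.113.7 walks a leaked list, 198.51.100.2 mistypes its own password.
const SampleLog = `2024-05-02T09:00:01Z ip=203.0.113.7 user=alice result=fail
2024-05-02T09:00:02Z ip=203.0.113.7 user=bob result=fail
2024-05-02T09:00:02Z ip=198.51.100.2 user=carol result=fail
2024-05-02T09:00:03Z ip=203.0.113.7 user=dave result=fail
2024-05-02T09:00:03Z ip=203.0.113.7 user=erin result=fail
2024-05-02T09:00:04Z ip=198.51.100.2 user=carol result=fail
2024-05-02T09:00:04Z ip=203.0.113.7 user=frank result=ok
2024-05-02T09:00:05Z ip=203.0.113.7 user=grace result=fail
this line is malformed and is skipped
2024-05-02T09:00:06Z ip=198.51.100.2 user=carol result=ok`

func main() {
	flagged := DetectStuffing(ParseAuthLog(SampleLog), 5, 0.5)
	ips := make([]string, 0, len(flagged))
	for ip := range flagged {
		ips = append(ips, ip)
	}
	sort.Strings(ips)
	for _, ip := range ips {
		s := flagged[ip]
		fmt.Printf("%s: %d attempts across %d accounts, %d failures\n",
			ip, s.Attempts, s.DistinctUsers, s.Failures)
	}
}
```

Note that the one successful login from the flagged address is the dangerous one: a stuffing run that ends in `result=ok` means a reused password worked, and that account, not just the source address, needs attention.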
This desire for convenience has also driven the adoption of federated identity providers (IdPs). Federation links a user's identity across multiple security domains, each with its own identity management system: the user authenticates once to the home domain and is then admitted to resources in a partner domain without logging in again. That is good for the enterprise and great for usability, but it concentrates risk. A misconfigured or compromised IdP, or a service provider that does not properly validate the assertions it receives, hands an attacker access to every federated service at once.
Another option is to go passwordless. PKI-based methods give each user a certificate and a private key that stays on the device; the user proves possession of the key by signing a fresh challenge, so no password is typed, sent, or stored, and the user experience improves. However, the infrastructure behind this (a certificate authority, enrolment, revocation, and secure key storage on every endpoint) is complex and costly to operate. Other password-free approaches, such as SQRL, have struggled to gain a foothold in the business environment because this public-domain method comes without the vendor support structure enterprises require.
Adoption of a passwordless approach also lags because every application would have to support it, which is a challenge, especially for long-lived applications. Modern, cloud-based solutions therefore rely on SAML assertions, Kerberos tickets, or OpenID Connect tokens: the application trusts a signed credential issued by the identity provider instead of handling the password itself.
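The challenge-response at the core of certificate- and key-based passwordless login, as an added example that is not from the original post. It uses raw Ed25519 key pairs instead of X.509 certificates so the code stays self-contained; the server name `https://idp.example`, the user `alice`, and the signed message layout (origin, a separator, then the nonce) are assumptions of the example. The point it makes is the one the paragraph above hinges on: the key is long-lived, the challenge is what is one-time, and the server must consume each challenge so a captured response cannot be replayed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// origin is bound into every signed response so that a response a phishing
// site obtained for a different origin is not valid here. Placeholder name.
const origin = "https://idp.example"

// signedMessage is what the client signs: origin, NUL, nonce (assumed layout).
func signedMessage(nonce []byte) []byte {
	return append([]byte(origin+"\x00"), nonce...)
}

// AuthServer holds enrolled public keys and the challenges it has issued.
type AuthServer struct {
	keys       map[string]ed25519.PublicKey // user -> enrolled public key
	challenges map[string][]byte            // user -> nonce not yet consumed
}

func NewAuthServer() *AuthServer {
	return &AuthServer{keys: map[string]ed25519.PublicKey{}, challenges: map[string][]byte{}}
}

// Enroll registers a user's public key; the private key never reaches the server.
func (s *AuthServer) Enroll(user string, pub ed25519.PublicKey) { s.keys[user] = pub }

// Challenge issues a fresh random nonce for one login attempt.
func (s *AuthServer) Challenge(user string) ([]byte, error) {
	if _, ok := s.keys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.challenges[user] = nonce
	return nonce, nil
}

// Verify checks that the nonce is the outstanding one for this user, consumes
// it before checking the signature (so neither outcome leaves it reusable),
// then verifies the signature over origin || nonce with the enrolled key.
func (s *AuthServer) Verify(user string, nonce, sig []byte) error {
	pub, ok := s.keys[user]
	if !ok {
		return errors.New("unknown user")
	}
	issued, ok := s.challenges[user]
	if !ok || !bytes.Equal(issued, nonce) {
		return errors.New("nonce was not issued or has already been used")
	}
	delete(s.challenges, user)
	if !ed25519.Verify(pub, signedMessage(nonce), sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

// Client is the user's device: it holds the private key and only ever signs.
type Client struct{ priv ed25519.PrivateKey }

func NewClient() (*Client, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Client{priv: priv}, nil
}

func (c *Client) PublicKey() ed25519.PublicKey { return c.priv.Public().(ed25519.PublicKey) }
func (c *Client) Respond(nonce []byte) []byte  { return ed25519.Sign(c.priv, signedMessage(nonce)) }

// LoginExchange runs enrolment, one login, and then a replay of the captured
// (nonce, signature) pair. It returns the verification result of each.
func LoginExchange() (first, replay error) {
	server := NewAuthServer()
	client, err := NewClient()
	if err != nil {
		return err, err
	}
	server.Enroll("alice", client.PublicKey())
	nonce, err := server.Challenge("alice")
	if err != nil {
		return err, err
	}
	sig := client.Respond(nonce)
	first = server.Verify("alice", nonce, sig)
	// An eavesdropper who captured nonce and sig tries to log in as alice.
	replay = server.Verify("alice", nonce, sig)
	return first, replay
}

func main() {
	first, replay := LoginExchange()
	fmt.Println("first login:", first)
	fmt.Println("replayed response:", replay)
}
```

What a real PKI deployment adds on top of this exchange is exactly the cost the paragraph describes: a CA to vouch for the binding between key and user, revocation when a device is lost, and hardware-backed storage so the private key cannot be copied off the endpoint.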
Ultimately, the interplay of the three classic authentication factors offers the strongest practical protection. Combining something the user knows (the password), something the user has (a hardware token such as a YubiKey, an authenticator app such as Google Authenticator, or, weakest of the three because it can be intercepted or redirected by SIM swapping, an SMS code), and something the user is (fingerprint, voice, or face) forms the basis of strong multi-factor authentication. Identity providers rely on this principle, which combines convenience and security when accessing applications: after one multi-factor login, the user is granted access to downstream applications through single sign-on.
Once multi-factor authentication has replaced the classic password as the gate to a variety of services, companies should turn to securing access to the applications that are moving to the cloud. The more applications migrate to modern cloud environments, the more cloud-based access control becomes the central issue. A promising approach is to combine password-free authentication with the traditional methods.
In connection with the cloud and secure remote access to data and applications that no longer live on the corporate network, the term "zero trust" has become another hotly discussed, and sometimes misunderstood, component of user authentication. Skeptics worry that if a user is verified only once, at login, anyone who takes over that session afterwards has free access to the approved services. Gartner's answer is the Continuous Adaptive Risk and Trust Assessment (CARTA) model, which starts from a posture of zero trust and treats the login as the beginning rather than the end of assessment: the user's validity and trustworthiness are monitored and re-evaluated throughout the session.
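As an added example (not part of the original post), the "something the user has" factor as an authenticator app and its server implement it: HOTP (RFC 4226) and TOTP (RFC 6238), plus the server-side checks a practitioner needs and that the factor list above leaves implicit, namely a small clock-drift window, a constant-time compare, and refusal to accept a code for a time step that has already been used. A TOTP code is one-time only if the server enforces that. The shared secret is the RFC test vector, not a real one; the skew and last-used-step handling are this example's design, not a standard.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

// HOTP computes the RFC 4226 code: HMAC-SHA1 over the big-endian counter,
// dynamic truncation to 31 bits, then reduced to the requested digit count.
func HOTP(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	offset := h[len(h)-1] & 0x0f
	code := uint64(h[offset]&0x7f)<<24 |
		uint64(h[offset+1])<<16 |
		uint64(h[offset+2])<<8 |
		uint64(h[offset+3])
	mod := uint64(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// TOTP is RFC 6238: HOTP with the counter taken from the clock, so the
// authenticator app and the server agree on a code without ever talking.
func TOTP(secret []byte, t time.Time, step time.Duration, digits int) string {
	return HOTP(secret, uint64(t.Unix()/int64(step/time.Second)), digits)
}

// VerifyTOTP accepts the current time step and up to skew steps either side
// (clock drift), compares in constant time, and never accepts a step at or
// before lastUsed. It returns the step that matched so the caller can store
// it as the new lastUsed; pass -1 when no code has been accepted yet.
func VerifyTOTP(secret []byte, code string, t time.Time, step time.Duration,
	digits, skew int, lastUsed int64) (ok bool, usedStep int64) {
	now := t.Unix() / int64(step/time.Second)
	for d := int64(-skew); d <= int64(skew); d++ {
		c := now + d
		if c < 0 || c <= lastUsed {
			continue
		}
		if subtle.ConstantTimeCompare([]byte(HOTP(secret, uint64(c), digits)), []byte(code)) == 1 {
			return true, c
		}
	}
	return false, lastUsed
}

// TestSecret is the RFC 4226 / RFC 6238 test-vector secret, ASCII "12345678901234567890".
var TestSecret = []byte("12345678901234567890")

func main() {
	for c := uint64(0); c < 3; c++ {
		fmt.Printf("HOTP counter %d: %s\n", c, HOTP(TestSecret, c, 6))
	}
	t := time.Unix(59, 0)
	code := TOTP(TestSecret, t, 30*time.Second, 8)
	fmt.Println("TOTP at t=59:", code)
	ok, step := VerifyTOTP(TestSecret, code, t, 30*time.Second, 8, 1, -1)
	fmt.Println("first use accepted:", ok, "step:", step)
	ok, _ = VerifyTOTP(TestSecret, code, t, 30*time.Second, 8, 1, step)
	fmt.Println("replay accepted:", ok)
}
```

The same property separates a YubiKey or authenticator app from SMS: the secret in the TOTP case, or the private key in the FIDO case, never crosses the network, whereas an SMS code is delivered over a channel the user does not control.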
The password’s day has passed. The age of the cloud requires a whole new approach to secure access. Gartner recommends a software-defined perimeter (SDP) solution. SDPs allow teams to establish trust, provide secure access based on context—such as the identity of the user, the device, and more—and provide ongoing monitoring for continuous risk assessment.
That’s a far more secure approach for the cloud and mobile world. And infinitely more secure than relying on users who insist on the same weak password for online banking, WhatsApp, dating sites, Netflix, Amazon, and Spotify. Along with your enterprise network.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Rainer Rehm is the Zscaler EMEA Data Protection Officer