Zero Trust (ZT) is an important security framework that defines how users inside and outside an organization must be authenticated. At a high level, this means taking continuous measures to assess when and how users can access applications and data. ZT aims to do away with perimeter-based protection schemes and encourages a uniform model for trusted access no matter where users are coming from.
Many companies are dedicating a ton of resources to zero-trust initiatives. There are a number of great public case studies such as the Microsoft initiative or Google's BeyondCorp program which focused on enabling secure remote access for employees without a VPN. Microsoft and Google are also at the forefront of another big trend: Passwordless.
So where do passwords fit into the Zero-Trust concept? The purpose of this guide establish a simple premise:
Passwords make your Zero-Trust program slower, more expensive, and less effective.
Zero-Trust + Passwords = Slow & Expensive
Businesses are encouraged to use modern technologies to verify the user’s identity and maintain system security. The ZT framework itself is based on a simple concept - Don't Trust Anyone.
What is the #1 reason for lack of trust? Passwords.
Passwords are shared, stolen, reused, replayed. They are the hackers' favorite target and entire categories of vendor products exist to make up for the shortcomings of passwords. While passwords are not the only reason for diminished trust they are certainly the most expensive.
Consider how many tools enterprises utilize to protect a password-based environment:
- Phishing Awareness Training
- Multi-Factor Authentication
- Automated Attack Prevention and Detection Tools
- Endpoint Protection
- One or Many Identity Providers
- Device Visibility & Analytics
- Identity Governance
- Fraud Detection Tools
- Risk-Based Policy Management
- Credential-Based Threat Intelligence
- Password Managers or Password Training
- Privilege Access Management
You’re likely to already have multiple security solutions working together. Your tooling ranges from identity providers, to access control, and threat intelligence which are integrated to inform your Trust Algorithm.
The problem with implementations of this framework is that most organizations still depend heavily on passwords and shared secrets. How does a password-based environment negatively impact your Zero-Trust program?
Higher Tooling Costs
Additional tools require more administrators, new user licenses, and may even call for user and help desk training - all of which compound into a more expensive security program. In achieving a "Trust No One" environment you you are likely to purchase ancillary tooling to make up for the risks that come with using passwords. For example, Automated Credential Attacks are likely to happen in an organization where users login with passwords and shared secrets. But if you deployed smart-card enforced desktop login are you sure you need a tool to detect credential reuse attacks? Probably not.
Gaps in MFA Adoption
A key tenet of Zero-Trust is the use of Multi-Factor Authentication (MFA). Organizations often find significant gaps in MFA adoption such as workstation login, RDP, VPN, VDI and a number of edge cases where passwords are the default. These gaps are especially painful for employees who work remotely, travel often, and might use their workstation in public areas. The friction of forcing employees to use Password+MFA for all of these login experiences creates a major adoption hurdle and, in turn, slows down the initiative as a whole.
Slower Time to Value & Resource Constraints
Small businesses need time to procure, configure, and deploy. Large enterprises have long costly RFP cycles requiring a higher level of training and communication across the organization. Moreover, IT and Infosec teams are often under-resourced and overwhelmed; they feel the password pains more than anyone. A successful zero trust program requires focus from these critical departments. Taking passwords out of the equation gives your teams time to focus on everything else.
What Does Passwordless Zero-Trust Look Like?
That’s where True Passwordless MFA comes in. Let’s see what a zero trust experience looks like without passwords. This demo combines the use of HYPR, Okta, and YubiKey to demonstrate what a day in the life of a zero-trust user looks like.
First your employee logs into their computer with Desktop MFA. Then, they continue their journey with True Passwordless SSO into Okta. And, if they require access to a more sensitive app, such as Salesforce, they can be prompted for step up authentication with Windows Hello or YubiKey.
Let's explore the impact of going passwordless as part of your zero trust initiative.
Fewer Passwords = Lower Tooling Costs
Still think you need that automated credential attack tool? Should you purchase a hardware security token for every employee? Or can you reduce the cost by only issuing tokens to admins? Is all that phishing awareness training necessary if your employees don't even have a phishable password? Consider the many ways you can better utilize your budget towards new, urgent resources for your team.
Achieve Higher Levels of Assurance
Replacing passwords with Certificate-Based Authentication allows for the highest level of assurance (NIST AAL3) and visibility. According to NIST SP 800-207 this is an optimal approach for securing enterprise access. With Smart Card enforcement at the workstation level, every user must login with Passwordless Desktop MFA.
Solve the MFA Gaps and Accelerate Adoption
Zero Trust begins at the endpoint, so naturally it should be secured to the highest degree. Whether users are logging into a personal laptop or a shared workstation, passwordless is the best way to solve your desktop MFA gap. The same login experience can then be extended to remote access such as RDP and VPN, as well as Virtual Desktops and Single Sign-On.
Increase Deterrent for Credential Based Attacks
One of the core tenets of Zero Trust model is "the use of Preventative Measures to deter hackers." Let's assume the attacker was aware that your users did not utilize password-based login. How much of a deterrent is that knowledge? Malicious actors are far more likely to move on to an easier target.
Redefining Risk-Based Authentication
Zero Trust encourages continuous authorization. Authentication is no longer considered to be a static event and is happening throughout the digital experience. Passwords can be shared and require a higher level of risk profiling. The requirement to use continuous login prompts and force users to choose between multiple factors create an inconsistent user experience. A passwordless environment that relies on certificate-based authentication inherently carries a much lower level of risk.
More than 50 Billion credential stuffing attacks happened last year. More than 50% of visitors to banking websites are malicious login attempts. Imagine if the security resources used to mitigate these attacks were reprioritized.
Eliminating the password lays the foundation for a powerful Zero-Trust experience that is easy to use and easy to deploy. Between the reduced tooling and allowing infosec to focus on the things that really matter, the ROI of going passwordless cannot be understated.