Passwordless Security Guide
The Passwordless Approach to Zero Trust
Zero Trust is an important security framework that defines how users inside and outside an organization must be authenticated and authorized to access corporate resources. At a high level, this means taking preventative and continuous measures to assess when, what and how users can access applications and data. Importantly the framework aims to do away with perimeter-based protection scheme and encourages a uniform model for trusted user access no matter where they are coming from.
Many companies are now dedicating significant resources to zero-trust initiatives. There are a number of great public case studies such as the Microsoft initiative or Google’s BeyondCorp program which focused on enabling secure remote access for employees without a VPN.
As the term has grown in popularity, naturally so has vendor marketing. Many products in recent years have adopted some form of Zero-Trust messaging aimed at security practitioners. This marketing typically follows the formula of “What is Zero Trust and How Does our Product Fit into Your Budget?” The result is a predictable mix of tech jargon and attempts to shoehorn a product into a broader security program.
This guide does not attempt to position any particular product as a Zero Trust Solution. Rather, the intent is to establish a simple premise: Passwords make your Zero-Trust program slower, more expensive, and less effective.
Zero Trust with Passwords
A Zero-Trust approach encourages businesses to use modern technologies to verify the user’s identity and maintain system security. The framework itself is based on a simple concept – Don’t Trust Anyone.
What is the #1 reason for lack of trust? Passwords.
Passwords are shared, stolen, reused, replayed. They are the hackers’ favorite target and entire categories of vendor products exist to make up for the shortcomings of passwords. While passwords are not the only reason for diminished trust they are certainly the most expensive. Consider how many tools enterprises utilize to protect a password-based environment:
- Phishing Awareness Training
- Multi-Factor Authentication
- Automated Attack Prevention and Detection Tools
- Endpoint Protection
- One or Many Identity Providers
- Device Visibility & Analytics
- Identity Governance
- Fraud Detection Tools
- Risk-Based Policy Management
- Credential-Based Threat Intelligence
- Password Managers or Password Training
- Privilege Access Management
The pain of passwords goes a long way and has always been felt across the organization. But how does a password-based environment negatively impact your Zero-Trust program?
Additional tools require more administrators, new user licenses, and may even call for user and help desk training – all of which compound into a more expensive security program. In achieving a “Trust No One” environment you you are likely to purchase ancillary tooling to make up for the risk creating by passwords. For example, Automated Credential Attacks are likely to happen in an organization where users login with passwords and shared secrets. But if you deployed smart-card enforced desktop login are you sure you need a tool to detect credential reuse attacks? Probably not.
Gaps in MFA Adoption
A key tenet of Zero-Trust is the need to deploy Multi-Factor Authentication (MFA). As organizations progress down the path they often discover significant gaps in MFA adoption such as desktop/workstation login, RDP, VPN, VDI and a number of edge cases where passwords are the default. These gaps are especially painful for employees who work remotely, travel often, and might use their workstation in public areas. The friction of forcing employees to use Password+MFA for all of these login experiences creates a major adoption hurdle and, in turn, slows down the initiative as a whole.
Slower Progress & Resource Constraints
Small businesses need time to procure, deploy configure and tie everything together. Big enterprises have long costly RFP cycles and require a higher level of training and communication across the large organization. No matter what your org looks like time to value is a key metric of your zero trust initiative. Moreover, IT and Infosec teams are often under-resourced and overwhelmed. They also feel the password pains more than anyone, creating yet another time sink for an already constrained org. A successful zero trust program requires focus from these critical departments. Taking passwords out of the equation gives your teams time to focus on everything else.
A Passwordless Zero-Trust Model
Passwordless authentication establishes a strong foundation upon which zero-trust initiatives are built. What is the impact?
Reduce Tooling = Lower Costs
Taking passwords out of the attack surface frees up a lot of your budget. Still think you need that Automated credential attack tool? Not necessary. Do you really need to give every single employee a hardware security token? Or can you reduce the cost by issuing tokens to only admins? Is all that phishing awareness training necessary if your employees don’t even have a phishable password? Consider how you can better utilize that budget towards new, urgent resources for your team.
Achieve Higher Levels of Assurance
Removing the password and using Certificate-Based Authentication allows for the highest level of assurance (NIST AAL3) and visibility for the enterprise. According to NIST SP 800-207 this is the optimal approach for securing enterprise access. With Smart Card enforcement at the workstation level, every user must login with Passwordless Desktop MFA.
Solve the MFA Gaps and Accelerate Adoption
Zero Trust begins at the endpoint, so naturally it should be secured to the highest degree. Whether users are logging into a Windows, Mac, personal or shared workstation, passwordless authentication is the best way to solve the desktop MFA gap. The same login experience can then be extended to passwordless remote access such as RDP and VPN, as well as Virtual Desktops and Single Sign-On. The outcome is a consistent login experience that stays with your user from initial login and throughout.
Increase Deterrent for Credential Based Attacks
One of the core tenets of Zero Trust model is the use of Preventative Measures to deter hackers. Let’s assume the attacker was aware that your users did not utilize password-based authentication. How much of a deterrent is that knowledge? Malicious actors are likely to move on to an easier target.
Redefining Risk-Based Authentication
Zero Trust encourages a continuously authenticated user experience. In the modern era, authentication is no longer considered to be a static event and is happening throughout the digital experience. Passwords can be shared and require a higher level of risk profiling – this hinders your ability to continuously authenticate a user with a high level of assurance (LOA). Furthermore, the requirement to use continuous login prompts and force users to choose between multiple factors create an inconsistent user experience. A passwordless environment that relies on certificate-based authentication inherently carries a much lower level of risk. Eliminating the password lays the foundation for a continuous authentication experience with a high LOA that is easy to use.
Free Up IT Resources for Faster Program Cycles
Between the reduced tooling and Allowing infosec to focus on the things that really matter. More than 50B credential stuffing attacks happened last year. More than 50% of visitors to banking websites are malicious login attempts. Imagine if those resources were spent on OpSec.
What Does a Passwordless Zero Trust Look Like?
This demo combines the use of HYPR, Okta, and YubiKey to demonstrate what a day in the life of a zero-trust user looks like.