Modern authentication in the hybrid working era

Remote working is not a new concept, but before 2020 it tended to be restricted to a limited selection of roles when it came to white-collar jobs. Aside from business trips, most workers were expected to be at their desks for business hours, with home working being the exception rather than the rule.

About the author

Tom Jermoluk is Cofounder and CEO of Beyond Identity.

Post-2020, though, more businesses have realized the benefits of a hybrid working environment that allows greater freedom between the office and remote working. The latest ONS findings indicate around a quarter of UK businesses intend to use increased homeworking going forward, with the figure shooting up to nearly half of firms in the information and communication industry. Employees who have had a taste of homeworking are particularly keen on maintaining this approach – 85 percent say they want to use a hybrid approach moving forward.

The workforce is not the only thing to migrate out of the office. More and more of the underlying technology has left the building too. Cloud migration had been well underway at most businesses for years, and the pandemic accelerated the process. Many organizations are now built on infrastructure-as-a-service platforms like AWS or Microsoft Azure and use a range of software-as-a-service (SaaS) apps.

However, this dispersed digital infrastructure also means that traditional security strategies are becoming increasingly irrelevant. So how can organizations keep their hybrid environments secure?

How remote working has highlighted the password problem

With employees logging in from many different locations as standard, the old “castle and moat” approach to cybersecurity, where there was only one well-protected gate (the firewall) to keep the bad guys out and let the good guys in, simply doesn’t work. To stretch the castle metaphor further still, today most of the villagers live and work outside the castle walls. Things were easier when we could build a wall around the village and just protect the main entry and exit points. But since the villagers now need to leave the village to reach the resources they need for work, the old network-centric security has become obsolete.

Accordingly, the greatest security challenge today is validating the identity of users and ensuring endpoint devices are secure before granting them access to critical apps and data. Identity authentication has long been established by username/password combinations. Passwords were always a bad choice. They are frequently stolen using social engineering techniques (phishing sites, etc.) or credential theft malware and reused by attackers to access systems and data. Passwords are also exploited by adversaries through brute force attacks that systematically try thousands of commonly used passwords to gain access. The latest Verizon Data Breach Investigations Report found that around 60 percent of all security incidents in 2020 involved credentials.

Further, the proliferation of cloud-based applications means workers now have more credentials to keep track of than ever before. This increases the likelihood of them simply repeating their favorite combination across multiple different apps and services. As a result, a single stolen credential can often be used in half a dozen different places.

These issues have not been helped by the fact that password advice tends to range from unhelpful to downright counterproductive. The prevailing wisdom around longer, stronger passwords makes little difference if they are entered into a phishing site or when the threat actors install malware on devices to steal them. The phishing site or malware does not care if the password is four or four hundred characters long or whether it has special characters. It is happy to steal passwords of any length or complexity.

The result is that bad actors no longer need to break into networks and applications; they simply log in.

The need for strong authentication and risk based access

So how do you keep the company secure when most of the workforce is scattered for miles at any given time and accessing a range of applications outside the corporate network? The biggest priorities are the ability to reliably confirm the identity of the user behind the device, as well as the security of the device itself.

This requires a secure way to authenticate users, a way to validate devices, and a risk-based process to evaluate whether a device is appropriately secure before allowing it access to critical resources and data. A device being used to access low-risk assets, for example, would not require the same scrutiny as a device being used to access a mission-critical system or data that needs to be well protected. This process has become more important in the hybrid work and computing environment, as workers may need to use a combination of work-issued and BYOD endpoints.

Passwords alone are useless for authentication. Multi-factor authentication (MFA) is often touted as the answer for improving trust in the user's identity. But legacy MFA systems use insecure passwords as a foundation and add other weak factors, such as one-time passwords sent over insecure SMS or email. MFA based on push notifications is exploited by attackers using social engineering: sending multiple notifications in succession that many users will eventually accept just to stop the annoying messages. These solutions are like placing a screen door in front of a weak wooden door. Two weak doors do not make the building more secure. Any MFA that can be phished or socially engineered will leave systems vulnerable to attack.

More importantly, particularly in the new remote working and cloud computing models, legacy MFA was simply not designed to validate the device or evaluate how secure it is. With legacy MFA a user can log in from any device, with no way to know whether that device is secure. This leaves systems and data exposed to endpoints that may already be compromised.

The best approach is to erase the password entirely and move to passwordless MFA. This uses only fundamentally strong factors and has the ability to determine whether the device being used to access apps and data is trustworthy.

Delivering reliable security without compromising user experience

The most effective way of replacing passwords is to implement the same asymmetric (public-key) cryptography used in Transport Layer Security (TLS). TLS is best recognized as the padlock that appears in the browser's address bar. It uses public/private key pairs and X.509 certificates to validate internet servers and set up a secure, private communications channel. This technique is used across the internet to secure trillions of dollars of online financial transactions daily.

This same proven, secure method can be used to replace passwords and establish trust in a device. By leveraging the security chips built into modern endpoints, a private key can be stored in hardware (a TPM or secure enclave) so that it cannot be accessed, copied or moved. The associated public key is then stored in the cloud. During every login the system creates and signs a new X.509 certificate with the private key, and the app validates the certificate using the public key. This cryptographically binds the user identity to the device so that both can be reliably authenticated, and it leaves nothing for attackers to steal, reuse or copy. This fundamentally strong authentication can be combined with the secure biometric authentication built into modern endpoints to implement strong multi-factor authentication with a very low-friction user experience.
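The login flow described above, as an added illustration rather than Beyond Identity's own code: the device registers only its public key, the service issues a fresh nonce for each login, the device answers with a short-lived self-signed X.509 certificate carrying that nonce and signed by the device key, and the service accepts it only if the signature verifies under the registered key. The `Device`, `Registration`, `NewNonce` and `VerifyLogin` names are assumptions for this example, and the private key lives in memory here instead of a TPM or enclave; the verification logic is what a relying party would run either way.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Registration is the record the cloud service keeps: a user bound to the
// public half of a key pair. The private half never leaves the endpoint.
type Registration struct {
	User      string
	PublicKey ed25519.PublicKey
}

// Device stands in for the endpoint. In a real deployment the private key is
// generated inside, and never exported from, the TPM or secure enclave; this
// example (an assumption, not a product API) simply keeps it in memory.
type Device struct {
	priv ed25519.PrivateKey
	pub  ed25519.PublicKey
}

func NewDevice() (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{priv: priv, pub: pub}, nil
}

// Register hands the service only the public key; nothing secret crosses the wire.
func (d *Device) Register(user string) Registration {
	return Registration{User: user, PublicKey: d.pub}
}

// NewNonce is the server-side challenge: a fresh random value per login
// attempt, so a captured certificate cannot be replayed later.
func NewNonce() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// Login mints a short-lived, self-signed X.509 certificate whose CommonName
// carries the server's nonce, signed with the device-bound private key.
func (d *Device) Login(user, nonce string) ([]byte, error) {
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(now.UnixNano()),
		Subject:      pkix.Name{CommonName: nonce, Organization: []string{user}},
		NotBefore:    now.Add(-time.Minute),
		NotAfter:     now.Add(5 * time.Minute),
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, d.pub, d.priv)
}

// VerifyLogin is the service side. The certificate is accepted only if it is
// signed by the key registered for this user, carries this login's nonce and
// is inside its validity window.
func VerifyLogin(reg Registration, nonce string, der []byte) error {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return err
	}
	// Verify under the *registered* key, never the key embedded in the
	// certificate: otherwise anyone could mint a certificate with their own key.
	if !ed25519.Verify(reg.PublicKey, cert.RawTBSCertificate, cert.Signature) {
		return errors.New("signature does not verify under the registered key")
	}
	if cert.Subject.CommonName != nonce {
		return errors.New("nonce mismatch: stale or replayed certificate")
	}
	if now := time.Now(); now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return errors.New("certificate outside its validity window")
	}
	return nil
}

func main() {
	dev, _ := NewDevice()
	reg := dev.Register("alice@example.com") // constructed sample user
	nonce, _ := NewNonce()
	der, _ := dev.Login(reg.User, nonce)
	fmt.Println("genuine login:", VerifyLogin(reg, nonce, der))
	stale, _ := NewNonce()
	fmt.Println("replayed certificate:", VerifyLogin(reg, stale, der))
}
```

Two properties follow directly from the code: a certificate captured in transit is rejected on the next login because the nonce no longer matches, and a certificate minted on any other device is rejected because its signature does not verify under the key registered at enrollment. A phishing page or infostealer that copies everything visible to the user still has nothing that passes `VerifyLogin`.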

A solution that meets the needs of modern work and computing environments must also be able to assess the security posture of the device and apply risk-based policies, ensuring that only devices that meet security and compliance policies have access to apps and data. In the modern hybrid environment, every worker needs reliable access to essential assets on premises and off, from any location and with a variety of devices. Each endpoint has become its own perimeter, and strong, risk-based authentication is the key to keeping it secure.
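The risk-based access process described in this section and earlier (scrutiny that scales with the sensitivity of what is being accessed, so a BYOD laptop can reach low-risk assets but not a mission-critical system), as an added example that is not the page's or any vendor's code. The `Posture` fields, the three sensitivity tiers and the thresholds are assumptions chosen for illustration; a real deployment would source these signals from the authenticator's device agent or an MDM/EDR integration.

```go
package main

import "fmt"

// Sensitivity of the resource being requested; requirements grow with it.
type Sensitivity int

const (
	Low    Sensitivity = iota // e.g. a cafeteria menu
	Medium                    // e.g. internal wiki, ticketing
	High                      // e.g. production console, finance data
)

// Posture is the signal set collected from the endpoint at login time.
// Field names are assumptions for this example, not a product schema.
type Posture struct {
	Managed        bool // company-issued / enrolled in device management
	HardwareKey    bool // login key held in a TPM or secure enclave
	ScreenLock     bool
	DiskEncrypted  bool
	EDRRunning     bool
	OSPatchAgeDays int // days since the last OS security update
}

// Decision is allow/deny plus the policy checks that failed, so the user
// (and the SOC) can see why access was refused.
type Decision struct {
	Allow   bool
	Reasons []string
}

// Evaluate applies a tiered policy: every access needs a hardware-bound
// credential and a screen lock; higher tiers add disk encryption, patch
// currency, device management and endpoint protection. Thresholds are illustrative.
func Evaluate(p Posture, s Sensitivity) Decision {
	var reasons []string
	require := func(ok bool, why string) {
		if !ok {
			reasons = append(reasons, why)
		}
	}
	require(p.HardwareKey, "credential is not hardware-bound")
	require(p.ScreenLock, "screen lock disabled")
	if s >= Medium {
		require(p.DiskEncrypted, "disk not encrypted")
		require(p.OSPatchAgeDays <= 30, "OS patches older than 30 days")
	}
	if s >= High {
		require(p.Managed, "unmanaged (BYOD) device")
		require(p.EDRRunning, "endpoint protection not running")
		require(p.OSPatchAgeDays <= 7, "OS patches older than 7 days")
	}
	return Decision{Allow: len(reasons) == 0, Reasons: reasons}
}

func main() {
	// Constructed sample: a personal laptop with good hygiene but no MDM or EDR.
	byod := Posture{HardwareKey: true, ScreenLock: true, DiskEncrypted: true, OSPatchAgeDays: 5}
	for _, s := range []Sensitivity{Low, Medium, High} {
		d := Evaluate(byod, s)
		fmt.Printf("sensitivity %d: allow=%v reasons=%v\n", s, d.Allow, d.Reasons)
	}
}
```

The point of returning `Reasons` rather than a bare boolean is operational: a denied user gets an actionable message ("enable disk encryption") instead of a dead end, and the same record can be logged for detection, since a sudden run of "credential is not hardware-bound" denials for one account is itself a signal worth investigating.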
