Why isn't Zero Trust Authentication already a thing?


For far too long, the security of an organization's internal systems and its customers’ accounts has depended on passwords, a fundamentally flawed approach designed many decades ago. While attempts have been made to build better, more secure authentication methods, most still put the onus on the user: remembering a password, not clicking unsafe phishing links, not giving away credentials to adversaries in a social engineering attack, and not accepting an illicit push notification in a “prompt bombing” attack.

Nowadays people are more aware of these risks. But humans will make mistakes, and it is human nature generally to be trusting, which is why criminals find it so easy to feast on unsuspecting users.



Don’t put the onus on humans

We need to bring authentication into the modern world of zero trust. However, expecting people to approach authentication with a zero trust mindset is never going to work, no matter how much education we put in place. Even when our employees and our customers remain suspicious and vigilant, adversaries simply have the upper hand.

Attackers are now easily bypassing first-generation multi-factor authentication (MFA), including one-time passwords, magic links, and push notifications. They have readily available phishing kits and phishing-as-a-service capabilities they can employ to launch adversary-in-the-middle (AiTM) attacks. They also have techniques for making very credible phishing emails, including the use of ChatGPT and other AI-powered aids, that remove tell-tale signs like spelling and grammar mistakes or wonky-looking URLs.

While fostering a security-conscious culture certainly helps, it can’t guard against malicious actors stealing valid credentials or obtaining them from the dark web, then using MFA bypass methods to gain entry as a legitimate user. With outdated authentication, adversaries are simply logging in. This is a technical problem, and it needs a sound technical solution that takes the user out of the loop.

CrowdStrike’s recent research reminds us of the extent of the problem, highlighting that in 2022 adversaries used compromised credentials as the initial attack vector in over 75% of all cyberattacks. A decade’s worth of analysis from the Verizon Data Breach Investigations Report validates that the vast majority of data breaches and successful ransomware attacks begin with compromised credentials. Remote and hybrid working hasn’t helped either, with major attacks involving a mobile or IoT device increasing by 22% between 2021 and 2022, according to Verizon.

To compound the issue, it’s not just employees and customers that organizations need to consider, but also contractors and workers in their extended supply chain. If users' identities are compromised anywhere in the extended ecosystem, criminals have a way in.

The logical conclusion is to take the responsibility for secure authentication away from the individual and instead do it in a way that renders stolen credentials and MFA bypass attacks useless. This is where Zero Trust Authentication (ZTA) comes in.

Jasson Casey, Beyond Identity

Foundational elements of Zero Trust Authentication

There are four foundational elements of a strong, modern authentication capability that meets the very high bar for zero trust.

First is the elimination of weak identity authentication factors, including passwords and first-generation MFA. The use of multiple strong authentication factors, including cryptographic keys like FIDO passkeys and biometrics built into modern endpoints (e.g., fingerprint, facial recognition), provides a robust way to validate user identity. However, the solution must not only use strong factors; it must be architected to defend against AiTM methods, where adversaries use a proxy to steal access tokens.

Thus, even if the factors themselves are not susceptible to AiTM, the authentication transaction itself and the access token may be open to exploitation. Using local biometrics stored in secure hardware (e.g., a trusted platform module, or TPM) and public/private key cryptography (e.g., passkeys), where the private key is securely stored in the TPM, is critically important. But what the U.S. National Institute of Standards and Technology (NIST) calls verifier impersonation resistance, binding the authentication to the genuine verifier rather than to whoever is relaying the login, can thwart any AiTM attack and avoid handing an attacker an access token they can use to gain access from anywhere.
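To make the verifier-impersonation-resistance point concrete, here is an added example (not code from the article or from Beyond Identity) that models how a FIDO2/WebAuthn passkey assertion is bound to the origin the browser is actually talking to. The hostnames, challenge and authenticator data are constructed for the demo, and the struct and function names are this example's own; the signing input (authenticatorData followed by the SHA-256 of clientDataJSON) follows the WebAuthn layout. The relying party checks the challenge and origin before it even looks at the signature, so an assertion produced while the browser was lured to a relaying proxy on another origin is rejected and no access token is ever minted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData carries the WebAuthn clientDataJSON fields that matter for origin binding.
// The browser fills in Origin with the site it is really connected to; the user cannot change it.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// assertion is what the relying party receives back from the browser.
type assertion struct {
	ClientDataJSON []byte
	AuthData       []byte // stand-in for authenticatorData (RP ID hash, flags, counter)
	Signature      []byte // ASN.1 DER ECDSA signature
}

// signedMessage reproduces the WebAuthn signing input: authenticatorData || SHA-256(clientDataJSON).
func signedMessage(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return msg[:]
}

// authenticatorSign models the passkey: the private key never leaves the device, and the
// signature covers the origin the browser observed, so it is only meaningful for that origin.
func authenticatorSign(priv *ecdsa.PrivateKey, browserOrigin, challenge string, authData []byte) (assertion, error) {
	cd, err := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: browserOrigin})
	if err != nil {
		return assertion{}, err
	}
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedMessage(authData, cd))
	if err != nil {
		return assertion{}, err
	}
	return assertion{ClientDataJSON: cd, AuthData: authData, Signature: sig}, nil
}

// verifyAssertion is the relying party's side. It rejects before checking the signature if the
// challenge is not the one it issued or the origin is not its own, which is what defeats a proxy.
func verifyAssertion(pub *ecdsa.PublicKey, expectedOrigin, issuedChallenge string, a assertion) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" {
		return errors.New("unexpected clientData type")
	}
	if cd.Challenge != issuedChallenge {
		return errors.New("challenge mismatch: replayed or cross-session assertion")
	}
	if cd.Origin != expectedOrigin {
		return fmt.Errorf("origin mismatch: assertion was produced for %q, expected %q", cd.Origin, expectedOrigin)
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(a.AuthData, a.ClientDataJSON), a.Signature) {
		return errors.New("invalid signature")
	}
	return nil
}

// demo runs two logins with the same registered passkey: one where the browser talks to the real
// site, and one where it has been lured to a relaying proxy on a different origin (constructed
// hostnames). It returns the relying party's verdict for each.
func demo() (direct, proxied error) {
	const rpOrigin = "https://login.example.test"             // the relying party's real origin (constructed)
	const proxyOrigin = "https://login.example-proxy.test"    // an adversary-in-the-middle page (constructed)
	const challenge = "Y29uc3RydWN0ZWQtY2hhbGxlbmdlLXZhbHVl" // constructed; a real RP issues fresh random bytes
	authData := []byte("constructed-authenticator-data")

	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err, err
	}

	a1, err := authenticatorSign(priv, rpOrigin, challenge, authData)
	if err != nil {
		return err, err
	}
	direct = verifyAssertion(&priv.PublicKey, rpOrigin, challenge, a1)

	// The proxy relays the genuine challenge, but the browser signs for the proxy's origin.
	a2, err := authenticatorSign(priv, proxyOrigin, challenge, authData)
	if err != nil {
		return direct, err
	}
	proxied = verifyAssertion(&priv.PublicKey, rpOrigin, challenge, a2)
	return direct, proxied
}

func main() {
	direct, proxied := demo()
	fmt.Println("direct login:", direct)   // <nil>: accepted
	fmt.Println("proxied login:", proxied) // origin mismatch: rejected
}
```

The useful observation for defenders is that the relaying proxy gets a syntactically perfect, correctly signed assertion and still cannot use it: the signature is over the proxy's origin, not the relying party's, so the verifier has nothing to convert into a session token. That is the property a one-time password or push approval lacks, since those secrets carry no notion of where they were entered.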

Second, a modern authentication solution must establish a high level of trust in the device being used to log in to systems and applications. The solution needs to establish whether employees (and contractors) or customers are logging in from an authorized device. First-generation MFA like push notifications and one-time passwords will easily allow a user to log in from a less-than-ideal device, for example a “pre-compromised” computer in a hotel lobby or internet cafe. The ability to cryptographically bind a user to their device (using public/private key cryptography, e.g., FIDO passkeys) eliminates the risk of a valid user logging in from an unauthorized, and potentially compromised, device.

Knowing whether the device is authorized is only part of the equation. A modern authentication solution needs to ensure that endpoint security controls are configured and working at the time of authentication. That means checking the security posture of the device against policy: for example, checking that the lock screen, local PIN code and biometrics are enabled, that the firewall is on, and that the hard drive is encrypted. It also includes making sure that security software like mobile device management (MDM) and endpoint detection and response (EDR) is installed and working properly at the time of authentication. This second element, device trust, ensures that only authorized and appropriately secure devices are able to gain access to systems, apps and data.

Once-and-done isn’t good enough

Today, once the authentication transaction is completed, the user is granted an access token that remains valid for a period of time, sometimes a few hours but often days or even weeks. But, as we all know, things change, so this once-and-done approach of traditional authentication is no longer good enough. This brings us to the third element of a modern Zero Trust Authentication solution. It starts from the principle that an access request is never trusted: each time, user identity and device trust must be thoroughly validated.

However, things can, and do, change after that validation. An end user can alter security settings, or an attacker can trick the user into installing malware that changes security settings or provides a backdoor on the device. Thus, we need to continuously re-check that the device security posture remains within policy and that security tools like EDR are not indicating a potential risk. This requires that a modern authentication solution be able to continuously validate trust in the user and the device: never trust, always (re)verify. This includes checking user behavior signals (e.g., impossible travel scenarios), device security posture settings and interacting with tools like MDM and EDR to acquire additional risk signals.
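The device-posture checks described under the second element and the continuous re-verification described here can be shown together as one policy decision that runs on every access request. The following is an added example, not code from the article or from Beyond Identity: the posture fields mirror the settings the text lists (lock screen, local PIN/biometric, firewall, disk encryption, MDM, EDR), the 900 km/h impossible-travel threshold, the London and New York coordinates and the timestamps are all constructed for the demo, and every type and function name is this example's own. A real deployment would populate the posture struct from the OS, MDM and EDR agent rather than from literals.

```go
package main

import (
	"fmt"
	"math"
	"time"
)

// posture is one snapshot of the device signals the article lists. Field names are this
// example's own; in practice they come from the OS, the MDM and the EDR agent.
type posture struct {
	LockScreen          bool
	LocalPINOrBiometric bool
	Firewall            bool
	DiskEncrypted       bool
	MDMEnrolled         bool
	EDRRunning          bool
	EDRRiskFlag         bool // EDR is currently reporting a possible compromise
}

// compliantPosture is a fully in-policy device, the constructed starting point for the scenario.
func compliantPosture() posture {
	return posture{LockScreen: true, LocalPINOrBiometric: true, Firewall: true,
		DiskEncrypted: true, MDMEnrolled: true, EDRRunning: true}
}

// evaluatePosture returns every policy violation in the snapshot; an empty slice means in policy.
func evaluatePosture(p posture) []string {
	checks := []struct {
		ok     bool
		reason string
	}{
		{p.LockScreen, "lock screen disabled"},
		{p.LocalPINOrBiometric, "no local PIN or biometric"},
		{p.Firewall, "firewall off"},
		{p.DiskEncrypted, "disk not encrypted"},
		{p.MDMEnrolled, "MDM not enrolled"},
		{p.EDRRunning, "EDR agent not running"},
		{!p.EDRRiskFlag, "EDR reports possible compromise"},
	}
	var v []string
	for _, c := range checks {
		if !c.ok {
			v = append(v, c.reason)
		}
	}
	return v
}

type geo struct{ Lat, Lon float64 }

// accessEvent is one access request: when it happened and where the client appeared to be.
type accessEvent struct {
	At  time.Time
	Loc geo
}

// haversineKm is the great-circle distance between two points, in kilometres.
func haversineKm(a, b geo) float64 {
	const earthRadiusKm = 6371.0
	toRad := func(deg float64) float64 { return deg * math.Pi / 180 }
	dLat, dLon := toRad(b.Lat-a.Lat), toRad(b.Lon-a.Lon)
	h := math.Sin(dLat/2)*math.Sin(dLat/2) +
		math.Cos(toRad(a.Lat))*math.Cos(toRad(b.Lat))*math.Sin(dLon/2)*math.Sin(dLon/2)
	return 2 * earthRadiusKm * math.Asin(math.Sqrt(h))
}

// impossibleTravel flags a pair of accesses whose implied speed exceeds maxKmh
// (900 km/h is roughly airliner speed, so anything faster is not one person moving).
func impossibleTravel(prev, cur accessEvent, maxKmh float64) bool {
	hours := cur.At.Sub(prev.At).Hours()
	if hours < 1.0/3600 { // same second, or clock skew: treat as one second
		hours = 1.0 / 3600
	}
	return haversineKm(prev.Loc, cur.Loc)/hours > maxKmh
}

type decision struct {
	Allow   bool
	Reasons []string
}

// decide runs on every access request, not only at first login: posture is re-read and the
// behavioural signal is re-checked each time (never trust, always re-verify).
func decide(p posture, prev *accessEvent, cur accessEvent) decision {
	reasons := evaluatePosture(p)
	if prev != nil && impossibleTravel(*prev, cur, 900) {
		reasons = append(reasons, "impossible travel since previous access")
	}
	return decision{Allow: len(reasons) == 0, Reasons: reasons}
}

func main() {
	// Constructed scenario: a compliant laptop in London at 09:00 UTC, then the same session
	// presents from New York 30 minutes later with the firewall switched off.
	london := accessEvent{At: time.Date(2024, 1, 1, 9, 0, 0, 0, time.UTC), Loc: geo{51.5074, -0.1278}}
	fmt.Printf("first access: %+v\n", decide(compliantPosture(), nil, london))

	drifted := compliantPosture()
	drifted.Firewall = false
	newYork := accessEvent{At: london.At.Add(30 * time.Minute), Loc: geo{40.7128, -74.0060}}
	fmt.Printf("later access: %+v\n", decide(drifted, &london, newYork))
}
```

The design point is that `decide` is stateless apart from the previous access event, so it can be called at every token refresh or resource request rather than only at login; the second call in the scenario is denied for two independent reasons (a drifted posture setting and an impossible-travel signal), either of which alone would be enough to withhold access.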

If you see something, do something

The fourth element of a modern authentication solution is the ability to take action. If the user identity or device becomes compromised or signals indicate a possible problem, the authentication solution needs to stop the potential attacker from using their initial access to gain further access into critical systems and data. Many organizations have implemented tools like zero trust network access (ZTNA) and EDR. A Zero Trust Authentication solution needs to be able to communicate with other security tools in order to drop a network connection or even quarantine suspicious devices. These actions must be available during the authentication transaction and during the continuous user and device checks that need to happen after initial authentication.

Benefits of Zero Trust Authentication

By implementing Zero Trust Authentication, security teams can remove the single largest attack vector currently facing organizations: compromised credentials and weak MFA. Not only can they measurably improve security and compliance, but they can make further savings by eliminating the work associated with resetting passwords and other support activities. Never again will users have the hassle of remembering passwords and the inconvenience of getting accidentally locked out of applications, both at work and at home.

Another advantage of Zero Trust Authentication solutions is that they can be deployed in stages. Security teams can address high-priority areas first to provide early wins and build credibility. Or they can be rolled out enterprise-wide in as little as 60 to 90 days with the right change management program in place. As the US Government has noted, moving to passwordless, phishing-resistant MFA has become an absolute “must have.” Adding a complete Zero Trust Authentication solution that includes device trust, continuous authentication and the ability to take corrective action will help organizations finally shut the front door on adversaries.

All systems go for Zero Trust Authentication

Looking back at the history of passwords and the massive number of breaches they have caused, it’s hard to understand why Zero Trust Authentication didn’t become the standard sooner. With the FIDO2 standard, passwordless and phishing-resistant MFA solutions that work across platforms are becoming widely available. More advanced authentication solutions that meet the zero trust mandate are available from vendors like Beyond Identity. Today everything is in place to significantly mitigate substantial user identity and device risks and to place the onus on technology rather than end users.



Jasson Casey, Chief Technology Officer, Beyond Identity.
