Going Passwordless: A Zero Trust Environment

By Paramesh Vaidyanathan, Skytop Contributor / August 22nd, 2022 

 

Paramesh Vaidyanathan is a software technologist with over three decades of experience. Based in the Seattle area, Paramesh spent 23 years building software and leading teams at Microsoft Corporation. His experience spans platform and infrastructure software (the Microsoft Windows family of products) and developer tools (Microsoft Visual Studio). With an initial focus on local area networking performance and quality, Paramesh went on to lead large engineering teams there. His tenure included five years as one of the key leaders of Microsoft’s India Development Center in Hyderabad, India. Since “retiring” from Microsoft in 2012, Paramesh has spent his time, effort and money working with, advising and investing in software startups in healthcare, education and cybersecurity. He consults through his company, Yenodu LLC, which he co-founded with his wife in 2012. His current focus is on helping companies large and small, particularly in healthcare, become more cybersecurity-aware and ready.

Paramesh has a Master’s Degree in Electrical (Computer) Engineering from Virginia Tech, and a Bachelor’s Degree in Electrical and Electronics Engineering from Anna University, Chennai, India. In his spare time, Paramesh dabbles in gardening, reading and playing bridge. 


Why Zero Trust 

With workplace shifts to support remote users, a hybrid workforce model is now a reality. Businesses must allow access from anywhere while delivering an optimal user experience. Along with application delivery from the cloud, private or public, development teams deliver at an unprecedented pace, forcing the rapid creation of new models to architect, deliver and consume software. Retaining traditional models of implied trust exposes a larger attack surface and makes it easier for attackers to move laterally, quickly and silently. As companies grow, infrastructure is no longer co-located, and interconnections multiply. Connected things (IoT) have more access than they need. Further, any entity or device that is internet-facing poses an immediate risk.

The Old Model 

The old model of implicit trust, built on the assumption of a static, on-premises workforce, is no longer sufficient. Traditional IT maintenance and patching routines cannot keep pace with exploitation by attackers. Consequently, companies are actively looking to move to a Zero Trust security model to protect themselves from the constantly increasing cyber threats they face.

A Strategic Framework 

Zero Trust is a strategic framework that protects against identity- and access-based security risks by requiring all users, inside and outside the company’s network, to be authenticated, authorized and continuously validated for security configuration before being granted access to any resource. Instead of checking access rights only at the network perimeter, Zero Trust authenticates and validates users and devices across the network and at endpoints. This gives applications and data explicit protection against new and emergent threats. In other words, users or devices are not guaranteed access to any data simply because they are inside an enterprise perimeter or on a trusted network.

Why Passwordless 

Deploying a Zero Trust architecture streamlines authentication through multi-factor authentication (MFA), with a focus on “who you are” rather than “where you are”. A founding principle of Zero Trust is never to trust but always to verify every attempt to access a resource, whether the attempt comes from inside the network or outside. Going passwordless is one of the most important operating requirements of Zero Trust.

Dozens of Passwords 

It is an alarming fact that most users have dozens of passwords — according to a study conducted by NordPass, the average person has 100 passwords, and a whopping two-thirds of us reuse them often. Despite the best efforts of IT departments, many employees don’t change their passwords, placing the company in grave danger. Enter passwordless authentication.

Authenticate and Validate 

Passwordless authentication lets users access resources on the corporate network using something they have (e.g. a USB device, a fob or a cellphone) and something they are (e.g. an iris or a fingerprint). By adding something the user knows (e.g. an email ID or a mobile number), the system can authenticate and validate the user without a password, in a way that is both more secure and less cumbersome (no recalling the right password out of 100, no mistyped passwords, etc.). Moving to passwordless authentication also lifts from the IT department the burden of constantly managing and resetting passwords.

Some alternative authentication mechanisms to using passwords are: 

  • Biometric verification: fingerprint readers, iris scanners.

  • Digital certificates: cryptographic files stored locally on the machine or device.

  • Multi-factor authentication: multiple layers of authentication using “what you have”, “what you are” and “what you know”.

  • Using social media: Google or Facebook IDs to authenticate with a third-party service.

  • Push notifications: a token sent to the user’s device or phone.

Barriers to Entry into Passwordless Authentication 

A 2021 Cybersecurity Insiders survey found that 48% of companies had not implemented passwordless authentication, with almost a quarter of them still needing convincing about going passwordless. A lack of available technical skills was cited by two-thirds of the companies as a reason for the delay in adopting a passwordless environment.

Modern applications and cloud-hosted offerings are more amenable to MFA and going passwordless. But because authentication across the industry remains fragmented, with poor interoperation across major software vendors, vendors of individual platforms and services find it a challenge to offer all the MFA options a consuming organization might require in order to go passwordless itself.

Existing legacy applications were not coded to be compatible with MFA or passwordless authentication. The effort to recode them will take time, money and skills. But to truly secure themselves, their customers and their reputations, organizations need to find the resources to fully adopt a passwordless, Zero Trust architecture.

Where to Start 

New standards like WebAuthn aid passwordless authentication by storing sensitive information (the “private key”, like a biometric) on the local device and sending only a “public key” to the server. This allows verification to be done locally with the public key, removing the need to store information like biometric data or passwords on servers. In this scenario, instead of a password, the local device creates a unique pair of keys: one public (e.g. username or email ID) that is sent to the server, and the other a private key (e.g. fingerprint) that stays on the device. During login, the only thing that happens is that the local device uses the public key to verify, without sending anything out to the server, that the user is actually who they say they are. Since only the private key (that is part of the unique pair) can produce a valid signature, only a device that can produce that specific private key can pass the check and be granted access to the resource.

Foundational Components 

Multiple foundational components are required to architect a Zero Trust enterprise, including keeping software updated, multi-factor authentication, leveraging modern hardware features, and putting policies in place for device trust. The switch to passwordless in a Zero Trust environment, both of which are newer trends, should be phased in, focusing on the scenarios most relevant from the company’s perspective.

  • Since the use of passwords has been entrenched in organizations for decades, enhancing credentials with additional layers over existing passwords (e.g. MFA) is a good start.

  • Define and enforce access security policies including segmenting networks and using application-aware defenses.  

  • Automate credential management and fine-grained access control. Alternatively, use tiered administrative access, in which each higher tier provides additional access but is limited to fewer personnel.

  • Create procedures to securely reset credentials. 

  • Define one access management provider that can integrate sign-in across multiple providers (Single Sign-On). Redistribute sign-in for geographically distributed resources to the cloud, or to an on-premises solution that requires additional hardware.

  • Educating users on the risks of staying with passwords and creating a willingness to switch to a passwordless environment is critical.  

  • Making these changes before the switch to passwordless will gradually reduce users’ dependence on passwords.
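An added example, not from the article, of how the “never trust, always verify” principle from “A Strategic Framework” and the tiered access and device-trust items in the list above translate into a policy decision point: the assurance levels, resource tiers, patch-age limits and account names are hypothetical values, and the request’s source network is deliberately carried but never consulted.

```javascript
// Added example, not from the article: a minimal Zero Trust policy decision
// point. Identity assurance and device posture decide; the source network
// is present on every request but is never read.
const ASSURANCE = { password: 1, mfa: 2, passwordless: 3 }; // hypothetical levels

// Hypothetical tiered resources: each higher tier demands stronger
// assurance and a tighter device posture, so fewer people will qualify.
const TIERS = {
  general: { minAssurance: 'mfa', managedDevice: false, maxPatchAgeDays: 90 },
  internal: { minAssurance: 'mfa', managedDevice: true, maxPatchAgeDays: 30 },
  admin: { minAssurance: 'passwordless', managedDevice: true, maxPatchAgeDays: 7 },
};

// evaluate() runs on every request, not once at login, so a session that was
// fine yesterday is re-checked against today's device posture.
function evaluate(request, todayDay = 0) {
  const policy = TIERS[request.resourceTier];
  if (!policy) return { allow: false, reason: 'unknown resource tier' };
  const { session, device } = request;
  if (!session || session.expiresDay <= todayDay) return { allow: false, reason: 'no valid session' };
  if (ASSURANCE[session.assurance] < ASSURANCE[policy.minAssurance]) {
    return { allow: false, reason: `needs ${policy.minAssurance}, session has ${session.assurance}` };
  }
  if (policy.managedDevice && !device.managed) return { allow: false, reason: 'unmanaged device' };
  if (todayDay - device.lastPatchDay > policy.maxPatchAgeDays) {
    return { allow: false, reason: 'device patch level too old' };
  }
  return { allow: true, reason: 'policy satisfied' };
}

// Constructed scenarios; returns the decisions so they can be checked.
function policyDemo() {
  const session = { user: 'alice@example.com', assurance: 'passwordless', expiresDay: 30 };
  const device = { managed: true, lastPatchDay: 0 };
  const onLan = { session, device, resourceTier: 'admin', sourceNetwork: 'corp-lan' };
  const fromCafe = { ...onLan, sourceNetwork: 'public-wifi' };
  return {
    lan: evaluate(onLan).allow,     // true: being on the corporate LAN does not help...
    cafe: evaluate(fromCafe).allow, // true: ...and being off it does not hurt
    passwordOnly: evaluate({ ...onLan, session: { ...session, assurance: 'password' } }).reason,
    byod: evaluate({ ...onLan, device: { managed: false, lastPatchDay: 0 } }).reason,
    dayTen: evaluate(onLan, 10).reason, // same session, patching now stale for the admin tier
    dayTenGeneral: evaluate({ ...onLan, resourceTier: 'general' }, 10).allow, // true
  };
}
```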

Hurdles and an Imperfect Solution 

No solution is perfect, hack-proof, or entirely foolproof. You could lose access to a device or leave something logged in that could put your accounts at risk. Even Face ID and Touch ID can be exploited on sleeping or unconscious individuals, or by creating lifelike facsimiles of the biometric data they are looking for. 

Perhaps the greatest hurdle will be adoption and convincing most people that they are better off letting go of their passwords in favor of a new way of doing things. 

But an imperfect solution is no reason to throw it out altogether. Passwords are outdated and impractical, and it’s time to move on. Two-factor authentication isn’t perfect either, but there are reasons why companies like Apple (and soon Google) mandate it. 

The biggest barriers to passwordless adoption remain time and cost. It takes six months to a year in human hours to recode an application, multiplied by the number of applications in use. It’s a tough uphill battle to finish the job in time to get all users protected, but this is a battle that must be fought. 
