Why you’ll never get to Zero Trust with weak authentication
The security of our digital IDs has never been more important: from cloud services that have kept businesses functioning through the rapid shift to remote working, to providing access to essential consumer services. Yet businesses still put their users and customers through undue suffering, leaving themselves exposed to security compromises.
Username and password authentication is still one of the most widely used methods, yet it fails on both security and user experience. Remembering passwords is painful, and solutions such as MFA and password vaults not only create extra friction for the user but are not as secure as they seem. Password compromises are the number one cause of hacking-related breaches. When it comes to securing our digital IDs, it is time for a rethink.
We invited a group of technology VPs and product directors to discuss their organisations’ approaches to identity protection, covering:
- The right way to authenticate
- Frictionless Zero Trust approaches
- The culture requirements for effective security
Rela8 Group’s Technology Leaders Club roundtables are held under the Chatham House Rule. Names, organisations and some anecdotes have been withheld to protect privacy.
About Beyond Identity
Beyond Identity is the first and only company to provide passwordless identity management. The Beyond Identity team is composed of cyber security and identity management professionals who are passionate about restoring digital trust and building a fundamentally secure way to authenticate and authorise users while protecting privacy.
How did we get here?
Our lives are becoming increasingly dominated by digital services. Everything needs an account, and everything requires some form of login credentials. This digital boom was only hastened in the wake of the COVID pandemic with the rise of new digital services and hybrid working. However, alongside this proliferation of digital credentials comes considerable friction and new attack vectors.
Managing these new challenges is no small task and many organisations are looking to rethink their approaches to identity protection.
The A in MFA
Businesses have quickly learned that it is no longer enough to simply ask for a username and password. Strategies such as changing passwords regularly proved ineffective and taxing for users, and where users were taxed, vulnerabilities emerged. Businesses found that longer, more complex passwords that didn’t require changing proved better for the workforce. Focusing on easy adoption also made it easier for developers to get security right.
Whilst offering a more frictionless solution, complex passwords alone are still not enough for effective security. Stolen identities are still the cause of the vast majority of cyber incidents, making the implementation of Multi-Factor Authentication critical for modern businesses. MFA presents no small amount of friction for users, but moving towards greater security and Zero Trust requires that a single point of authentication can never be trusted. MFA implementation could be limited to only high-risk elements or identity requirement profiles, but the challenge remains – how can MFA be made easier? Fortunately, technology is already well on its way to solving this problem.
Frictionless Zero Trust
The core tenet of Zero Trust is simple – never trust, always verify. To avoid user friction, businesses compromise their Zero Trust for ease of use, but modern MFA doesn’t have to require friction. Secure biometrics are more easily accessible, and high levels of trust can be quickly ascertained with public-key cryptography. By quickly establishing trust through more secure means, the friction of MFA can be mitigated. If businesses were able to shift the work of authentication onto the users’ machines, however, then frictionless approaches would become a reality.
If MFA verification sat on the users’ machines, any number of checks could be put in place to quickly establish a high-trust authentication without troubling the user once. When and where is this machine connecting from? Is this expected? Are certain device settings on? If any of these checks fail, then organisations can fall back on traditional MFA.
To this end, businesses have also started leveraging active monitoring to develop more flexible, holistic approaches to verification. For example, if a user was travelling to a country that was considered high risk for device theft or confiscation, security measures could be actively adapted to account for that, in turn allowing for less friction within more secure environments. Seamless and frictionless authentication should be the goal for most users, but ultimately, friction should always be placed where it is needed.
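The device-side checks and the risk-adaptive fallback described in the two paragraphs above, as an added illustration that is not Beyond Identity’s or any participant’s code. The policy parameters, the posture signals and the sample sign-ins are all constructed; the device-key check is assumed to have been performed already by a separate possession proof.

```python
from dataclasses import dataclass

# Assumed policy parameters (constructed for this example).
EXPECTED_COUNTRIES = {"GB", "DE"}   # where this user normally signs in from
HIGH_RISK_COUNTRIES = {"ZZ"}        # placeholder code for a theft-risk country
WORK_HOURS = range(7, 20)           # 07:00-19:59 device-local time


@dataclass(frozen=True)
class SignIn:
    device_key_verified: bool  # device-bound private key proved possession
    disk_encrypted: bool       # required device setting
    screen_lock_on: bool       # required device setting
    country: str               # ISO country code the request arrives from
    hour: int                  # device-local hour of the request


def evaluate(s: SignIn) -> tuple[str, list[str]]:
    """Return (decision, reasons): 'allow' (silent passwordless sign-in),
    'step_up_mfa' (fall back to traditional MFA) or 'deny' (no trusted
    device, so there is no possession factor to build on)."""
    reasons: list[str] = []
    if not s.device_key_verified:
        return "deny", ["device key not verified"]
    # "Are certain device settings on?"
    if not s.disk_encrypted:
        reasons.append("disk encryption off")
    if not s.screen_lock_on:
        reasons.append("screen lock off")
    # "When and where is this machine connecting from? Is this expected?"
    if s.country not in EXPECTED_COUNTRIES:
        reasons.append(f"unexpected country {s.country}")
    if s.hour not in WORK_HOURS:
        reasons.append(f"unexpected hour {s.hour:02d}:00")
    # Friction placed where it is needed: a known high-risk location forces
    # step-up even when every posture check passes.
    if s.country in HIGH_RISK_COUNTRIES:
        reasons.append(f"high-risk location {s.country}")
    return ("step_up_mfa" if reasons else "allow"), reasons


# Constructed sample sign-ins.
OFFICE = SignIn(True, True, True, "GB", 10)
TRAVEL = SignIn(True, True, True, "ZZ", 10)
LAX = SignIn(True, False, True, "DE", 23)
UNKNOWN = SignIn(False, True, True, "GB", 10)

if __name__ == "__main__":
    for name, s in [("office", OFFICE), ("travel", TRAVEL), ("lax", LAX), ("unknown", UNKNOWN)]:
        print(name, *evaluate(s))
```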
Protecting your ‘home’
When thinking about where you need friction, what should be most protected and how, it is helpful to consider your security as if you were protecting your home in a bad neighbourhood. Putting all your effort into protecting your front door doesn’t mean a lot if your ground floor windows are open. In turn, ensuring that high walls are placed around your house isn’t helpful if someone manages to get beyond those walls to find your home unlocked.
The obvious desire is to protect everything with high walls and locks on every door, but would you be able to exist in a home where every door needs to be unlocked and locked behind you? Instead, organisations need to focus on what they want to be protected most and be aware of what windows and doors are open.
Security culture
A company’s willingness to embrace Zero Trust and the security measures that come with it all comes down to culture. A more mature security culture makes it easier to implement the less user-friendly measures as the importance behind it is understood. Without a strong security culture, security teams will face constant pushback from users and business leaders for impeding the business.
Security teams need to work with business leaders to effectively communicate the risk profile and come to an agreement on how security and ease-of-use will be balanced moving forward. Getting business executives on-board is essential for the top-down culture shift required for modern security implementations.
The path forward
As companies move off-prem and onto cloud platforms, many are starting their Zero Trust journey. There has always been a trade-off between user experience and security, but modern technology is making great strides towards enabling frictionless yet secure experiences. That said, there will always be a requirement for some degree of friction within a business, and understanding where that needs to be is vital to balancing user experience with security.
Zero Trust security isn’t something that can be solved with the flick of a switch; it will take time and investment. So, while working towards Zero Trust and fostering a culture of security within your business, it is important to remember that even skilled hackers can be effectively frustrated with good identity management, detection, system hardening and network segmentation.