This year’s KuppingerCole European Identity and Cloud conference saw several talks about Zero Trust Models and Passwordless Authentication.
In cyber security it is no longer enough to lock your front door and all of your windows: the bad guys are now ‘coming down the pipes’!
To use X-Files parlance, ‘Trust no one’, not even if they are already inside your perimeter. Continuously verify who the user is and authorise each request on its merits, remembering that trust based on network location or a weak proxy for machine identity (e.g. an IP address reached through a VPN) is no longer sufficient. Good Identity and Access Management (IAM) is critical in providing the identity data and policies that drive these trust decisions.
Bill Gates was right!
In 2004, Bill Gates said, ‘passwords cannot meet the challenges of keeping critical information secure’. And he was right. The often-quoted figure, from Verizon’s 2017 Data Breach Investigations Report, is that 81% of hacking-related breaches involved stolen or weak passwords.
After all, a password is a ‘shared secret’: both you and the service hold a copy, so it can be lost at either end. Passwords are often hard to remember, and can be phished, stolen, guessed and brute-forced. And for that matter, do you really trust the service or identity provider to ‘do the right thing’ with your password? Facebook and Google both have a history of storing passwords in plain text, while others have used weak, fast hashing algorithms without salts.
Even multi-factor authentication is weak if the factors themselves are weak. For example, one-time passwords (OTPs) can be phished and relayed in real time, SMS codes can be intercepted, and social engineering of mobile operators can be used to ‘SIM swap’ a victim’s phone number to an attacker’s handset.
A world without passwords
In 2013, the Fast IDentity Online (FIDO) Alliance was launched to replace passwords with open authentication standards: first Universal 2nd Factor (FIDO U2F), a strong second factor used alongside a password, and later FIDO2 (the W3C WebAuthn API plus CTAP2), which allows fully passwordless sign-in where the possession of the authenticator and a local PIN or biometric together form the factors. Importantly, mainstream browser support for both FIDO U2F and FIDO2 passwordless has improved considerably in the last few years. As of 2021, only Firefox is left slightly behind the curve.
Passwordless, you said? At its core, passwordless authentication is public-key cryptography: the user’s public-private key pair is generated and held by a compatible authenticator, rather than a secret being shared with the server.
Broadly speaking there are two types of authenticator: platform authenticators and roaming authenticators. Platform authenticators are built into the device, for example a Trusted Platform Module (TPM) or a vendor-specific secure subsystem such as Apple’s Secure Enclave or Google’s Titan chip. Roaming authenticators are separate devices that connect over USB, NFC or Bluetooth, such as a hardware security key.
The private key never leaves the authenticator; the public key is sent to the relying party once, during the registration ceremony. To authenticate, the user first verifies themselves to the authenticator locally (PIN or biometric), and the authenticator then signs a fresh, random challenge issued by the relying party, with the browser binding the web origin it is actually on into the signed data. The relying party verifies the signature using the registered public key, which is why a look-alike phishing site cannot obtain a usable response and a captured response cannot be replayed. Importantly, a leaked public key is of no use to an attacker: it can only verify signatures, not produce them, and producing one requires the private key that never left the device.
Putting out fires
Of course, a move to a passwordless model is not without its own security challenges. Password-based account recovery (which quietly reintroduces the password as the weakest link), man-in-the-middle attacks during registration, and logging in from different devices all need to be considered. That is, however, the topic of another day and another blog post!
In a world where we should trust no one, strong authentication such as passwordless systems is key to building zero trust models.
Want to learn more? Check out our blog on NCSC’s guidance for Zero Trust Design Architecture Principles. You can also learn more about Zero Trust and Remote Access, with thanks to Jisc’s Cloud and Cyber Security teams.