Despite their weaknesses, many organizations continue to rely on a fundamentally flawed traditional security approach that exposes their systems, their data, their users, and their customers to significant risk. Yes, I’m talking here about passwords.
While password practices may have remained a security staple over the decades, the proliferation of digital services offers rich pickings for cybercriminals. Using various methods to gain access to digital accounts, cyber criminals typically target passwords to conduct an attack or account takeover. That’s because passwords are easy to steal and share.
In response, organizations are exhorting users to be ever more vigilant and security-aware: urging them not to click on phishing links, to watch out for social engineering attacks and illicit push notifications, to create “longer and stronger” passwords and not to reuse the across application.
It’s a tactic that, unsurprisingly, is proving highly ineffective, as demonstrated by the continued use of stolen credentials to execute successful ransomware and account takeover attacks.
Removing the burden from humans
Regardless of vigilance, the unsophisticated attacks that cybercriminals use are still effective. Combine this with the development of generative AI technologies like Chat GPT, and attackers can develop convincing phishing emails at an unprecedented scale.
They’ve also found ways to bypass first-generation multi-factor authentication (MFA), such as one-time passwords, magic links, and push notifications. Utilizing phishing-as-a-service offerings and open-source phishing kits, they are launching attacker-in-the-middle attacks designed to steal passwords and bypass traditional MFA on an industrial scale. So much so that, according to Verizon, 81 percent of hacking-related data breaches in 2022 resulted from weak or stolen passwords. In other words, today’s hackers don’t break in; they log in.
This should sound alarm bells for organizations everywhere. Alongside customers and employers, today, their extended ecosystems feature contractors, remote and mobile workers, supply chain partners and more. All of whom use passwords to log in and access online services and resources.
Clearly, it’s time to take the burden of secure authentication away from users and do it in a way that renders stolen credentials and MFA bypass attacks useless. Instead, a passwordless and phishing-resistant authentication approach is needed to deliver all the necessary protection to counter the most popular attack vector cyber criminals use.
Zero Trust Authentication (ZTA): the basics
ZTA is a new approach to authentication that eliminates weak authentication factors like passwords and first-generation MFA.
Authenticating users utilize multiple strong authentication factors, including cryptographic passkeys and biometric (fingerprint and facial recognition) capabilities built into today’s modern endpoint devices to validate user identity.
Architected to counter attacker-in-the-middle attacks, where adversaries use a proxy to steal credentials or an access token, ZTA also uses proven asymmetric cryptography to bind a user’s identity with the device. Private keys are stored in Trusted Platform Modules (TPMs or Secure Enclaves) designed specifically for this purpose. This avoids giving attackers access to credentials that can be used to gain access from anywhere. It also eliminates the risk of a valid user logging in from an unauthorised or compromised device, like a customer or contractor. For example, a device located in a hotel lobby or internet café. Zero Trust Authentication also provides “verifier impersonation protection””” to stop the use of an adversary in the middle, proxy-based attack. It leverages techniques to ensure that the service requesting the authentication only originates from the domain an agent can cryptographically prove is valid.
User identity is just one element of the zero trust equation. To ensure that endpoint security controls are configured and working at the time of authentication, ZTA also continuously assesses the security posture of devices for compliance with enterprise security policies. For example, checking whether the lock screen, local PIN code and biometrics are enabled, the firewall is on, and the hard drive is encrypted. They are basically checking whether the device is appropriately secure to be granted access to the service or application.
Zero trust includes incorporating risk signals from other commonly implemented security tools, such as mobile device management (MDM) and endpoint detection and response (EDR). All of which ensures that only authorized and appropriately secured devices can access systems, apps, and data.
Never trust, always verify — and re-verify
The work shouldn’t stop once the user and their device have been authenticated and granted an access token that could potentially remain valid for hours or even days. End users can alter their security settings or get tricked into installing malware that changes these settings and introduces a backdoor to their device.
Solutions featuring Zero Trust Authentication continuously re-assess risk and validate trust in the user identity and their device security. Rather than relying on one-time authentication, ZTA employs ongoing monitoring to check user behavior signals and device security settings constantly. It also interacts with security software tools and solutions — mobile device management, endpoint detection and response and zero trust network access — to capture the risk signals that may indicate a potential problem.
Lastly, ZTA includes the ability for automated responses to respond quickly when an identity or device is compromised by dropping a network connection or quarantining a suspicious device. This cuts potential attackers off before they can access critical systems and data and reduces the risk of them being able to conduct lateral attacks.
It’s time to commit to ZTA
While implementing ZTA may require a cultural shift in an organization’s cybersecurity and identity management approach, shifting to ZTA is becoming an absolute must-have for organizations that want to enable a proper zero trust security framework.
Alongside protecting customers and employees from everyday attacks, ZTA also elevates the security posture of organizations that must comply with the increasingly stringent authentication standards set out by bodies such as NIST. Additionally, today’s ZTA solutions can be rolled out in as little as 60 to 90 days.
The question for organizations now is when, not if, they move to passwordless and phishing-resistant MFA that finally shuts the door on all credential-based attacks.
Image credit: Olivier26/depositphotos.com
Jasson Casey is Chief Technology Officer at Beyond Identity
