Zero-Trust is a security framework that defines how users inside and outside an organization must be authenticated. This means that in an organization, measures must be taken continuously to assess when and how users can access applications and data.
This is always an uphill battle because security usually comes at a price: convenience, especially where passwords are concerned. Passwords are an essential part of a Zero-Trust concept, so the goal should be to balance your Zero-Trust with convenience for users, limiting the inefficiencies that security causes throughout the organization.
Security departments/System admins regularly receive password-related questions from users. Some frequent questions:
- Why do my passwords have to be this complicated?
- Why do I have to change my passwords every 14 days?
- Why can’t I use the same password?
- I forgot my password: can you reset the password?
It is understandable that these questions are asked, and the effort a user must spend to comply with strict internal password policies can be excessive. Often it leads to users getting annoyed when they must change their password yet again, and they are right to be. Passwords make a Zero-Trust program slower, more expensive, and less effective.
In this post, I want to show you how you can improve efficiency by eliminating passwords while keeping your Zero-Trust framework in check. I will explain how innovative technology (FIDO2) works and why this can be an answer to all the challenges that organizations are currently dealing with regarding passwords.
The key role of passwords in Zero-Trust
Modern technologies verify the identity of users and strive to maintain system security. The Zero-Trust (ZT) framework itself is based on one concept: trust no one. One of the key reasons for a lack of trust is passwords.
Passwords are shared, stolen, reused, and replayed. A password is the favorite target of a cybercriminal. All kinds of products have been developed to compensate for the shortcomings of passwords and although passwords are not the only reason for a reduction in trust, they are the most expensive. The following tools are used to protect a password-based environment:
- Phishing Awareness Training programs
- Endpoint Protection
- Multi-Factor Authentication (MFA)
- Automated Attack Prevention and Detection tools
- Fraud Detection Tools
- Password Managers and/or Password Training
- Privileged Access Management
- Identity Governance
- Risk-Based Policy Management
- Credential-Based Threat Intelligence
- One or Many Identity Providers
- Device Visibility & Analytics
Most companies already have more than one of these tools up and running to get their ZT framework going, but this does not remove the password problem from the equation. Passwords make it even harder to get a ZT framework going: a password-based environment negatively impacts a Zero-Trust program because every password requires additional security measures around it. This is one of the main problems for most organizations: they still depend heavily on passwords and the shared secrets behind them.
Therefore, organizations should try to completely remove passwords from their ZT framework. This sounds a bit daring when stated this boldly, but when you dive more deeply into a passwordless Zero-Trust framework it will make more sense. In the remaining part of this blog, I will show you how you can work towards a passwordless Zero-Trust environment, based on current technological developments: WebAuthn and the Client-to-Authenticator Protocol (CTAP).
WebAuthn
WebAuthn is an API (Application Programming Interface) that integrates strong authentication into applications. It has been implemented in all leading browsers and platforms, based on the World Wide Web Consortium (W3C) global standard for secure authentication. This means that services running on browsers and platforms that support WebAuthn can be signed into using authenticators such as security keys or built-in platform authenticators such as biometric readers. Examples of this are Facebook, Instagram, Microsoft, Google, and Apple.

During authentication, users verify their identity by demonstrating to the relying party (the web application, via the web browser) that they hold the private key. The relying party may also use attestation to check that the authenticator is a genuine product from a trusted manufacturer.
The private key is generated and stored inside the authenticator and never leaves it, so it cannot be copied by malware or taken from a server breach. Only the public key is sent to the server. In this challenge-response protocol, the user proves to the server that they hold the private key by signing a fresh challenge each time the system checks their identity.
Client to Authenticator Protocol (CTAP)
CTAP is a specification describing how an application (e.g. a browser) and an operating system (i.e. the platform) establish communication with a compliant authentication device over USB (Universal Serial Bus), NFC (Near-field communication), or BLE (Bluetooth Low Energy).
CTAP is split into CTAP1 and CTAP2:
- CTAP1 enables an external and portable authenticator (such as a hardware security key) to interoperate with a client platform (such as a computer).
- CTAP2 is responsible for the external factor, such as a security key, communicating with the website or account using the authenticator. An authenticator that implements CTAP2 is called a FIDO2 authenticator (also called a WebAuthn authenticator). If that authenticator implements CTAP1/U2F as well, it is backward compatible with U2F.
The FIDO Alliance and FIDO2
The FIDO (“Fast Identity Online”) Alliance is an open industry association that launched in February 2013. Its stated mission is to develop and promote authentication standards that help reduce the world’s over-reliance on passwords. In collaboration with big tech companies like Microsoft and Google, they developed FIDO2: a passwordless solution based on the two previously described ingredients, WebAuthn and CTAP. The one (WebAuthn) needs the other (CTAP) to get a “closed loop”, hence creating a bulletproof security solution.
FIDO2 works like a “chain of trust”: you can trust a certain device because it has already been logged in and registered to the account. This means that you no longer rely on something you know, which can be shared, phished, or distributed; instead you rely on something that you have in your possession, which proves that you are you. For this, you can use a phone or hardware 2FA (2-factor authentication) security keys that support FIDO2.
Putting FIDO2 into practice: working passwordless
Modern phones do not use passwords to get access. You use a PIN or biometrics (FaceID or a fingerprint) to get access to the data on your phone. Facebook has the functionality to log in by the FIDO2 principle.
Now let us take Facebook as an example. You need a username and a password to log into Facebook. In the past, many usernames and passwords have been stolen which meant that people could pretend to be you. With FIDO2 this is almost impossible.
- The username is replaced by your device: a telephone or authenticator key that is registered to your account.
- The password is replaced by physical access to your telephone or authenticator, confirming the login with a PIN or a biometric signature on your device (FaceID or fingerprint).
This means that no username and password can be leaked, because they do not exist.
Now imagine a cybercriminal wants to get access to your Facebook account. This person cannot obtain your credentials through leaks: a username and a password combination do not exist. Instead, this person needs to have your physical device/authenticator key and your PIN or biometric signature to get access. Although this is possible, the chance that this happens is dramatically reduced.
This also makes the need for complicated passwords obsolete. Microsoft provides a clear diagram that shows the security of different authentication methods and their convenience:

How I integrated a Passwordless approach in my personal life
I have been slowly integrating passwordless functionalities into my daily routines:
- I installed Microsoft MFA, approving access through my telephone by confirming access requests with my fingerprint. My e-mail account has been set as passwordless, so when I want to access my mail I enter my e-mail account and after that I need to confirm it with the Microsoft App on my telephone.
- I integrated my bank card with the wallet on my phone. This is a classic example of working passwordless and of how convenient this is. To pay, a device is required (1), and the second step of this 2FA process is accessing your Apple Pay wallet and confirming the payment with your PIN, FaceID, or fingerprint. I always use a biometric signature myself to avoid someone obtaining my device and stealing my PIN by (for example) shoulder surfing. I have not used my physical bank card to pay since I switched to payment by NFC.
Tips/advice and why I prefer a biometric signature over a PIN
Personally, I would use a biometric signature instead of a PIN. When you use a PIN, it is important to be aware that people can still get access to your information if they obtain your device and then get access through a code or device pattern that they obtained from you personally. This can be done by social engineering. Tips from my side when switching to working passwordless:
- Always keep your device close and immediately disable it when you lose it so nobody can get access. Set up a small plan that can be executed immediately in case you lose your device. Do a “dry run” to make sure that this works.
- Use a biometric signature instead of a PIN.
- In case you want to use a PIN, always look if someone is close to you when entering your PIN.
- Log in with your fingerprint instead of a PIN (it prevents someone from spying on your PIN if you log in with a fingerprint).
- Install the Microsoft Authenticator on your device and set up a free Microsoft account. After that, configure your account as “Account without password” in the Extra Security section of your Microsoft account. If you already have a Microsoft account, make sure to select the “Account without password” option. One warning: phishing by mass spamming MFA pop-ups is getting more popular. So if you receive a pop-up from your authenticator asking for a confirmation, you should count to ten and think very hard about whether you sent the request. You would not be the first victim to run into this trap.
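The last tip above is the user's side of the MFA pop-up spam problem; on the organizational side the same pattern is visible in the identity provider's logs. The following is an added example, not code from the original post or from any vendor: a small detector, run over constructed sample log lines, that flags a user who receives a burst of push prompts that are denied or time out, and notes whether an approval followed the burst. The log format, the field names and the threshold are assumptions for this example.

```javascript
// Added example, not code from the original post: a small detector for
// MFA push-notification spam run over constructed sample log lines. The log
// format, field names and the threshold are assumptions for this example.
const SAMPLE_MFA_LOG = [
  '2022-05-01T08:00:02Z user=alice event=push_sent result=approved ip=203.0.113.10',
  '2022-05-01T09:14:00Z user=bob event=push_sent result=denied ip=198.51.100.7',
  '2022-05-01T09:14:20Z user=bob event=push_sent result=timeout ip=198.51.100.7',
  '2022-05-01T09:14:45Z user=bob event=push_sent result=denied ip=198.51.100.7',
  '2022-05-01T09:15:10Z user=bob event=push_sent result=timeout ip=198.51.100.7',
  '2022-05-01T09:15:30Z user=bob event=push_sent result=denied ip=198.51.100.7',
  '2022-05-01T09:16:05Z user=bob event=push_sent result=approved ip=198.51.100.7',
  '2022-05-01T11:30:00Z user=carol event=push_sent result=denied ip=192.0.2.44',
];

// Parse one "timestamp key=value key=value ..." line into an object.
function parseMfaLine(line) {
  const [ts, ...pairs] = line.trim().split(/\s+/);
  const rec = { ts: Date.parse(ts) };
  for (const pair of pairs) {
    const [key, value] = pair.split('=');
    rec[key] = value;
  }
  return rec;
}

// Raise one alert per user whose sliding window of `windowMs` contains at
// least `threshold` prompts that were denied or timed out. An approval that
// follows such a burst is reported too, because it may be a worn-down user
// finally tapping "approve" on a request they never made.
function detectPushSpam(lines, { threshold = 4, windowMs = 5 * 60 * 1000 } = {}) {
  const byUser = new Map();
  for (const rec of lines.map(parseMfaLine)) {
    if (rec.event !== 'push_sent') continue;
    if (!byUser.has(rec.user)) byUser.set(rec.user, []);
    byUser.get(rec.user).push(rec);
  }
  const alerts = [];
  for (const [user, recs] of byUser) {
    recs.sort((a, b) => a.ts - b.ts);
    let start = 0;
    for (let i = 0; i < recs.length; i++) {
      while (recs[i].ts - recs[start].ts > windowMs) start++;
      const burst = recs.slice(start, i + 1);
      const unapproved = burst.filter((r) => r.result !== 'approved').length;
      if (unapproved < threshold) continue;
      const approvedAfterBurst = recs
        .slice(i + 1)
        .some((r) => r.result === 'approved' && r.ts - recs[i].ts <= windowMs);
      alerts.push({ user, prompts: burst.length, from: recs[start].ts, to: recs[i].ts, approvedAfterBurst });
      break; // one alert per user is enough for this example
    }
  }
  return alerts;
}
```

On the sample lines only bob is flagged: four unanswered or denied prompts within about a minute, followed by an approval shortly afterwards, which is exactly the sequence a help desk should call the user about. The threshold and window are deliberately parameters, since a sensible value depends on how often legitimate prompts time out in your environment.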

Final Thoughts
The major big tech companies (Google, Microsoft, and Apple) are working hard to deploy a passwordless solution. To do this, they all cooperate with FIDO2, and Google already announced that they will fully support working passwordless over this year (2022).
I hope that I could provide some inspiration by sharing the basics of a passwordless ecosystem and how you can integrate it into your own personal life. If you instate Zero-Trust in your personal life first, by starting with a passwordless ecosystem, it is easy to adopt it at an organizational level as well: the concept is the same.
Feel free to contact me if you have any questions or if you have any additional advice/tips about this subject. If you want to keep in the loop if I upload a new post, do not forget to subscribe to receive a notification by email.
And remember that the only people in the world who love passwords are hackers.