Not very long ago, the term authentication was synonymous with a password or multi-factor authentication (MFA). Setting up a firewall around a network's perimeter was a primary expectation for IT. However, today's tech ecosystem is complex and stretches across distributed workforces with BYOD policies and multiple cloud environments. The ability to recognize and authenticate identities of people, processes and devices throughout the enterprise using traditional methods is challenging at best.
If authentication is not done properly, it becomes a loophole attackers will exploit.
Where there is a password, there is a risk of password compromise. To create a layered defense, many organizations lean towards MFA to make unauthorized access more difficult for bad actors. The idea that MFA is more secure than a password alone drove its widespread adoption; however, many of the MFA methods in common use can be bypassed as well.
Passwords and MFA may have provided sufficient security for enterprises in the past, but it's clear that today's threat landscape requires a more robust solution. Today’s enterprises require a solution that is easily deployed and that effectively secures the perimeter-less enterprise. The gold standard for authentication and encryption is digital certificates based on public key infrastructure (PKI).
Passwords Give a False Sense of Security
Did you have a clubhouse or fort when you were young, and for someone to enter, they had to tell you a secret password? Friends would whisper the password to each other until all your approved buddies could gain entry. It may have started that only you (the guard) and one friend had the password, but it would not be long before it was known throughout the neighborhood. Likely your fort was infiltrated by little brothers and sisters who somehow learned the password, and you would have to change the secret. This scenario would play out again and again.
That was a fun child’s game, though highly ineffective from a security perspective.
Using passwords for authentication is the same idea. For passwords to work, you must have a shared secret: something that is known to both parties. That creates an inherently dangerous problem on a few fronts. For starters, people tend to forget passwords. To make passwords easier to remember, users may store their passwords in a vulnerable file, create passwords using a consistent pattern, or use the same password again and again. All kinds of problems stem from this. If a password is uncovered on one service or from an unprotected spreadsheet, a bad actor can use that same password to access a high-value network, such as a corporate service or your bank account.
Not only are passwords easy for today’s hackers to steal, but they also provide a horrible user experience and are a costly help desk burden. And that is just the human side of the problem.
Password security suffers from a legion of technical problems. For example, if your machine has been infected with key logger malware, the malware can gather all typed data, including passwords, and send them back to the bad actor. Captured passwords are sold and purchased in the underground economy, which can lead to all sorts of mayhem.
Password-based authentication is easy to implement and pervasive but is a very weak form of authentication.
Multi-Factor Authentication, or Tell Me Two Secrets and I'll Let You In
MFA is often treated as the fix for passwords; however, most MFA deployments keep the password as the first factor. In addition to remembering a password, users must present a second proof of identity, typically a mobile push notification (e.g., “Did you just log in near Metropolis?”), an automated phone call, or an SMS message carrying a one-time password (OTP), which adds to the burden on users. But, in the name of cybersecurity, that is an acceptable ask. Right?
Perhaps. If it solved the risks associated with passwords.
Layering MFA on top of a password does not remove the password's risks: the password can still be phished or intercepted, and several of the common second factors can be too. NIST's Digital Identity Guidelines restrict SMS and voice one-time codes as authenticators, and the FBI has warned that attackers routinely bypass widely used MFA methods.
Consider text messages as the second factor. A bad actor who talks a carrier into porting the victim's phone number to a SIM they control (a SIM swap) receives the victim's OTPs from then on. For a capable attacker, SMS codes are straightforward to intercept, and they add little security over a password alone.
Push notifications and other non-SMS factors don't fare much better. Attack methods are numerous and evolving. A bad actor can use convincing social engineering to get a user to install a malicious app with screen-recording capabilities, or simply flood the user with push prompts until one is approved by mistake. Or consider adversary-in-the-middle phishing: the user believes they are entering their credentials and OTP on a legitimate website but is actually talking to a reverse proxy controlled by the attacker, which relays everything to the real site and captures the resulting session cookie. With that cookie the attacker is logged in, and the second factor has already been spent.
Neither passwords nor MFA provides adequate defense, and both methods put the burden of authentication on the users.
Defend Your Digital Perimeter with PKI
Certificate-based authentication built on PKI is the strongest and, for the user, the simplest option available for enterprise identity. Rather than sharing a secret, PKI relies on a private key that never leaves the device and a certificate that vouches for the matching public key; the cryptography does the work behind the scenes, so there is nothing for users to remember, type, or be tricked into revealing.
PKI works with an asymmetric key pair: a private key, generated from random data and kept secret, and a public key derived from it that can be shared freely. The two are mathematically linked: data encrypted with the public key can be decrypted only with the private key, and a signature produced with the private key can be verified by anyone holding the public key. Authentication uses the second property. The server sends a fresh challenge, the device signs it with its private key, and the server checks the signature against the public key in the device's certificate, which a trusted certificate authority has signed to bind that key to the device's identity. The private key is never transmitted, so there is nothing to phish, replay, or relay through a proxy. Recovering the private key from the public key is computationally infeasible for the key sizes in use.
The private key stays on the device it identifies: a laptop, phone, IoT device, server, or mail client. Wherever possible it is generated inside, and never leaves, a TPM or hardware security module, so it cannot be copied off the device even if the device is infected with malware or otherwise compromised. One caveat a practitioner should keep in mind: malware running on the device can still ask the hardware to sign while it is running, which is why hardware-held keys are usually gated behind a PIN or user-presence check and why a compromised device's certificate should be revoked promptly. Brute-forcing a properly sized key (for example 2048-bit RSA or a 256-bit elliptic-curve key) is not a matter of decades; it is computationally infeasible, so that avenue of attack simply fails.
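The challenge-response flow described above, as an added Go example written for this page rather than code from the author or from Sectigo: an in-memory enterprise CA issues a certificate over a device's public key, the device proves possession of its private key by signing a server-chosen nonce, and the server verifies the certificate chain and then the signature. Everything here is constructed for illustration: the names (“Example Corp Device CA”, “laptop-0421”), the nonce, the in-memory keys standing in for a TPM and HSM, and the timestamp-based serial numbers.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// keyAndCert generates a fresh P-256 key pair (on real hardware this happens inside
// the TPM) and has signer issue a certificate over its public key; with signer == nil
// the new key signs its own certificate, which is how the root CA is created.
func keyAndCert(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if signer == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// newCA builds the enterprise root; in production its key would live in an HSM.
func newCA(name string) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	return keyAndCert(tmpl, nil, nil)
}

// enrollDevice issues a client-auth certificate binding a device name to a key pair
// that only the device holds. Only the public key is ever shown to the CA.
func enrollDevice(caKey *ecdsa.PrivateKey, caCert *x509.Certificate, deviceName string) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // demo only; real CAs use random serials
		Subject:      pkix.Name{CommonName: deviceName},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return keyAndCert(tmpl, caCert, caKey)
}

// signChallenge is all the device does with its private key at login: sign the
// server-chosen nonce, proving possession without ever transmitting the key.
func signChallenge(key *ecdsa.PrivateKey, nonce []byte) ([]byte, error) {
	digest := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// authenticate is the relying party's side: first check that the presented certificate
// chains to the trusted root and is permitted for client authentication, then check
// that the signature covers this nonce. Returns the authenticated identity.
func authenticate(root, cert *x509.Certificate, nonce, sig []byte) (string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	// KeyUsages defaults to ServerAuth, so client authentication must be requested explicitly.
	opts := x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("certificate not trusted: %w", err)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return "", fmt.Errorf("unexpected public key type %T", cert.PublicKey)
	}
	digest := sha256.Sum256(nonce)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return "", fmt.Errorf("signature does not match challenge")
	}
	return cert.Subject.CommonName, nil
}

func main() {
	// Constructed names for the demo; not taken from the article.
	caKey, caCert, _ := newCA("Example Corp Device CA")
	devKey, devCert, _ := enrollDevice(caKey, caCert, "laptop-0421")
	nonce := []byte("constructed nonce; a real server draws a fresh random one per login")
	sig, _ := signChallenge(devKey, nonce)
	fmt.Println(authenticate(caCert, devCert, nonce, sig))
}
```

Three things in this flow are what make it PKI rather than a bag of trusted public keys, and each is a place where deployments go wrong. The chain check (`cert.Verify`) is what lets the server trust a device it has never seen, because the CA vouched for it; skipping it and trusting whatever public key the client presents is equivalent to no authentication at all. The `KeyUsages` option has to name client authentication, since Go's default is server authentication and a certificate issued for one purpose should not pass for another. And the nonce must be fresh per login attempt: a signature captured by a proxy is worthless against the next challenge, which is exactly the property the reverse-proxy attack on OTPs above lacks. Revocation (CRL or OCSP) is not shown and is the piece that deals with the compromised-device caveat.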
The Connection Between Security and Usability
There is a dynamic between security and usability: the more you try to up the ante on password-based security, the worse usability craters, and the more user exasperation and help desk support you take on as a company. Enforcing strong random passwords also backfires, with users being more prone to write the passwords on a sticky note or save them in a file on their machine.
The best security investment is one that is easily deployed and used by employees. Using PKI, authentication is both ironclad and seamless to end-users. Digital certificates can be easily deployed to every employee device and system using automated tools. Wouldn't it be nice not to have to type in passwords and instead be automatically authenticated and granted proper access? PKI takes us from the stone age of usernames and passwords to a better user experience in terms of authentication.
Alan Grau is VP of IoT, Embedded Solutions at Sectigo, a commercial Certificate Authority and provider of purpose-built, automated PKI solutions. Alan has 25 years of experience in telecommunications and the embedded software marketplace. He is a frequent industry speaker and blogger and holds multiple patents related to telecommunication and security. Before founding Icon Labs, Alan worked for AT&T Bell Labs and Motorola. He has an MS in computer science from Northwestern University.