How Zero Trust Architecture is creating a passwordless society

By Jonas Iggbom, Director Sales Engineering at Curity

The world is finally waking up to a passwordless future. For a long time, passwords have been the main form of authentication for both businesses and consumers, however, they have not been without issue or vulnerability. As we move forward, we can now look towards more secure solutions that facilitate the step away from traditional password-based security.

One of the solutions that more and more businesses are looking towards is a Zero Trust Architecture (ZTA), which requires users to be identified more frequently. This removes the implicit trust and forces users to validate each stage of the digital experience. As this becomes more practical it allows room for alternative authentication methods.

Phasing out passwords

Storing passwords in clear text in a data store that applications can easily read and access is a bad idea. As the application will pass the clear text password between different components in the app, this allows for vulnerability that can be exploited by hackers in order to obtain the password.

While the attraction to traditional passwords is understandable, their easy-to-remember model is a hacker’s dream. Modern computing power can easily be leveraged repeatedly to attempt to re-create the encrypted or hashed version of the password. Hackers can use a dictionary to feed the process with common words, making it even faster to crack trivial passwords. While more complex passwords may seem like a solid temporary solution, their lack of memorability leads to people writing these down, and regardless of where and how that’s done, it’s never a good idea. Password managers serve as an alternative, however they come with their own set of issues. A password manager must be protected somehow, usually with…a password. Password managers also typically require an application to be installed. Lastly, the copy and paste process between the password manager and the target application can be tedious.

Moving towards Zero Trust

Utilising a Zero Trust approach requires frequent identity verification. While all security professionals know that authentication determines a user identity, in a Zero Trust Architecture, services and applications need to verify who is requesting access to a resource at every access attempt.Using passwords would not be user-friendly or time-efficient for this ongoing verification. It requires the user to authenticate repeatedly,which is time-intensive, especially if complex passwords are used. Even with a password manager, retrieving the password from storage would require a lot of time and effort with every authentication.

A token-based approach

Tokens provide the robust authentication service needed to underpin a Zero Trust Architecture. The digital equivalent of a stamp on your wrist as you enter a nightclub that allows you to come and go all night long but becomes invalid the next day, tokens enable enhanced security with a seamless experience.

A token-based approach to authentication can handle all the different types of use cases spanning from users accessing resources to services communicating with other services. It is scalable and highly flexible, allowing security architecture to handle both users and services and to vary the type of authentication required based on the value of the resources being accessed. For example, Multi-Factor Authentication may be required to increase security where super sensitive information is involved, whilst Single Sign On will play an important role in other less serious circumstances to ensure a smoother online experience as possible. This makes tokens the ideal method to use when it comes to API security and access control of microservices.

Tokens also enable organisations to calculate the level of confidence in a given authentication, using additional inputs such as time of day, geo location, or risk score. If the score indicates an unacceptable level of risk, greater alerting, reporting and other additional factors may need to be invoked in order to raise the confidence level of the user’s identity.

The use of tokens paves the way for fundamental frameworks for protecting APIs, such as OAuth and OpenID Connect. OAuth provides the foundation, allowing users to grant a third-party website or application access to their protected resources without necessarily revealing their long-term credentials or even their identity. OpenID Connect is an identity layer that sits on top of OAuth and handles identifying the user. Solutions that support these standards are usually straightforward and easy to integrate, providing several authentication options out of the box.

With the common frustrations of forgotten passwords and poor password practices, passwordless authentication introduces a better, seamless experience eliminating the need for users to rely on the increasingly inefficient use of passwords. And with these solutions, the movement towards a passwordless world has finally gained some momentum. Organisations should move towards gradually implementing a Zero Trust Architecture in order to protect their resources, starting with critical resources and determining the requirements for strong authentication to strengthen their security – whilst, importantly, making the transition smooth for end users. That way, we’ll spend less time trying to remember which year we travelled to Mexico whilst furiously hitting ‘reset password’ and more time enjoying the content we’re attempting to access.