FIDO - Leading the Zero Trust Passwordless Authentication Evolution

Originally published by Thales here.

Written by Gregory Vigroux, PKI Product Line Manager, Thales.

It’s no secret that passwords have become one of the weakest links in enterprise security. Credential compromise is the leading cause of cybercriminals’ ability to gain access to enterprise resources. Zero Trust approaches are crucial in helping modern organisations achieve better security outcomes.

Zero Trust Security

It has recently become a hot buzzword, but what is Zero Trust Security? It’s a new model of security that requires explicit verification for everything, both inside and outside an organisation. The goal of Zero Trust is to combat new threats by following three distinct principles:

• Explicitly verify everything.
• Implement policies based on a “least privilege” access model.
• Every element of a system can be breached.

Ultimately, Zero Trust requires you not to trust anything active within your IT environment, not from a position of paranoia but of taking action based on a devotion to security. Nothing can be trusted.

A Zero Trust approach starts with Multi-Factor Authentication (MFA). A surprising number of organisations have not yet implemented an MFA requirement to access systems and data, yet this is the first step to a true Zero Trust journey.

The Role of Passwordless Authentication

It has become easier than ever for nefarious actors to access valuable company data. While password guessing and brute force attempts are still a risk, cybercriminals no longer need to go through the trouble. They can simply purchase credentials on the dark web and log in as a trusted user to access enterprise resources.

Passwordless authentication was developed to combat phishing attacks, a crucial risk that cannot be ignored. In 2021, a shocking 83% of organisations reported that they had experienced some form of a phishing attack, and one-third of phishing emails are opened by recipients. It is estimated that six billion phishing attacks will occur in 2022.

Microsoft’s Digital Defense Report details this explosion of phishing attacks. End-users open emails or links from nefarious parties, leading to websites that trick users into supplying their credentials and leaving them open to data theft.

Passwordless authentication will aid organisations in achieving a Zero Trust security approach by removing this weak point. Protecting credentials with biometric or secured devices eliminates the risk of human error related to passwords. Textual passwords are replaced with authentication through more sophisticated means such as smart cards.

Where Does FIDO Fit into the Equation?

In the scheme of passwordless authentication, Fast Identity Online (FIDO) was designed from its inception to remove the need for passwords from cloud applications.

Use-cases should always be considered when implementing a security measure. FIDO is particularly valuable when you need a flexible, secure, and smart solution. It supports multiple endpoints, diverse user profiles, and protects numerous assets and resources. FIDO uses physical devices, including USB-connected eTokens, and Smart Cards.

When used in conjunction, Microsoft (Windows Hello) and Thales (contextual and MFA) provide a high level of passwordless security to enterprise environments. Microsoft can delegate authentication to Thales, and, depending on the application or resource your user wants to access, you will be able to select the right authentication method.

How do you Kick Off the FIDO Journey?

Organisations face some challenges when implementing Zero Trust, and it’s crucial to be aware of them before beginning the journey. Microsoft has released a project guide to help organisations get started.

Most organisations have MFA implemented for remote and knowledge-based users. Setting these protocols took time and resource investment, and organisations should not be concerned that they must scrap existing approaches to adopt FIDO.

Recommendations

After identifying your organisational motivations for implementing FIDO, develop your use cases. Understanding your users and their needs will help ensure that you determine the solution that not only suits your organisation, but supports a positive user experience.

If you’re using an on-premises Public Key Infrastructure (PKI) for Windows logons, for example, you can use a combined device from Thales which will enable FIDO security for cloud services. FIDO is a very good extension for PKI.

FIDO is a great solution for physical and logical access. The same smart card can be combined to access network systems, software, and buildings. As FIDO is very easy to deploy for IT departments, it will be easy for users who are accustomed to using an access badge to enter offices and secured spaces. Cards are easy to use and carry, and convenient since they support FIDO, PKI and physical access.

Why FIDO?

FIDO adds Zero Trust security measures and helps to build a robust approach to protect against phishing and other attacks related to user logins. FIDO is particularly attractive for first-line workers who need access to various systems and building areas, and for departments where shared workstations are used. Military, healthcare, and information-centric organisations are using FIDO for this mixed-use purpose to great success and peace of mind.

In an era where remote and hybrid work environments are popular, VPNs are no longer the only access point for logging onto sensitive corporate applications. Passwordless authentication offers a stringent method to ensure access to both on-premises and cloud-based systems are safe from attackers.