Identity has rapidly become an organization’s greatest cyber vulnerability. It’s estimated that 61% of all data breaches in 2022 involved stolen or hacked credentials, while a study by the Identity Defined Security Alliance found 84% of participating organizations had experienced an identity-related breach in the previous 12 months.
With identity in the spotlight, and the major vulnerability that passwords provide, the knee-jerk reaction from organizations has typically been to implement multi-factor authentication (MFA). But traditional MFA solutions rely on factors that have become very easily bypassed by threat actors, often at scale, creating demand for a new subcategory of authentication that removes all the weak factors and incorporates zero trust security principles.
The Rise of Zero Trust in Cybersecurity
In the twelve years since its inception, zero trust has transformed a cybersecurity nice-to-have to a standard best practice. This evolution has only been cemented by the U.S. federal government’s firm stance on zero trust. In May of 2021, following high-profile data breaches at Microsoft, SolarWinds, and Colonial Pipeline, the Biden Administration signed an executive order instructing government agencies and third-party contractors to implement zero trust architecture, cloud services, and MFA within 180 days.
Less than a year later, the Office of Management and Budget (OMB) doubled down on this sentiment by issuing a clear roadmap for government agencies to transition to zero trust security models and phishing-resistant, passwordless MFA by 2024. This second federal announcement highlights a need for a new approach that merges powerful phishing-resistant MFA with a zero trust mindset to function as the foundation of reliable cybersecurity for organizations across industries. Enter Zero Trust Authentication.
The Convergence of Zero Trust and MFA
Zero Trust Authentication fills the gaps left by first-generation MFA solutions that rely on easily phishable factors like passwords, push notifications, and one-time codes. It ensures that all requests to access information and assets are, without exception, intensively scrutinized based on pre-approved user authentication and device trust policies. Any access that is granted is limited to the specific assets required to perform authorized tasks and can be rescinded should user behavior or device security checks fail at any time during the session. In short, Zero Trust Authentication is a foundational ingredient of any zero trust security architecture.
Organizations’ security teams can implement zero trust principles only if they can verify with near certainty the identities of the users and the security of devices requesting access to enterprise resources. Without reliable authentication, they can neither prevent illegal unauthorized access nor understand what resources should be available to the requestor. To be considered a true Zero Trust Authentication solution, the solution should meet seven critical requirements:
- Passwordless - Where there is a password, there is an attack vector for threat actors to exploit, especially as password fatigue runs rampant. Zero Trust Authentication eliminates the use of passwords or other shared secrets which can easily be stolen from users, hacked from databases, or captured on networks.
- Phishing resistant - By utilizing phishing-resistant authentication factors like private keys and biometric information, threat actors have no opening to obtain codes, magic links, or other weak authentication factors through strategies like phishing campaigns and adversary-in-the-middle attacks.
- Capable of validating user devices - Zero Trust Authentication ensures that requesting devices are authorized to access information assets and applications and are bound to an approved user.
- Capable of assessing device security posture - By checking that all appropriate security settings are enabled, and security software is updated and actively running, Zero Trust Authentication can seamlessly determine whether a given device complies with security policies.
- Capable of analyzing many types of risk signals - The explosion of cyber threats in the past five years has created a diverse array of risks. Zero Trust Authentication can ingest and analyze data from endpoints and security and IT management tools, allowing a policy engine to assess risks based on factors like the security posture of devices, user behavior, and the status of detection and response tools
- Continuous risk assessment - A user’s security posture can suddenly change at any point during a session, whether due to account takeover attacks or a stolen device. Through continuous assessment, Zero Trust Authentication can measure and identify risk throughout a session, rather than relying on the initial one-time authentication. Should malicious activity be identified during the user session, the device can immediately be shut down and quarantined until investigation. These automated processes allow for a frictionless user experience by removing the need to constantly ask users to reauthenticate their identity throughout their session.
- Integrated with the security infrastructure - Zero Trust Authentication requires a holistic approach. These tools can integrate with a rich variety of products in the security infrastructure to continually enhance risk detection, accelerate and streamline responses to suspicious activity, and improve audit and compliance reporting.
The Future of Identity Security: Zero Trust Authentication
Zero Trust Authentication is a response to the overwhelming demand for phishing-resistant MFA that aligns with zero trust security models. In a challenging threat landscape where even the most rudimentary threat actors are effortlessly bypassing traditional MFA factors, organizations require a new approach that provides a comprehensive, low-friction approach to security. Zero Trust Authentication combines powerful risk scoring with continuous authentication to ensure every digital touchpoint is verified, delivering a higher level of protection against threat actors. With the deployment of a single solution, organizations can effortlessly improve their zero trust compliance and overall security posture without cluttering their technology stacks. Zero Trust Authentication is clearing the path toward reliable, seamless, and holistic identity security.
About the author: Jasson Casey is currently the Chief Technology Officer of Beyond Identity. He has previously served as CTO of SecurityScorecard, VP of Engineering at IronNet Cybersecurity, Founder and Executive Director of Flowgrammable as well as Compiled Networks, and VP of VoIP Product Development at CenturyTel, among other technical and executive roles.
