By David J. Rosenthal
In IT, there is always something new to learn, a new framework or technology to master. Some are more abstract than others, with benefits and use cases that are ill-defined. But some are incredibly serious topics that every organization hoping to optimize its processes and protect its digital assets and human resources needs to get up to speed with… and fast.
One such term is Zero Trust, which, simply put, is a security posture where absolutely no one — not the users or the devices they are connecting to you with — is trusted. Everyone is suspect until verifiably proven otherwise. Across industries, Zero Trust initiatives are being rolled out to safeguard the sensitive data and networks of businesses from globe-spanning enterprises to SMBs with just a handful of employees.
One of the major impediments to moving to a Zero Trust model is outdated authentication methods, such as traditional passwords. Switching to passwordless authentication will be a necessary advancement on the journey to Zero Trust. Fortunately, several solutions already exist, such as hardware authenticators, like those from Yubico, that are helping organizations update their security posture to address the modern threat environment.
Trust No One, Verify Everyone
Zero Trust sounds like you don’t have faith in your own team. That’s not entirely accurate, but, in truth, skepticism must be the order of the day. Cyber attackers have developed incredibly sophisticated means of spoofing identities or stealing legitimate credentials. When their attacks are successful, system administrators don’t find out until the damage is already done. In a security landscape like that, trusting no one is simply prudent.
Every user who enters your network or logs into an on-premises system must be scrupulously validated, and even after they are in, monitoring agents must track their movement and continually scan all endpoints. Zero Trust also requires expiring sessions after set periods and demanding frequent re-authentication. That’s the only way to ensure prying eyes and unauthorized users are denied access.
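The session rules in the paragraph above (expiry after a set period, frequent re-authentication, continuous endpoint checks) are easy to state and easy to get wrong in the order they are applied. The Go program below is an added example, not code from the original post: a small policy evaluator that checks a live session against an absolute lifetime, an idle timeout, the latest endpoint posture report, and a re-authentication window that only applies to sensitive actions. The policy values, user name and timestamps are constructed for the example.

```go
package main

import (
	"fmt"
	"time"
)

// Decision is the outcome of evaluating one request against a live session.
type Decision string

const (
	Allow  Decision = "allow"
	Reauth Decision = "reauth" // session survives, but the user must authenticate again first
	Deny   Decision = "deny"   // session is terminated
)

// Session is what the server knows about an authenticated user. Nothing in it
// is trusted beyond the freshness windows in Policy.
type Session struct {
	User          string
	IssuedAt      time.Time // when the session was created
	LastAuthAt    time.Time // last successful strong authentication
	LastSeenAt    time.Time // last request made on this session
	DeviceHealthy bool      // latest posture report from the endpoint agent
}

// Policy holds the windows. The defaults below are constructed for the example.
type Policy struct {
	MaxLifetime time.Duration // absolute cap, regardless of activity
	IdleTimeout time.Duration // terminate after this much inactivity
	ReauthEvery time.Duration // strong auth must be this recent for sensitive actions
}

var DefaultPolicy = Policy{MaxLifetime: 8 * time.Hour, IdleTimeout: 30 * time.Minute, ReauthEvery: time.Hour}

// Evaluate applies the checks from most to least severe, so a session that
// should be terminated is never merely asked to re-authenticate.
func (p Policy) Evaluate(s Session, now time.Time, sensitive bool) (Decision, string) {
	switch {
	case now.Sub(s.IssuedAt) > p.MaxLifetime:
		return Deny, "session past maximum lifetime"
	case now.Sub(s.LastSeenAt) > p.IdleTimeout:
		return Deny, "session idle too long"
	case !s.DeviceHealthy:
		return Deny, "endpoint posture check failed"
	case sensitive && now.Sub(s.LastAuthAt) > p.ReauthEvery:
		return Reauth, "strong authentication too old for this action"
	}
	return Allow, ""
}

func main() {
	now := time.Date(2024, 1, 1, 12, 0, 0, 0, time.UTC) // constructed clock
	s := Session{User: "alice", IssuedAt: now.Add(-10 * time.Minute),
		LastAuthAt: now.Add(-10 * time.Minute), LastSeenAt: now.Add(-time.Minute), DeviceHealthy: true}
	d, why := DefaultPolicy.Evaluate(s, now, true)
	fmt.Println("fresh session, sensitive action:", d, why)
	s.LastAuthAt = now.Add(-2 * time.Hour)
	d, why = DefaultPolicy.Evaluate(s, now, true)
	fmt.Println("stale strong auth, sensitive action:", d, why)
	s.DeviceHealthy = false
	d, why = DefaultPolicy.Evaluate(s, now, false)
	fmt.Println("unhealthy endpoint:", d, why)
}
```

The point of the ordering is that a deny reason always wins over a re-auth reason: if the endpoint agent reports the device as non-compliant, prompting the user for a second factor would only hand a fresh credential to a compromised machine.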
Security protocols like those might have been commonplace at CIA headquarters for some time, but the world of business is still getting used to the idea that they need to protect themselves so comprehensively. Many chafe at the idea. Multi-factor authentication, frequent re-authentication, managing long lists of complex passwords, and constant oversight to manage security can make for a painful user experience.
But it doesn’t have to. There is a better way that removes many of the headaches of password-based security along with many of its vulnerabilities. The future of security definitely isn’t a password scrawled on a post-it note on your monitor; in fact, it doesn’t have passwords at all.
The Era of the Password Is Fading
Passwords are the most common form of authentication today, yet they are unavoidably vulnerable to Man-in-the-Middle (MiTM) attacks, and stolen or weak passwords are linked to 80% of all data breaches, security lapses that have huge financial and reputational implications for any business.
A password is a shared secret. The user, of course, knows their password (usually!) but so must the validation service that matches the user’s password to one in its own database. Every person or system with a record of that password is a potential entrypoint for an attack.
For years, security professionals have admonished users for reusing passwords, using personal information in their passwords, or using short and simple passwords that can be cracked with brute force hacks. But today, even very long, totally random passwords offer diminishing protection. That’s because of the growing prevalence of highly sophisticated phishing attacks. Even the best password won’t protect you if an attacker tricks you into telling it to them.
It’s with good reason that passwords are so common in security, however. For all their limitations, they are incredibly useful. For one thing, they are truly portable and highly compatible and interoperable. Whatever it is you are trying to access, chances are a password can be deployed to open that door. And it’s a mature technology that users are already familiar with and use both at work and in their personal lives.
Granted, many users have trouble remembering their passwords, and password resets are one of the biggest wastes of employee time and technical resources in IT, but they are still a fundamental component of most security systems. Not for long, however.
Yubico Offers a Better Way
The passwordless future is being made possible thanks to hardware authentication devices like the YubiKey, a U2F (Universal 2nd Factor) and FIDO (Fast IDentity Online) protocol-compliant security solution developed by Yubico, a private company based in Palo Alto, California, that is not only manufacturing the devices themselves but also taking on a thought leadership role in promoting open security standards like FIDO.
Yubico wasn’t the first company to offer a passwordless authentication system. Many websites and digital services offer passwordless SMS or email verification that sends OTP (one-time password) codes whenever users log in. So-called ‘email magic links,’ emailed links with a unique token that allow users to log in without a password, are also fairly common.
Though solutions like those make it easier for users because they no longer have to manage long lists of passwords, they do little to prevent MiTM phishing attacks. A hacker with access to its target’s email or phone messages can still gain access to a variety of protected networks.
Yubico’s hardware solution is different. It’s a physical device that the user (and only the user) possesses. Yubico has partnered with most of the largest technology companies in the world, including Google, Microsoft, and Apple, to integrate its standard across virtually every major platform on the market today. That means no new or proprietary software is required for an organization to migrate to a Yubico system. It works natively with everything you’re already using, including all leading Identity and Access Management (IAM) solutions:
- Azure Active Directory
The benefits of switching to a passwordless, hardware authentication device like a YubiKey go beyond better protection. It’s also a low friction, high quality user experience. Key advantages include:
- Simple scalability
- Ease of support
- Prevention of MiTM phishing attacks
- Origin binding
- Seamless integration with desktops, laptops, smartphones, and tablets
- Multiple form factors and input types to fit every need (USB-A, USB-C, Lightning, NFC)
- One device for trusted login on multiple services and networks
- User self-service for provisioning, registration, and account recovery
- Fast deployment
- High durability with low maintenance (no screens, batteries, or moving parts)
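Two of the advantages listed above, prevention of MiTM phishing attacks and origin binding, are really one mechanism, and it also explains why the OTP codes and magic links described earlier can be relayed while a FIDO assertion cannot. The Go program below is an added example, not code from the original post or from Yubico: using only Go's standard library it emulates a FIDO2/WebAuthn security key and a relying party, then runs three constructed logins: a real one, one relayed through a look-alike site (the constructed name example-com.invalid), and the relayed assertion after the proxy rewrites the origin and RP ID hash to look legitimate. All origins, RP IDs and challenge strings are constructed; the authenticator-data layout and the signed input follow the WebAuthn specification but are simplified (no attestation, no sign-count check).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData mirrors WebAuthn's CollectedClientData; the browser, not page script, fills in Origin.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}
// Assertion is what the relying party receives from navigator.credentials.get().
type Assertion struct {
	AuthData       []byte // rpIdHash(32) || flags(1) || signCount(4)
	ClientDataJSON []byte
	Signature      []byte // ASN.1 DER ECDSA P-256 signature (ES256)
}
// signedMessage is the hash FIDO signs: SHA-256(authData || SHA-256(clientDataJSON)).
func signedMessage(authData, cdJSON []byte) []byte {
	cdHash := sha256.Sum256(cdJSON)
	m := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return m[:]
}
// Sign emulates browser plus security key. The browser sets rpID and origin from
// the page it is actually on; page script cannot choose them, and the private key never leaves the key.
func Sign(key *ecdsa.PrivateKey, rpID, origin, challenge string) (Assertion, error) {
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	h := sha256.Sum256([]byte(rpID))
	authData := append(h[:], 0x01, 0, 0, 0, 1) // flags: user present; signCount 1
	sig, err := ecdsa.SignASN1(rand.Reader, key, signedMessage(authData, cd))
	return Assertion{AuthData: authData, ClientDataJSON: cd, Signature: sig}, err
}
// RelyingParty is the server side: the registered public key, RP ID and exact origins it serves.
type RelyingParty struct {
	RPID           string
	AllowedOrigins map[string]bool
	PublicKey      *ecdsa.PublicKey
}
var ErrClientData = errors.New("clientData unreadable, wrong type, or challenge does not match")
var ErrOrigin = errors.New("clientData.origin is not an allowed origin")
var ErrRPID = errors.New("rpIdHash does not match this relying party")
var ErrSignature = errors.New("signature does not cover the presented bytes")
// Verify applies the checks in order: challenge, origin (origin binding), rpIdHash, signature.
func (rp *RelyingParty) Verify(as Assertion, challenge string) error {
	var cd clientData
	if json.Unmarshal(as.ClientDataJSON, &cd) != nil || cd.Type != "webauthn.get" || cd.Challenge != challenge {
		return ErrClientData
	}
	if !rp.AllowedOrigins[cd.Origin] { // a relayed login fails here
		return ErrOrigin
	}
	want := sha256.Sum256([]byte(rp.RPID))
	if len(as.AuthData) < 37 || string(as.AuthData[:32]) != string(want[:]) {
		return ErrRPID
	}
	if !ecdsa.VerifyASN1(rp.PublicKey, signedMessage(as.AuthData, as.ClientDataJSON), as.Signature) {
		return ErrSignature
	}
	return nil
}
type Outcome struct{ Legit, Relayed, Tampered error }
// RunScenario: a real login; one relayed through a look-alike site (constructed name
// example-com.invalid); and that relayed assertion after the proxy rewrites origin and
// rpIdHash. Challenges are fixed constructed strings; a real RP draws random bytes per login.
func RunScenario() (Outcome, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	rp := &RelyingParty{RPID: "example.com", PublicKey: &key.PublicKey,
		AllowedOrigins: map[string]bool{"https://login.example.com": true}}
	var out Outcome
	legit, _ := Sign(key, "example.com", "https://login.example.com", "challenge-A")
	out.Legit = rp.Verify(legit, "challenge-A")
	// The proxy forwards the RP's real challenge, but the victim's browser is on the
	// look-alike origin, so that origin and RP ID are what get signed.
	relayed, _ := Sign(key, "example-com.invalid", "https://login.example-com.invalid", "challenge-B")
	out.Relayed = rp.Verify(relayed, "challenge-B")
	// Rewriting the bytes without the private key breaks the signature instead.
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: "challenge-B", Origin: "https://login.example.com"})
	want := sha256.Sum256([]byte("example.com"))
	ad := append(append([]byte{}, want[:]...), relayed.AuthData[32:]...)
	out.Tampered = rp.Verify(Assertion{AuthData: ad, ClientDataJSON: cd, Signature: relayed.Signature}, "challenge-B")
	return out, nil
}

func main() {
	out, err := RunScenario()
	fmt.Println(out.Legit, out.Relayed, out.Tampered, err)
}
```

The contrast with an OTP or magic link is that nothing in a six-digit code says which site it was typed into, so a proxy can forward it unchanged. Here the browser writes the origin into the signed data, the key signs it, and the server compares it against its own allow-list; the attacker can neither stop the browser from recording the look-alike origin nor rewrite it afterwards without the private key.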
To date, Yubico has deployed over 10 million YubiKeys to some of the most hardened and risk-averse organizations in the world. Users like them because they can log in securely four times faster than standard 2FA with a password and there are no passwords to remember or manage. IT administrators love the change because they are associated with a 90% reduction in help desk calls from users having password issues.
And now, Yubico offers a biometric-based solution as well, the YubiKey Bio Series, which adds a fingerprint reader to their key for another layer of protection. Software will always be vulnerable to hackers and malware. Yubico solutions store authenticating information on a separate secure chip with no connection to the internet. Hackers can’t steal what they can’t connect to.
Start Your Journey to Zero Trust, Passwordless Hardware Authentication
With so many benefits and so few drawbacks, there really isn’t a good reason for any organization to stick with old, insecure, and friction-filled methodologies. There are simply too many cyber risks and too many impediments to seamless collaboration and productivity to make password-based security the right choice anymore.
Passwords are too deeply embedded in workflows right now to do away with them completely, but tools like Yubico’s keys are the first step on the path to the passwordless future.
Razor Technology is your trusted IT managed service provider. Save time and money on your IT and cloud services, and protect your organization by calling Razor Tech today.
Razor Technology has been recognized as one of the Top 10 Managed Service Providers by DesignRush.