Thales Blog

Top Five Reasons for Choosing FIDO2 Devices for Enterprise Authentication

September 8, 2022

Danna Bethlehem | Director, Product Marketing

Strong yet convenient authentication has become a cornerstone of a robust security posture for modern, digital, cloud-first enterprises. The adoption of multiple cloud platforms and services, together with hybrid work, has blurred the traditional network boundary and made access security a necessity. Strong access controls must also be convenient for users; otherwise productivity suffers and people work around them.

Security and convenience can go hand-in-hand if enterprises elect for a solution that supports both multi-factor authentication and passwordless identity verification. This is the first blog in a series of three that will cover the reasons for choosing FIDO devices, an introduction to the latest FIDO security key releases from Thales, and an overview of Thales’ dedicated FIDO security key customized for Azure.

Why do you need passwordless authentication?

Although strong, unique passwords backed by an adequate policy are undoubtedly one way to secure access to sensitive data and systems, password fatigue and rising operational costs work against them. Given the number of apps and systems each employee must access daily to do their job, passwords look more like a vulnerability than a solution.

This is precisely the problem passwordless authentication solves: it replaces text-based passwords with proof of possession of a device the user holds, a biometric trait unique to them such as a face or fingerprint, or both. Since more than 60% of successful data breaches are attributed to compromised credentials, eliminating passwords altogether reduces breach risk because there is no shared secret for a criminal to phish, guess or buy, and no unsafe password habits, such as reuse across services, to expose you and your company.

Implementing passwordless authentication can also help reduce or eliminate operational costs for maintaining passwords, since your users will be able to log in without a password. This also eliminates the need to store and maintain those password databases.

Enhance identity verification with MFA

However, a single authentication factor, even one that is not a password, is not sufficient for high-risk or critical computing environments. Multi-factor authentication (MFA) is needed for step-up authentication to sensitive resources, and it is so effective at preventing successful breaches that it has become a requirement rather than a recommendation. Cyber-insurance carriers increasingly make it a condition of coverage (in effect, "no MFA, no coverage"), and Executive Order 14028 on improving the nation's cybersecurity requires US federal agencies to deploy MFA.

It is important to understand, though, that not all MFA methods are equally secure. One-time codes sent by SMS, and OTPs in general, can be phished and relayed in real time through an adversary-in-the-middle proxy, and SMS is additionally exposed to SIM swapping. As criminals adapt to our access controls, the US government (OMB memorandum M-22-09 requires phishing-resistant MFA for federal agency staff) and ENISA are pushing the adoption of phishing-resistant MFA.

FIDO2 offers both passwordless and MFA

FIDO2 is an open authentication standard maintained by the FIDO Alliance. It consists of two specifications: the W3C Web Authentication API (WebAuthn), which a web application calls through the browser, and the FIDO Alliance's Client to Authenticator Protocol (CTAP), which the browser or operating system uses to talk to an external authenticator such as a security key over USB, NFC or Bluetooth Low Energy.

Public key cryptography is the foundation of FIDO2, which supports both strong single-factor (passwordless) and multi-factor authentication. At registration the authenticator generates a fresh key pair for each relying party and releases only the public key; the private key never leaves the hardware. At login the authenticator signs a server-issued random challenge together with the origin the browser reports. The result is that FIDO2-compatible devices replace weak static passwords with hardware-backed key credentials that are not susceptible to phishing or adversary-in-the-middle relay (the signature is bound to the genuine origin), to server compromise (the server stores only public keys), or to replay, reuse or sharing between services (each challenge is single-use and each service gets its own key pair).

Five reasons why I should select a FIDO2 security key

Because of its significant advantages in simplifying login for users and removing the inherent risks of text-based passwords, FIDO2 has become popular as a modern form of MFA. Here are the top five arguments in favor of FIDO2 security keys:

1. Superb security: FIDO2 relies on asymmetric public key cryptography and proof of possession of the authenticator. Because each credential is bound to the relying party's origin, it is phishing-resistant and defeats adversary-in-the-middle credential theft.

2. Practical and simple for end users: With FIDO2 passwordless authentication, users have no passwords to remember, which improves security while cutting help desk costs for password resets.

3. Simple deployment: FIDO2 is based on open standards, so it needs no proprietary infrastructure or dedicated token server; any identity provider or application that supports WebAuthn can accept the keys. Because users can self-register their keys, IT teams are relieved of token enrollment and credential provisioning, which reduces administrative burden (a policy for initial identity proofing and for revoking lost keys is still needed).

4. Excellent for mobile authentication: NFC-capable FIDO2 keys work with mobile browsers and apps, so users get the same phishing-resistant authentication on their phones and tablets as on the desktop.

5. Enhanced security for cloud applications: FIDO2 was designed for web and cloud services, and its origin-bound credentials protect exactly the browser-based logins that cloud applications depend on.

Take the next step toward superior and convenient security

Now that you have understood the benefits of selecting a FIDO2 device, the next step is to choose the one that fits your needs. Not all FIDO2 devices are equal. Which one is the perfect fit for you and your organization?

Thales has created a concise checklist that can help you. Download our FIDO2 Devices Solution Brief and get ready to enjoy great security, a superb user experience and peace of mind. And look out for the next blogs in this series, which will cover the latest security key releases and a dedicated solution for Azure.