Nobelium, the group of hackers responsible for the SolarWinds attack did not spare the tech giant, Microsoft when they performed credential theft to gain administrator-level access to Active Directory Federation Services (AD FS) servers and exploit the sensitive database. The recent upsurge in the number of authentication-linked cybercrimes has exposed the loopholes in traditional cybersecurity practices.
The State of Passwordless Security 2022 reported that in 2021, 89 percent of organizations suffered phishing attacks and 34 percent encountered credential stuffing and brute force attacks. Around 63 percent of respondents were unable to access critical information after failing to remember passwords and 89 percent of them believed that passwordless multifactor authentication can strengthen the security posture of the organization without harming operational agility.
In passwordless authentication, users do not need to input specific passwords to initiate the login or access request. Instead, he can prove or authenticate his identity by using one-time password (OTP), Time-based one-time password (TOTP), secret codes via SMS, biometrics, or public key infrastructure (PKI) based authentication certificates.
How does PKI-based passwordless authentication work?
While traditional password-based authentication is based on ‘what you know’ (a password), passwordless authentication is based on ‘what you have’ (a private key related to a certificate), which is resilient to brute force attacks.
An efficient passwordless authentication solution, like using public key infrastructure certificates with hardware tokens, can help you ensure that only legitimate users and employees gain access to sensitive information and corporate resources. Digital certificate-based authentication, which relies on PKI architecture, validates the identity of the users to the servers. You can substitute the use of PINs and OTPs with the digital certificates in the users’ device for authenticating users.
In PKI-based authentication, which is a bilateral authentication, the public and private keys encrypt and decrypt the information transmitted over the Internet respectively and ensure that the message is restricted between the legitimate sender and receiver. With public-key certificates, which are electronically signed documents, you can validate the identity of the key holder. Digital certificates, like X.509 certificates contain a public key and an identity, (hostname or organization or individual) and it is either signed by a trusted certificate authority (CA) or self-signed. Digital certificates issued by a certificate authority are used to secure websites and endpoints involving direct user interactions.
Why you should use PKI-based authentication over password-based?
- No additional costs on hardware: Passwordless authentication procedures like implementing OTP and biometrics require heavy investment in hardware and security devices. But, with PKI-based authentication, no additional hardware is required as digital certificates are installed in the device of the end-user. Passwords and randomly generated security codes can be replaced with digital certificates for authenticating users and devices. Using a certificate-based authentication solution that comes with a cloud-management platform helps you to issue certificates to new users, renew, revoke and monitor certificates without incurring additional charges.
- Protection against brute force: A brute force attack is one of the most common hacking methods where a hacker tries to guess your password. Multiple trial and error methods allow hackers to guess your password correctly and give them a chance to enter your network. With passwordless authentication, you can remove passwords from the whole equation, and authenticate the user and server identity via PKI certificates.
- Improved efficiency and user experience: Generating and memorizing innumerable passwords is not a sustainable option. By using PKI-based authentication, you don’t have to undergo the process of setting, re-setting, and remembering passwords, thus improving efficiency and delivering a better user experience. Digital certificates are specific to each user, containing unique details, and they undergo strict vetting procedures via PKI authorization and authentication.
- Data security: With PKI-based digital certificates, you can ensure the privacy of the messages by reducing the risk that they can be read by anyone other than the intended recipient. Digital certificates guarantee the integrity of electronic communications by cutting down the risks of them being altered or tampered with, without the knowledge of the intended recipient.
- Easy to implement: Most organizations’ networks and applications support X.509 certificates, which are the standardized format for public-key certificates. This means, with minimal configuration changes, you can implement certificate-based authentication easily for popular use cases like Windows Logon and Google Apps.
Your IT teams need to recognize and authenticate identities irrespective of whether they are digital or human. Switch to PKI-based authentication for governance, scalability, crypto-agility, efficiency, and cost savings.