Zero Trust: Don’t Believe the Hyp(r)e!
Zero Trust is a buzzword with which cybersecurity folks are quite familiar. I understand, you’re surprised. Zero Trust has nothing to do with the Amazon packages your spouse hides from you. Rather, in 2009, John Kindervag (Forrester Research) introduced the concept of a “zero trust model,” in response to rising security challenges. Zero Trust can be summarized in four words: never trust, always verify. The main assumption Kindervag made is that traffic within an enterprise’s network cannot be more trustworthy by default than traffic coming from the outside. He was spot on, it turns out. After all, 60 percent of data breaches actually come from insiders.
Zero Trust and workforce access: the dilemma.
Zero Trust is a security concept that requires all users, even those inside the organization’s enterprise network, to be authenticated, authorized, and continuously validated for security configuration and posture, before being granted or keeping access to applications and data. This approach leverages advanced technologies such as multifactor authentication, identity and access management (IAM), and next-generation endpoint security technology to verify the user’s identity and maintain system security.
Eighty-one percent of data breaches are due to password mismanagement. Concretely, it means that if at any point during the day you need to submit a username and password to access a system or an app to conduct business effectively, your organization is a sitting duck. But that’s not all: even if you’re required to leverage solutions (2FA, MFA) that rely on passwords in any shape or form, then your organization is also a sitting duck.
Passwords can be shared (60 percent of US employees have admitted to sharing their credentials with colleagues), stolen, reused… you name it. They actually are cybercriminals’ number one choice as a gateway for hacking systems (mostly through social engineering and phishing attacks) and stealing millions of user records.
So, how compatible are the Zero Trust security framework and the use of passwords for workforce authentication? The answer: They are not!
Zero Trust and (most) passwordless solutions: the insufficiency.
Don’t we all love convenience? For the three hundred and forty-ninth day in a row, you walk in your shorts and sweatshirt from your kitchen to your (improvised) home office, turn your workstation on, the monitor displays a QR code next to the Windows 10 logo, you grab your cellphone, launch your favorite passwordless solution, scan the QR code with the phone, authenticate with your thumb and you’re in! Another day at the home office can start! Forget passwords. You know that no one will compromise your identity today, and that feels pretty empowering. Take that, John Kindervag! You live and breathe Zero Trust. Never trust, always verify!
If I were in charge of information security in your organization, I’d instantly ask myself whether that’s really you who just authenticated and now has access to all my critical systems and applications… Fact: Even though eliminating passwords allows for higher levels of authentication assurance per the NIST 800-63-3 Guidelines (AAL2 or AAL3), most passwordless solutions do not proof a user’s identity. As a result, those very same solutions only reach the lowest level of identity assurance per the same NIST Guidelines, IAL1. And that is utterly incompatible with the Zero Trust security framework.
Zero Trust and passwordless solutions: (IAL3 + AAL3 =) FAL3 or bust.
There is no bulletproof authentication without an indisputable ID proofing process that takes place beforehand and that ultimately leaves no room for uncertainties concerning the employee’s identity. Indisputable ID proofing must involve the triangulation of a user claim (photo ID, physical address, for example) with government-issued documents (driver’s license, passport) and multiple sources of truth (bank account, email and physical addresses, passport RFID chip, credit cards, loyalty programs, etc.), including advanced, unspoofable biometrics, like a liveness test. Government-issued documents, sources of truth and advanced biometrics feed a series of data checks and verifications that prove an individual’s identity, and that proofed identity is then relied upon each time the same individual needs to authenticate to remotely access a system or a service online.
In other words, Zero Trust and passwordless solutions are incompatible unless the latter can prove indisputably the identity of the employee prior to leveraging the ID-proofing process for passwordless authentication, thanks to the use of a liveness test. Said differently, Zero Trust is impossible if the passwordless solution does not combine ID-proofing and passwordless authentication and, consequently, is unable to reach the highest level of identity and authentication assurance per the NIST 800-63-3 guidelines, IAL3 and AAL3: FAL3.
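To make the argument of the last few paragraphs concrete, here is an added illustration (not code from this post, nor from 1Kosmos or BlockID) of a small Zero Trust policy decision function written in Python. It contrasts a legacy perimeter check, which trusts anything on the corporate network, with an evaluator that, per request, checks the identity assurance level established at proofing (IAL), the assurance of the authenticator used (AAL), device posture and how recently the user was verified. The resource tiers, the IAL/AAL minimums per tier, the 15-minute re-verification window and the request fields are all assumptions made for the example; the sample requests are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed policy: minimum NIST SP 800-63-3 identity assurance (IAL) and
# authenticator assurance (AAL) per resource tier. The tiers and the numbers
# are constructed for this example, not taken from any standard or product.
REQUIRED_ASSURANCE = {
    "public":   (1, 1),
    "internal": (2, 2),
    "critical": (3, 3),
}

# How long a successful verification is honoured before the session must be
# re-validated ("always verify"). Assumed value.
MAX_VERIFICATION_AGE = timedelta(minutes=15)


@dataclass
class AccessRequest:
    user: str
    resource_tier: str
    ial: int                    # IAL established when the identity was proofed
    aal: int                    # AAL of the authenticator used for this session
    device_compliant: bool      # endpoint posture reported by the device agent
    last_verified: datetime     # when the user last completed verification
    on_corporate_network: bool  # only the legacy evaluator looks at this


def perimeter_evaluate(req: AccessRequest) -> bool:
    """Legacy 'castle and moat' decision: inside the network means trusted.
    Shown only as the weak baseline the Zero Trust evaluator replaces."""
    return req.on_corporate_network


def zero_trust_evaluate(req: AccessRequest, now: datetime):
    """Zero Trust decision: every request is checked against identity assurance,
    authenticator assurance, device posture and verification freshness.
    Network location is deliberately never consulted. Returns (allowed, reasons);
    an empty reasons list means the request passed every check."""
    required = REQUIRED_ASSURANCE.get(req.resource_tier)
    if required is None:
        # Fail closed: an unclassified resource gets no access.
        return False, [f"unknown resource tier '{req.resource_tier}'"]
    required_ial, required_aal = required
    reasons = []
    if req.ial < required_ial:
        reasons.append(f"identity proofing IAL{req.ial} below required IAL{required_ial}")
    if req.aal < required_aal:
        reasons.append(f"authenticator AAL{req.aal} below required AAL{required_aal}")
    if not req.device_compliant:
        reasons.append("device posture check failed")
    if now - req.last_verified > MAX_VERIFICATION_AGE:
        reasons.append("last verification too old; re-authentication required")
    return (not reasons), reasons


# Constructed sample requests, evaluated at a fixed instant for determinism.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)

# A passwordless login (AAL2) whose identity was never proofed (IAL1), coming
# from inside the office network: the scenario the post warns about.
UNPROOFED = AccessRequest("alice", "critical", ial=1, aal=2, device_compliant=True,
                          last_verified=NOW - timedelta(minutes=1), on_corporate_network=True)

# Fully proofed identity with a high-assurance authenticator and a healthy device.
PROOFED = AccessRequest("bob", "critical", ial=3, aal=3, device_compliant=True,
                        last_verified=NOW - timedelta(minutes=1), on_corporate_network=False)

# Same as PROOFED but verified 20 minutes ago, so the session must re-validate.
STALE = AccessRequest("bob", "critical", ial=3, aal=3, device_compliant=True,
                      last_verified=NOW - timedelta(minutes=20), on_corporate_network=False)

if __name__ == "__main__":
    for req in (UNPROOFED, PROOFED, STALE):
        allowed, reasons = zero_trust_evaluate(req, NOW)
        print(f"{req.user:>6} perimeter={perimeter_evaluate(req)} "
              f"zero_trust={allowed} {reasons}")
```

Running it shows the point of the post in one line each: the perimeter check waves `alice` through because she is on the office network, while the Zero Trust evaluator denies her critical-tier request because her identity was never proofed beyond IAL1, even though her passwordless authenticator is strong; `bob` is allowed only while his verification is fresh and is sent back to re-authenticate once it goes stale.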
To conclude: Zero Trust: Trust 1Kosmos BlockID
The compatibility between Zero Trust and 1Kosmos BlockID can also be summarized in four words: never trust, really verify. Again, pertinent user authentication is impossible without indisputably proofing beforehand the identity of the user who is authenticating. We all agree that passwordless authentication is much safer than password authentication. But in terms of Zero Trust, most passwordless solutions do not cut it, because they do not combine indisputable digital identity proofing with advanced biometrics and passwordless authentication. 1Kosmos BlockID is the only cyber security solution on the market that does this.