The road to zero trust can be bumpy for nearly any organization. CISOs need to make data and services accessible to their users, but they also need to protect that same data and those same services against breaches. Security leaders therefore have to weigh ease of access against the strength of the controls they add as they move toward a zero trust architecture.
Unfortunately, a single point of access is enough for a bad actor to reach critical company systems. For example, Robinhood recently disclosed that millions of its customers’ names and email addresses were stolen after a cybercriminal socially engineered a customer service representative by phone and gained access to customer support systems.
Similarly, on March 18th 2022, HubSpot reported that a malicious actor had compromised a HubSpot employee account and exported customer contact data.
As these recent incidents show, user credentials remain the attack vector of choice for many cybercriminals. Most organizations have deployed 2FA, MFA or passwordless solutions to harden access, but attackers and their methods keep pace. Here is a non-exhaustive list of ways that attackers get around 2FA, MFA and some passwordless solutions:
- SIM swap to intercept 2FA codes sent by SMS
- Convince a carrier to port or reassign the phone number associated with an account
- Email the helpdesk and request a change of the phone number on record
- Target systems that cannot be hardened with modern authentication
- Convince the user to enroll the criminal’s phone as their biometric authenticator
None of these attacks breaks the second factor itself; each one goes after the enrollment and recovery paths (the carrier, the helpdesk, the user) that decide who the factor is delivered to. That is why they are so hard to defeat unless authentication is tied to a proven identity, such as real biometrics bound to the person, rather than to a phone number or a mailbox. Proving identity in a way that helps meet Zero Trust guidelines requires a solution that:
1) Establishes identity
2) Proves authentication with the established identity
With this identity-based approach to authentication, identity sits at the forefront of security, so that organizations implementing a Zero Trust infrastructure know with high assurance who is accessing IT assets and online services.
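The following Python model, added here as an illustration and not code from the original article or from 1Kosmos, shows why the bypasses listed above work against SMS-delivered codes and why binding authentication to an identity established at enrollment defeats the same moves. Everything in it is constructed: the phone numbers, the SIM ownership table that stands in for the carrier, the "Alice"/"Mallory" users, and the use of an HMAC over a server challenge as a stand-in for a hardware-backed device key. The identity-proofing result is simply passed in, since in a real deployment it would come from verification against a government, telco or banking record.

```python
import hashlib
import hmac
import secrets


class AuthServer:
    """One identity record per user, created by an (assumed external) identity-proofing
    step, with two second factors layered on top of it for comparison."""

    def __init__(self, sim_owners):
        # sim_owners: phone number -> whoever currently receives SMS for it (constructed
        # stand-in for the carrier). A SIM swap or port-out just rewrites this table.
        self.sim_owners = sim_owners
        self.records = {}      # username -> {"name", "phone", "device_key"}
        self.pending_otp = {}  # username -> last OTP sent to the phone on record
        self.challenges = {}   # username -> outstanding challenge bytes

    # Step 1: establish identity. The proofing result is supplied by the caller.
    def establish_identity(self, username, verified_name, phone):
        self.records[username] = {"name": verified_name, "phone": phone, "device_key": None}

    # Step 2: bind a device secret to the established identity. Generated once,
    # handed to the enrolling device, and never sent over SMS or email afterwards.
    def enroll_device(self, username):
        key = secrets.token_bytes(32)
        self.records[username]["device_key"] = key
        return key

    # Recovery path used by the "email the helpdesk" attack: re-point the phone
    # number on record. Note that it never touches the enrolled device key.
    def helpdesk_change_phone(self, username, new_phone):
        self.records[username]["phone"] = new_phone

    # Factor A: SMS one-time code. Returns (recipient, otp); the code goes to
    # whoever the carrier table says owns the number right now.
    def send_sms_otp(self, username):
        otp = f"{secrets.randbelow(10**6):06d}"
        self.pending_otp[username] = otp
        return self.sim_owners.get(self.records[username]["phone"]), otp

    def verify_sms_otp(self, username, otp):
        expected = self.pending_otp.pop(username, None)
        return expected is not None and hmac.compare_digest(expected, otp)

    # Factor B: challenge/response that only the enrolled device can answer.
    def issue_challenge(self, username):
        challenge = secrets.token_bytes(16)
        self.challenges[username] = challenge
        return challenge

    def verify_device_response(self, username, response):
        challenge = self.challenges.pop(username, None)
        key = self.records[username]["device_key"]
        if challenge is None or key is None:
            return False
        return hmac.compare_digest(device_sign(key, username, challenge), response)


def device_sign(device_key, username, challenge):
    """What the enrolled device computes. HMAC-SHA256 over (username || challenge) is a
    stand-in for a signature with a hardware-backed key; the point is that the secret
    never leaves the device and cannot be redirected by a carrier or helpdesk."""
    return hmac.new(device_key, username.encode() + challenge, hashlib.sha256).digest()


def run_scenario():
    """Run a SIM swap and a helpdesk number change against both factors."""
    sim_owners = {"+15550100": "alice"}                # constructed carrier table
    server = AuthServer(sim_owners)
    server.establish_identity("alice", "Alice Example", "+15550100")
    alice_key = server.enroll_device("alice")

    # Legitimate use: both factors succeed for the real user.
    recipient, otp = server.send_sms_otp("alice")
    legit_sms = recipient == "alice" and server.verify_sms_otp("alice", otp)
    legit_device = server.verify_device_response(
        "alice", device_sign(alice_key, "alice", server.issue_challenge("alice")))

    # Attack 1: SIM swap. The carrier now delivers Alice's SMS to Mallory.
    sim_owners["+15550100"] = "mallory"
    recipient, otp = server.send_sms_otp("alice")
    attacker_sms = recipient == "mallory" and server.verify_sms_otp("alice", otp)

    # Mallory has no enrolled key, so any response she can compute is rejected.
    forged = device_sign(secrets.token_bytes(32), "alice", server.issue_challenge("alice"))
    attacker_device = server.verify_device_response("alice", forged)

    # Attack 2: helpdesk moves the number on record to one Mallory controls.
    sim_owners["+15550199"] = "mallory"
    server.helpdesk_change_phone("alice", "+15550199")
    recipient, otp = server.send_sms_otp("alice")
    attacker_sms_via_helpdesk = recipient == "mallory" and server.verify_sms_otp("alice", otp)

    return {
        "legit_sms": legit_sms,
        "legit_device": legit_device,
        "attacker_sms_after_sim_swap": attacker_sms,
        "attacker_device_after_sim_swap": attacker_device,
        "attacker_sms_after_helpdesk_change": attacker_sms_via_helpdesk,
    }


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name}: {'ACCEPTED' if outcome else 'rejected'}")
```

The two attacks succeed against the SMS factor without ever touching Alice's credentials, because the server only checks that a code came back, not who received it. The device-bound factor is unaffected by either change because the phone number is not an input to it; the same reasoning applies to any recovery flow, which is why a password reset or re-enrollment path must gate on the identity-bound factor and not on a mailbox or phone number.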
When users have a quick and convenient way to self-verify their identity using government, telco, and banking credentials, they can present that verified digital identity at login or at transaction approval. This identity pre-proofing injects a level of trust into the Zero Trust implementation while keeping the experience frictionless for users. The result is a Zero Trust deployment with a noticeably better access experience and a high level of assurance about the identity on the other side of the digital connection.
However, security leaders need to remember that not every system is created equal. SSO can front many systems, but those systems still need additional controls to prevent breaches. Leaders will need to harden them by adding passwordless, identity-based authentication, together with a secure password reset for the cases that still require one.
Where applications and systems do not allow for an identity-based, passwordless experience, a password is obviously still required. To protect these systems, security leaders should offer an integrated password reset capability that removes the need for any helpdesk involvement: through an app or user portal, users reset their own passwords if and when needed. The reset flow must gate on the same identity-based authentication as everything else; otherwise it simply moves the helpdesk weakness described above into an app. Integrating password reset this way lets organizations run one strong, continuous authentication platform even for systems that still insist on a username and password, and it eliminates reset calls to the helpdesk, saving both user frustration and cost.
(The author, Robert MacDonald, is Vice President of Product Marketing at 1Kosmos; the views expressed in this article are his own.)