Identity, Decentralized identity and verifiable credentials, SC Awards

Inching toward identity authentication perfection: Passwordless, secretless

Share
Twofactor authentication represented by a digital key and smartphone, cybersecurity, blue tones, 3D rendering

No matter how much security training an organization conducts for its staff, if your plan involves people not failing, then your plan is going to fail. So says Portnox CEO Denny LeCompte.

People are people, after all. LeCompte should know: Prior to working in the cybersecurity field, he was a professor in cognitive psychology.

“We’re just not perfect,” he said.

The trick for security firms is to make their products so people don’t have to be perfect.

That is why one of the first thoughts for chief security officers (CSOs) and chief information security officers (CISOs) during a breach is that a staff member’s password was compromised, said LeCompte, who is Conditional Access for Applications as part of Portnox Cloud was a finalist for Best Authentication Technology for the 2024 SC Awards.

In an age where employees can access their organization’s network from the office or a remote location, identity and access management (IAM) is increasingly important to securing an organization’s applications, files and data by making sure the right people have the necessary permissions to access such sensitive systems.

Moving beyond the password

Getting rid of passwords — passwordless — and introducing passkeys as a way to authenticate a user’s identity is one of the more recent trends in the IAM field. Passkeys verify a user’s identity using biometrics such as fingerprints or facial recognition, or a device PIN.

While multifactor authentication (MFA) is better than just a password for security, cybercriminals are also learning how to fool or defeat MFA through technical workarounds or social engineering, LeCompte said, adding that passkeys would also assist in this regard as it would recognize the device as a way to identify the user.

One drawback of verifying by device is the ability for employees to log-in from, say, their sister’s computer while at her house, LeCompte explained. “Well, trust me, your security team does not want you to do that because they don't know your sister.”

Passkeys are faster, easier ways to verify users since its certificate is on the device once it’s set up, which is something that is a bit of rarity in the cybersecurity field.

“Most of them [security solutions] add a lot of friction to your life, which we think is a problem, because if you make it hard enough to do security or to be secure, people will find ways around,” said LeCompte.

A good way to deal with these workarounds is zero trust architecture, which is another IAM trend. As the name implies, zero trust doesn’t assume a user’s identity is trusted and constantly asks for proof. LeCompte said Portnox’s surveys of security leaders tell them that they believe zero trust is overhyped, but that it’s also under-delivered.

“They still want it, and they don’t believe they have it,” he said. “It still remains an aspirational goal.”

Identity management for non-human users

In addition to employees — human users — there’s also the issue of non-human identities (NIH) in the form of credentials for application programming interface (API) keys, Oath tokens, Internet of Things devices and secrets.

The secrets used in environments as organizations move to the cloud and leverage software-as-a-service (SaaS) tools, as well as continuous integration and continuous delivery (CI/CD), can leave those organizations at risk.

Aembit Chief Marketing Officer Apurva Davé said his company’s Workload Identity and Access Management’s secretless technology, which was a finalist in two categories — Best Identity Management Solution and Best Authentication Technology — eliminates long-lived keys, thereby reducing the attack window. Aembit’s Workload Identity and Access Management (WIAM) works as centralized identity control plane for these non-human identities.

Compliance

Compliance with ever more stringent requirements coming from governments, especially in Europe, is another issue where organizations will have to show they’ve done their due diligence in authentication and access control. Compliance also affects cyber insurance as more organizations are hacked, insurance companies will charge more and will probe deeper into the security posture of organizations.

“If you've ever been an organization that's had a bad hack, it kind of just disrupts everything for a long time,” said LeCompte. “That's one of the motivations for my whole team.”

An In-Depth Guide to Identity

Get essential knowledge and practical strategies to fortify your identity security.
Stephen Weigand

Stephen Weigand is managing editor and production manager for SC Media. He has worked for news media in Washington, D.C., covering military and defense issues, as well as federal IT. He is based in the Seattle area.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.