Michael Engle is the co-founder of 1cosmos and previously head of infosec at Lehman Brothers and co-founder of Bastille Networks.


Every day, more and more new malware threats emerge – and organizations around the world struggle to respond. The situation is chaotic, if not downright overwhelming.

Of course, part of a good cybersecurity defense is detecting and blocking dangerous payloads. Yet, often overlooked is the role of identity verification in achieving zero-trust security, which goes beyond authentication. Knowing who is using applications—and whether they are authorized at any given time—is at the heart of a business’s security.

Passwords have had their day. They are the weakest link in the cyber world.

Yet, as companies transition from passwords to passwordless, it is not simply a matter of adopting a passwordless system. It is also important to rethink and rewire identity management and user authentication for zero trust. While the idea that no person or device can be completely trusted is essentially the same in both the password and the password-free worlds, the practical application of the concept couldn’t be more different.

No Free Pass

Passwordless and zero trust are both a journey. Organizations that plunge into zero trust soon recognize a fundamental fact: passwords are outdated and no longer secure. The underlying premise of zero trust is a shift from “trust but verify” to “never trust, always verify.” Unfortunately, passwords are easily shared, hacked, stolen, and bypassed by intruders. They make it almost impossible to never trust and always verify.

It is important to remember that passwordless systems do not in themselves increase the security level. This is because passwordless approaches that rely on authentication mechanisms rather than identity verification can be circumvented. For example, device-based biometrics are passwordless but do not prove identity, because anyone with administrator access to the device can defeat them. Likewise, passkeys, which provide easy access but rely on possession of the device, can in most cases be shared and do not prove identity either.

To be sure, plugging passwordless into a zero-trust framework for more than just authentication can provide clear benefits, including reducing the risk of compromised credentials and shrinking the attack surface for phishing and account takeover attacks.

Still, zero trust is not a panacea, and achieving it requires more than plugging in an identity-based passwordless system. Three key components serve as the foundation of best-practice zero-trust security:

• Continuous Verification: An organization must ensure that every access request is dynamically authenticated and authorized without relying on stored passwords. This may seem somewhat obvious, but it is not uncommon for passwords to exist in various databases, repositories, or legacy applications. An enterprise may not know these passwords exist, but thieves can find them and exploit them.

• Least Privileged Access: Policies are an important element in designing a zero-trust framework. It is essential to ensure that only people who have the authority to use a system can do so – and only under the right conditions. This dramatically reduces not only the risk of a breach but also the damage a breach causes. Again, passwordless shines in this area – but only if it is architected correctly.

• Microsegmentation: To achieve zero trust, an enterprise must ensure that users and devices operate within tightly controlled areas and segments. Passwordless systems that rely on tokens and digital authentication increase security when they are used with systems that implement more granular controls.
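The three components above are easiest to see in a policy decision point that re-evaluates every request. The following is an added example, not code from the article or from any product it mentions: a minimal decision function that checks a short-lived, identity-bound session assertion instead of a stored password (continuous verification), maps each verified identity to the smallest set of actions it needs under stated conditions (least privilege), and only permits a request from a device inside the segment the resource belongs to (microsegmentation). The assurance levels, policies, device-to-segment table and sample requests are all constructed for illustration.

```python
"""Constructed zero-trust policy decision point (example only; not the
article's or any vendor's code). Every call to decide() re-evaluates the
request from scratch: nothing is trusted from an earlier decision."""

from dataclasses import dataclass
import time

# Constructed identity assurance levels: how the person behind the
# session was verified. Device biometrics or a shareable passkey only
# prove possession of a device, not identity, so they map to level 0.
IAL_AUTHENTICATED_ONLY = 0
IAL_DOCUMENT_VERIFIED = 2   # identity proven against a passport or licence


@dataclass
class SessionAssertion:
    """Short-lived, identity-bound assertion presented with each request.
    It replaces a stored password: once it expires, the user must verify
    again, so there is nothing long-lived for a thief to find and reuse."""
    subject: str
    assurance: int
    device_id: str
    issued_at: float
    ttl_seconds: int = 300

    def is_fresh(self, now: float) -> bool:
        return self.issued_at <= now < self.issued_at + self.ttl_seconds


@dataclass
class Policy:
    """Least-privilege grant: the smallest action set a subject needs on a
    resource, the assurance it must present, and the segment the resource
    lives in."""
    allowed_actions: frozenset
    min_assurance: int
    segment: str
    business_hours_only: bool = False


# Constructed policy table keyed by (subject, resource).
POLICIES = {
    ("alice", "payroll-db"): Policy(frozenset({"read"}), IAL_DOCUMENT_VERIFIED, "finance"),
    ("bob", "payroll-db"): Policy(frozenset({"read", "write"}), IAL_DOCUMENT_VERIFIED,
                                  "finance", business_hours_only=True),
}

# Constructed microsegmentation map: which segment each managed device sits in.
DEVICE_SEGMENT = {"laptop-a1": "finance", "phone-b7": "guest-wifi"}


def decide(assertion: SessionAssertion, resource: str, action: str, now: float):
    """Return (allowed, reason) for one access request. Checks are ordered
    cheapest-first; any single failure denies the request."""
    # Continuous verification: the assertion must be current, not merely present.
    if not assertion.is_fresh(now):
        return False, "session assertion expired or not yet valid"
    policy = POLICIES.get((assertion.subject, resource))
    if policy is None:
        return False, "no policy grants this subject access to the resource"
    # Identity verification, not just authentication, is required.
    if assertion.assurance < policy.min_assurance:
        return False, "identity not verified to the required assurance level"
    # Least privilege: only the explicitly granted actions are permitted.
    if action not in policy.allowed_actions:
        return False, "action outside the subject's least-privilege grant"
    # Microsegmentation: the device must sit in the resource's segment.
    if DEVICE_SEGMENT.get(assertion.device_id) != policy.segment:
        return False, "device is outside the resource's segment"
    # Contextual condition: some grants apply only during business hours (UTC).
    if policy.business_hours_only and not 8 <= time.gmtime(now).tm_hour < 18:
        return False, "grant is limited to business hours"
    return True, "allowed"


if __name__ == "__main__":
    now = time.time()
    alice = SessionAssertion("alice", IAL_DOCUMENT_VERIFIED, "laptop-a1", now - 10)
    print(decide(alice, "payroll-db", "read", now))
    print(decide(alice, "payroll-db", "write", now))
```

Each deny reason is deliberately distinct so that a logging or detection pipeline can count, for example, how often requests arrive with expired assertions or from devices outside their segment, which is where a misconfigured segment or a replayed session shows up first.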

Key Elements of Zero Trust

A key factor in building an effective zero-trust framework is ensuring that it supports a wide range of technologies, standards, and tools. This includes things like biometrics, hardware tokens, mobile authenticators, and behavioral analytics.

However, this is only a starting point. A passwordless system must also handle identity and access management (IAM) for a variety of applications and systems across both legacy and cloud environments. Some of these systems will continue to use passwords and multifactor authentication, and some will not.

It is also important to advance the technology infrastructure while providing value to everyone, and to keep things simple for users, including customers, employees, and business partners. For one thing, there is minimal patience for tools and technologies that are cumbersome and overly complex. For another, it is not possible to force everyone to authenticate in the same way, such as with a smartphone.

All of this points to another key element of zero trust: the need to move beyond simply authenticating users and, instead, verify their identity at the time of authentication. Getting to this more advanced space requires a strong focus on biometrics and identity verification – which uses documents like a passport or driver’s license to guarantee that the person creating or accessing an account is who they say they are.

With a separate identity authentication layer, an organization can swap in new software, change a VPN provider and combine legacy and cloud authentication tools without business disruption. All of this can happen without end users knowing what’s happening under the hood.

Cracking the Code

The ultimate goal is to replicate the level of trust that exists in the physical world – while giving users the freedom to use the documents, tools, and applications that work for them. It is important to integrate IAM with existing systems and infrastructure, address potential user resistance to unfamiliar authentication methods, offer strong security without sacrificing user experience, and release continuous updates to stay ahead of sophisticated threat actors.

Organizations that effectively assemble all the pieces of the puzzle can use passwordless authentication to take security to the zero-trust level. This makes it possible to support the mission of the business while staying ahead of constantly changing risks, threats and dangers, and it serves as the foundation for building a well-equipped security framework for the digital enterprise.

The Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs, and technology executives.