For many businesses and organizations, the term 'authentication' is synonymous with 'password' or 'multi-factor authentication (MFA)’. However, because today's business ecosystem is complex and stretches across distributed workforces with work from home, BYOD policies, and multiple cloud environments, it is very challenging to efficiently recognize and authenticate identities of people, processes, and devices throughout the enterprise using traditional methods.
The problem with passwords
For starters, people tend to forget passwords. To make passwords easier to remember, users may store their passwords in a vulnerable file, create passwords using a consistent pattern, or use the same password again and again.
If a password is uncovered on one service or from an unprotected spreadsheet, a bad actor could use that same password to access a high-value network, maybe a corporate service or a bank account.
Technical problems with password security
Not only are passwords easy for today’s hackers to steal, they offer a poor user experience
Not only are passwords easy for today’s hackers to steal, they offer a poor user experience and can be a burden to help desks workers. Password security also suffers from a legion of technical problems.
For example, if a connected device machine has been infected with screen scraper malware, the malware can gather all visible data, including passwords, and send them back to the bad actor. Captured passwords are commonly sold and purchased in the underground economy, which can lead to a wide range of security problems.
The modern way to authenticate - Public Key Infrastructure (PKI)
If passwords are too easily intercepted, what is the best certificate authentication approach?
The answer is Public Key Infrastructure (PKI)-based authentication, the better option, because it eliminates the password and reduces the time to authenticate. There is no stronger, easier-to-use authentication and encryption solution than the digital identity provided by PKI. Rather than secret-sharing, PKI uses certificates that do all the work behind the scenes, thereby eliminating the burden on users and the human-error accompaniment.
PKI works by using an asymmetric cryptographic key pair, consisting of a private key and a public key. These keys function as a pair using incredibly complex cryptographic algorithms to protect identities and data from unauthorized access or use.
Public key
The public key consists of a long string of apparently random numbers and is used to encrypt a message. This encrypted message can only be decrypted by the associated private key, which is also made of a long string of numbers. This private key is a secret key and is never shared.
The key pair is mathematically related, so that whatever is encrypted with a public or private key, can only be decrypted by its corresponding counterpart.
Private key
The private key is embedded inside the device, on which it sits - on every laptop, phone, IoT device, server and email client
The private key is embedded inside the device, on which it sits - on every laptop, phone, IoT device, server and email client. Whenever possible, the private key is stored in a TPM or hardware security module, protecting it from discovery, even if the device is infected with malware or compromised by a hacker.
Additionally, the private key would take decades to brute force and the result is that attack attempts fail.
The connection between security and usability
There is a dynamic relationship between security and usability - the more you try to up the ante on password-based security, the more difficult it becomes to use. The best security investment is one that can be easily deployed and enthusiastically used by employees.
Using PKI authentication is both rock solid and seamless to end users. Digital certificates can be easily deployed to every employee device and system using automated tools. Wouldn't it be better and simpler to not have to type in passwords and instead be automatically authenticated and granted proper access?
PKI takes us from the stone age of user names and passwords to a better authentication experience.