For as long as organizations have used the internet to conduct business, online security threats such as phishing emails, credential theft and malware attacks have been an unfortunate and ever-present shadow over their digital operations. One of the foundational defenses against these threats has been the implementation of user authentication strategies. Quite simply, these involve any authorized user taking some action to prove they are who they claim to be. Once authenticated, they are granted access to the system and are free to carry out their responsibilities.
Over the years, these authentication methods have evolved to offer better security, but not always a better user experience. Today, however, a new approach satisfies both. To understand how it manages that, let’s take a look at how authentication methods have evolved over time.
The Problem With Passwords
In the beginning, passwords were the primary method of authentication. They were, and continue to be, a less-than-optimal method. They are often predictable enough for attackers to guess, providing an easy entryway into a network. They also offer a poor user experience, requiring users to try – and often fail – to remember what string of letters, numbers, and perhaps special characters they originally used to form the password.
To improve on this method, a second factor was added to passwords. This development came in various forms, each requiring the user to take an additional action. These included SMS text messages, one-time passwords (OTP) that are good only for a single login session, or push notifications, which are sent to an app on a user’s phone.
The good news here was that security was enhanced. The bad news was that it introduced a new layer of complexity to the user experience, often creating confusion and frustration for the unfortunate employee who was just trying to get in and do their work. Add to this that the extra security was nowhere near enough to prevent widespread phishing attacks and other costly corporate network breaches, and it was clear there was still work to be done.
Zeroing in on Zero Trust
In response to such dangers, the U.S. government has, in the last few years, pressed forward with a zero-trust strategy, which prohibits the use of SMS, OTP and push notifications. This phasing out of old MFA factors has raised the bar on security.
This leaves public key passwordless authentication as the only solution that will work under the zero-trust approach. It succeeds for a number of reasons: it involves no shared secret (a password or OTP) with a remote service, which is something a user can forget or leak to outsiders; it is cryptography-based, making it exceedingly strong; and while it still uses a form of MFA, such as biometrics or a PIN, that factor is only needed to unlock the passwordless authentication device locally and is never sent to the service.
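The challenge-response flow behind this, as an added illustration that is not WinMagic’s or MagicEndpoint’s code: the service stores only the user’s public key and checks a signature over a fresh nonce, so a copy of its database yields no secret an attacker can replay. The RelyingParty and Device types and the PIN comparison are constructed placeholders for the remote service and the locally unlocked authenticator.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// RelyingParty models the remote service: it holds only public keys and short-lived nonces.
type RelyingParty struct {
	users      map[string]ed25519.PublicKey // a breach of this table yields no reusable secret
	challenges map[string][]byte            // one outstanding nonce per user
}
func NewRelyingParty() *RelyingParty {
	return &RelyingParty{map[string]ed25519.PublicKey{}, map[string][]byte{}}
}
// Register stores the user's public key; the private key never leaves the device.
func (rp *RelyingParty) Register(user string, pub ed25519.PublicKey) { rp.users[user] = pub }
// Challenge issues a fresh random nonce to sign (even for unknown names, to avoid enumeration).
func (rp *RelyingParty) Challenge(user string) ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	rp.challenges[user] = nonce
	return nonce, nil
}

// Verify checks the signature over the pending nonce and consumes it, so replays fail.
func (rp *RelyingParty) Verify(user string, sig []byte) bool {
	nonce, pending := rp.challenges[user]
	delete(rp.challenges, user)
	pub, known := rp.users[user]
	return pending && known && ed25519.Verify(pub, nonce, sig)
}

// Device models the authenticator; the PIN unlocks the key locally (placeholder check) and is never sent.
type Device struct{ priv ed25519.PrivateKey; pin string }
func NewDevice(pin string) (*Device, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	return &Device{priv, pin}, pub, err
}

// Sign answers a challenge; only the signature over the nonce leaves the device.
func (d *Device) Sign(pin string, nonce []byte) ([]byte, error) {
	if pin != d.pin {
		return nil, errors.New("local unlock failed")
	}
	return ed25519.Sign(d.priv, nonce), nil
}
```

Note that Verify deletes the nonce before checking the signature, so a response captured on the wire is useless after the first use, and a second device holding nothing but the server’s public-key table cannot produce a valid one.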
A main tenet of zero trust, however, is “never trust, always verify,” which would require a user to be constantly verifying themselves – a very poor user experience indeed. So we are left with a solution that has significantly improved security but is still lacking in user experience.
That leads us to the latest, and perhaps most important, development in the authentication journey. Enter WinMagic’s MagicEndpoint solution. Like passwordless authentication, it is public key-based. The difference is that it enables the endpoint itself to continually verify the user. No user action is required, which relieves employees of the burden of constant manual verification.
The destination that MagicEndpoint has led us to, therefore, is the one we’ve all been waiting to reach on the authentication journey: iron-clad security coupled with a great user experience.
Learn how WinMagic can help your organization leverage this exciting new approach to information security.