Phishing-Resistant Identities

Passkeys are cryptographic key pairs used to authenticate users into various applications. A public key is stored on the application server and a private key is stored on the user’s device. Passkeys use Bluetooth to communicate between the user’s phone (FIDO authenticator) and the device from which the user is trying to authenticate. Bluetooth requires physical proximity, providing a phishing-resistant way to leverage the user’s phone during authentication.

FIDO tokens are physical keys like USBs, which are plugged into the desktop. In some of them, there is also a place for scanning your fingerprint as a second factor of authentication. The key contains encrypted information that authenticates user identity when plugged in. The user is automatically logged into the system as well as gains access to all applications in a single session.

Certificate-based authentication (CBA) provides the highest assurance with respect to security and the best user experience in terms of passwordless login capabilities. With CBA, you can provision a digital certificate onto the user’s phone (mobile smart credential), transforming it into their trusted workplace identity. With Bluetooth/NFC capabilities, as the user walks toward the workstation, a connection is established between the user’s phone (where the smart credential resides) and the desktop. There can be two options to passwordlessly log in from here – either the system gets unlocked when the user is asked to provide their fingerprint/Face ID on the smartphone, or the desktop prompts the user to enter a PIN to login. Both ways do not require any passwords. In the same session, the user can also connect securely with a remote desktop and SSH. In addition to issuing a certificate for a user, assigning certificates to the devices used by a user ensures a higher level of security when authenticating and accessing resources. This ensures that not only is the user verified and authorized but also the device from which they are accessing a resource is verified and authorized, ensuring a high level of assurance.

Adding risk assessment to the authentication process is a key requirement of any mature Zero Trust framework and helps provide a greater level of security while also allowing for a better user experience, by only adding friction in the authentication process when required. Evaluating the risk score with contextual information such as time-of-day/day-ofweek login, travel velocity, IP address, and behavioral biometrics allows for a more accurate assessment of the validity of an authentication request and protection against fraud. If risk levels exceed a pre-defined threshold, challenge the user to authenticate via a configured 2nd MFA authenticator or block access in case of extremely high risk scores. RBA is also useful in ensuring highvalue transactions are secured with an additional layer of security.

Combining CBA and RBA with single sign-on allows for seamless but secure access to applications and services once authenticated. SSO helps protect against password fatigue and reuse, combined with orchestration and automation of user and app provisioning, which streamlines the onboarding and offboarding process by ensuring admins can easily activate or deactivate users based on their role and permissions.

With the number of devices easily exceeding the number of users and the explosion of the IoT space, ensuring organizations have visibility into which devices users are using to connect into their network is critical to further securing access to critical resources and data. Managing device identities through a centralized, easy-to-use certificate lifecycle management tool helps with better control, compliance, and governance.