What is Modern Authentication?
-
Loading... - Josue Lagos
- 29 Jun 2022
- 128 Views
- 0 Like
- 0 Comment
Modern Authentication is becoming a key element in IAM security, as well as a foundational pillar of Zero Trust security. More than 80% of all data breaches start with a compromised or stolen identity, according to the Verizon 2021 Data Breach Investigations Report. While traditional authentication continues to play a key role in reducing data breaches, it needs to be enhanced for the demands of today’s remote work economy and the evolutions that have brought us into the digital transformation. Modern Authentication is complementing legacy authentication as the way to not only verify a user’s identity but maintain a zero-trust environment, so they can only access what they need while maintaining security and convenience.
Let’s look at the advent of Modern Authentication and what it means for the IAM space.
The Challenge of Legacy Authentication
What is legacy authentication?
Legacy authentication is primarily authentication that relies on legacy protocols such as Kerberos and RADIUS to protect the traditional network perimeter. Legacy authentication was not designed to support authentication to cloud and web-based services and apps, which rely on modern protocols such as SAML and OICD. Legacy authentication is the traditional way of authenticating, using only a username, password, and IP address. It is typically used in HTTP-based. Once authenticated, the user can access all systems, protocols, and information protected by that password.
What are the problems with legacy authentication?
- Legacy authentication may sound effective and efficient – and it has been effective in protecting traditional on-prem network perimeters. But behind an uncomplicated login process lie serious concerns.
- Passwords are weak. Many are still using “password” or something easily guessed, like an email account. Also, many passwords have been compromised in highly publicized breaches and are now floating around dark web forums – for sale or free. And while good security hygiene dictates you should not reuse your password across platforms and applications, many do.
- Users face authentication burnout. As devices proliferate, legacy authentication can be burdensome. As Asaf Lerner, IAM Market Owner at Thales, says: The multitude of end devices, locations, applications, and roles means that a single user will likely need more than one way of accessing the range of apps they need throughout their day. The challenge now is to effectively support multiple user authentication journeys to achieve secure remote access without burdening your end-users.
- Legacy authentication can’t keep up – especially in the cloud. Protocols like RADIUS-based Multifactor Authentication (MFA) have their limitations: they’re great for on-prem legacy apps residing in data centers, but what do you do for the cloud? Today’s complete end-user journey often leads to or through off-prem data centers, and access controls like MFA often don’t meet the authentication needs of cloud-based apps that rely on SAML, OICD, and OATH.
- And the biggest problem is that legacy authentication is static. It authenticates the individual at a certain point in time and once authenticated, the person can access all systems and data they are entitled to. There are no limits or controls, and the process isn’t risk-based. What happens if the same person changes location or network? How can we verify their identity continuously beyond any reasonable doubt? How do you enable multiple user authentication journeys without disrupting the user experience? These are the problems Modern Authentication solves.
Modern Authentication and Why We Need It
What is Modern Authentication?
Modern Authentication is an umbrella term for a multi-functional authorization method that ensures proper user identity and access controls in the cloud. Thales says this includes:
- The use of modern federation and authentication protocols establish trust between parties. These include SAML, OICD, and OAuth.
- The ability to make continuous risk assessments and enforce access policies, leveraging evolving standards such as CAEP.
- Reliance on new authentication methods such as passwordless, Fast Identity Online (FIDO), biometrics, and adaptive authentication.
Modern Authentication is based on the following tenets:
- Continuous Authentication: This allows a user’s journey to be authenticated from start to finish, such as during an online banking session or ATM transaction. This involves a risk engine gathering data on the user (location, device, keyboard cadence) and analyzing it against how they normally act to verify their identity in real-time.
- Adaptive Authentication: This type of authentication builds off what is already known about the user to “shortcut” the verification process by allowing those who fit a low-risk profile to enter and providing additional requirements to those who don’t; for example, a login attempt in Alaska when all employees are in Denver. Stricter requirements may also be asked of those with access to more sensitive information.
- Attribute-Based Access Controls: NIST says access is determined “by matching the current value of subject attributes, object attributes, and environment conditions with the requirements specified in access control rules”. In other words, the characteristics surrounding the user must match those within the access control rules.
Why do we need Modern Authentication?
Authenticate in the cloud.
Modern Authentication spells the difference between authenticating to on-premises vs. cloud apps. We need it because traditional authentication protocols such as RADIUS were developed for traditional legacy apps and networks, but cannot be used to federate between IDPs and cloud apps. Also, the use of adaptive authentication cuts authentication fatigue from users having to log onto dozens of cloud services. MFA by itself, while secure, would be too burdensome.
Role-based access controls.
Legacy authentication is effective at easily authenticating the end-user but, in doing so, gives unlimited access to whoever has the key. Modern Authentication protects the cloud by defining what those users can do once inside and where those permissions end. It customizes user-based security controls across platforms and streamlines your access approach. Read More...
