Norton LifeLock, a multinational company known for its identity protection and cybersecurity services, notified customers in mid-January that over 6,000 customer accounts had been compromised as a result of a credential “stuffing” attack. Stuffing attacks occur when previously compromised passwords are used to gain access to accounts on other sites and services where the same passwords were reused. Gen Digital, the parent company of Norton LifeLock, shared a data breach notice with the customers whose accounts were hacked; it stated that “in accessing your account with your username and password, the unauthorized third party may have viewed your first name, last name, phone number, and mailing address”.
The 2023 Specops Weak Password Report states that 83 percent of compromised passwords satisfy the password length and complexity requirements of regulatory password standards such as NIST, PCI, ICO (for GDPR), and others. The study also states that 88 percent of passwords used in successful attacks were 12 characters or fewer, with eight characters being the most common length (24 percent). This shows that using passwords that merely comply with security regulations isn’t enough.
The negative implications of weak passwords and poor password hygiene have been topics of discussion for quite a long time. But it appears that even the largest companies in the world are not enforcing secure password policies, leaving them vulnerable to phishing, credential stuffing, and brute force attacks.
The Growing Demand for Passwordless Authentication
Password vulnerabilities and an upsurge in credential-based attacks necessitated the development of a new, password-free authentication method. This is where passwordless verification comes into play. As the name implies, passwords are entirely eliminated from the authentication procedure. To authenticate people and devices, it instead employs safer, more transient methods such as one-time passwords (OTPs), magic links, biometrics, and public key infrastructure (PKI).
These techniques are far more user-friendly and secure than password-based authentication because they do not require the creation or use of passwords. Because expensive password managers and specialized helpdesk staff are no longer needed to deal with password resets, they can also help reduce operating expenses.
Alternatives to Passwordless Authentication
- PKI-Based or Certificate-Based Authentication: In this type of authentication, digital certificates are used to identify (or verify) a user, machine, or device before granting access to a resource, network, application, service, and more.
- Two-Factor Authentication: With two-factor authentication (2FA), users must enter exactly two verification factors to gain access to the network.
- Multi-factor Authentication: Users must present multiple verification credentials when using multi-factor authentication (MFA) to authenticate devices.
- Biometric Authentication: To access a network, biometric authentication involves a fingerprint scan, facial scan, or other biometric data. Although expensive to install, this kind of device authentication is tough to spoof.
What is Certificate-Based Authentication?
Certificate-based authentication, also referred to as PKI-based authentication, uses a digital certificate to identify or verify a user, machine, or device before granting access to a network, application, service, or resource. More specifically, the digital certificate uses cryptography and a public key to prove the authenticity of the user, machine, or device to enable trust.
Access is restricted to authorized users and machines exclusively through the use of certificate-based authentication, which also guards against rogue machines and unauthorized users. More importantly, it can be used in place of passwords or as a component of multi-factor authentication strategies.
Common use cases for certificate-based authentication include:
- Identifying users or employee laptops to permit access to corporate email, intranets, Wi-Fi networks, or VPNs
- Identifying servers to enable mutual authentication and secure server-to-server communications
- Identifying and accessing connected IoT devices in the field that need to communicate with back-end services
How Certificate-Based Authentication Works
With certificate-based authentication, servers can be configured to utilize digital certificates and single sign-on (SSO) to authenticate a machine, user, or device. The authentication process is carried out through the interaction of public keys, private keys, digital certificates, and Certificate Authorities (CAs). More specifically, a digital certificate from a trusted Certificate Authority (CA) is issued in the name of a user, device, or machine and provisioned to, and bound to, that user, device, or machine.
Each digital certificate corresponds to a key pair made up of a public key and a unique matching private key. The private key is kept secret, while the public key is embedded in the certificate and shared externally. Greater security throughout the authentication process is ensured because each private key is specific to an individual user, machine, or device. Furthermore, digital certificates are digitally signed by a third party (the CA) who attests to the legitimacy of the machine, device, or user.
Because public key infrastructure (PKI) offers a framework and infrastructure to safeguard data, authenticate user and device identities, and assure that data remains intact and authentic, it enhances trust on the internet. PKI lets you confirm the legitimacy of people, devices, and services using digital certificates. These certificates can be used for both public-facing applications and websites as well as for private internal services (e.g., to authenticate devices connecting to your VPN, Wi-Fi, etc.).
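The interaction of public keys, private keys, digital certificates and the CA described above, shown as an added example in Go (this is not code from the original post or from AppViewX). A constructed in-memory CA issues certificates, and the verifier authenticates a client in two steps: it checks that the presented certificate chains to a CA it trusts, is within its validity period and is permitted for client authentication, and then checks that the client can sign a fresh challenge with the private key matching the certificate's public key, the same proof of possession a TLS handshake performs in its CertificateVerify message (which is also how the mutual authentication mentioned later on this page works). The scenario also shows the refusals a verifier must make: a certificate from an untrusted CA carrying the same subject name, an expired certificate, and a copy of a legitimate certificate presented by someone who does not hold its private key. All names are constructed, and the serial allocation and challenge format are illustrative rather than any product's implementation.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Identity pairs a certificate with the private key bound to it; only the certificate is ever shown.
type Identity struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

func must(err error) { // setup failures (key generation, encoding) are outside the scenario
	if err != nil {
		panic(err)
	}
}

// issue generates a P-256 key pair and a certificate for cn signed by issuer (self-signed when nil).
func issue(issuer *Identity, cn string, isCA bool, notAfter time.Time) *Identity {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // stands in for a real serial allocator
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-2 * time.Hour),
		NotAfter:              notAfter,
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if isCA { // a CA key signs certificates; it never logs in anywhere itself
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageCertSign, nil
	}
	if issuer == nil { // root CA: the template signs itself
		issuer = &Identity{Cert: tmpl, Key: key}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer.Cert, &key.PublicKey, issuer.Key)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return &Identity{Cert: cert, Key: key}
}

// Authenticate is the verifier's half: cert must chain to a trusted CA, be valid now and allow client
// authentication, and sig over nonce must verify under the public key carried in cert.
func Authenticate(roots *x509.CertPool, cert *x509.Certificate, nonce, sig []byte) (string, error) {
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return "", fmt.Errorf("certificate not trusted: %w", err)
	}
	if err := cert.CheckSignature(x509.ECDSAWithSHA256, nonce, sig); err != nil {
		return "", fmt.Errorf("proof of possession failed: %w", err)
	}
	return cert.Subject.CommonName, nil
}

// Login plays one exchange: the verifier is shown presented, and holder answers the challenge by
// signing the nonce, the proof of possession a TLS handshake performs in CertificateVerify.
func Login(roots *x509.CertPool, presented *x509.Certificate, holder *Identity) (string, error) {
	nonce := make([]byte, 32) // verifier side: fresh per login, so a captured answer cannot be replayed
	_, err := rand.Read(nonce)
	must(err)
	digest := sha256.Sum256(nonce) // client side: only the matching private key can produce this
	sig, err := ecdsa.SignASN1(rand.Reader, holder.Key, digest[:])
	must(err)
	return Authenticate(roots, presented, nonce, sig)
}

// RunScenario issues certificates from a trusted and a rogue CA and tries four logins.
func RunScenario() (accepted string, rogueCARejected, expiredRejected, wrongKeyRejected bool) {
	day := time.Now().Add(24 * time.Hour)
	ca := issue(nil, "Example Corp Device CA", true, day) // constructed names throughout
	rogue := issue(nil, "Rogue CA", true, day)
	alice := issue(ca, "alice", false, day)
	impostor := issue(rogue, "alice", false, day) // same name, untrusted issuer
	expired := issue(ca, "bob", false, time.Now().Add(-30*time.Minute))
	roots := x509.NewCertPool() // the verifier trusts only the corporate CA
	roots.AddCert(ca.Cert)
	accepted, err := Login(roots, alice.Cert, alice)
	must(err)
	rejects := func(presented *x509.Certificate, holder *Identity) bool { // true when the verifier refuses
		_, err := Login(roots, presented, holder)
		return err != nil
	}
	// Refused: untrusted issuer; expired; alice's public certificate presented without her private key.
	return accepted, rejects(impostor.Cert, impostor), rejects(expired.Cert, expired), rejects(alice.Cert, impostor)
}

func main() {
	fmt.Println(RunScenario())
}
```

Run it with go run; it prints the accepted subject name followed by three true values. In a deployment the challenge/response is carried by TLS client authentication rather than a custom exchange, and a production verifier would also consult revocation status (CRL or OCSP), which this example omits.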
Organizations can help ensure that only authorized users and workers have access to critical information and company resources by implementing an effective passwordless authentication solution, such as using public key infrastructure certificates on hardware tokens, smartcards, or provisioned directly on a device.
Benefits of Certificate-Based Authentication
While authentication methods, like a one-time password (OTP) and biometrics, are applicable to humans only, digital certificate-based authentication can be used for all endpoints, including users, machines, devices, and the Internet of Things (IoT). Certificate-based authentication is also ideal for closed-loop systems where user authentication and intervention are not possible.
The primary benefits of certificate-based authentication include:
1. Streamline authentication: Password credentials are based on terms or phrases created by the end user. Certificate-based authentication eliminates the need to create complicated or difficult-to-remember passwords, which minimizes the use of insecure password practices. Access to privileged services and websites is made simpler for authorized users when employees don’t have to recall passwords. Additionally, this lowers the expense of IT assistance and employee frustration. Certificate-based authentication is also extensible to external users where certificates can be issued to users outside the organization who might need access to the network, such as independent contractors, partners, vendors, and freelancers.
2. Better access control: To lower the risk of exposure, organizations should limit resource access to only the devices and users who need them. Certificate-based authentication can safeguard those networks and applications that are crucial and sensitive by leveraging permissions and policies to control which machines and users can access them. By mandating that all users and devices authenticate using certificates rather than or in combination with passwords, certificate-based authentication assists businesses in achieving Zero Trust architecture.
3. Increased security: Authentication methods that rely solely on traditional username and password combinations are among the least secure. These passwords are frequently simple to guess and are stored insecurely, such as written down on sticky notes or saved in spreadsheets. Certificate-based authentication is a far more secure method of authentication that allows you to go passwordless. By doing away with passwords, you also reduce the likelihood of phishing or brute-force attacks. Multi-factor authentication can also be achieved using certificates in conjunction with a Trusted Platform Module (TPM), token, or smartcard, for example. Certificates can also be used for mutual authentication, which identifies both parties engaged in a transaction. Mutual authentication using certificates can be used for secure machine-to-machine or server-to-server communications.
4. User-friendly: Generating and memorizing innumerable passwords is not a sustainable option. It is human to forget passwords, and therefore users try to find the shortcut to it, like adding easy-to-remember passwords, using the same password for multiple websites and applications, or saving the passwords in documents, all of which are security risks. By employing certificate-based authentication, you can increase efficiency and provide a better user experience by eliminating the need to set, reset, and remember passwords. Digital certificates are unique to each user and are subject to stringent authentication and authorization processes via PKI.
5. Easy to deploy: The common format for public key certificates, X.509 digital certificates, is natively supported by many enterprise applications, hardware devices, and networks. Certificates can be deployed directly onto a device and do not require the use of additional hardware. Using a certificate lifecycle management solution, you can automate the management, provisioning, and installation of certificates onto devices silently, without end-user involvement. Again, this improves the user experience and makes certificate-based authentication an effective solution to roll out enterprise-wide. As a result, you can implement certificate-based authentication for many common use cases, such as authenticating to Wi-Fi, VPN, Windows logon, Google Apps, Salesforce, SharePoint, SAP, and access to remote servers via portals like Citrix or SonicWALL, with only a few configuration modifications.
How AppViewX Can Help
IT teams need to validate and authenticate countless identities within their organization on a daily basis, whether they are identities for machines, devices, or humans. Certificate-based authentication and PKI have proven to be an effective method especially as the number of machine identities has surpassed the number of human identities.
AppViewX CERT+ is a ready-to-consume, scalable, and efficient certificate lifecycle management (CLM) solution to effectively automate and manage machine and application identities as an integral part of your cybersecurity strategy. The powerful automation capabilities of CERT+ allow you to manage and provision digital certificates used for certificate-based authentication at scale and for every endpoint.
AppViewX PKI+ allows organizations to quickly and easily set up a secure, scalable, and compliant private PKI in the cloud. Organizations can then provision identities (private trust certificates) to all of their essential endpoints and efficiently implement enterprise-wide certificate-based authentication.
Talk to an AppViewX expert today or request a live demo to learn more!