Zero trust networks and the end of the password

Stuart Corner

Passwords have been an integral part of the online world since the information technology industry was born more than half a century ago.

They were first used at the Massachusetts Institute of Technology in the mid-1960s and are still almost universal – and don’t look to be going anywhere soon.

For its The State of Zero Trust Security in Asia Pacific 2021 whitepaper, cyber security company Okta surveyed 300 senior security decision-makers at Asia Pacific companies across multiple industries.

It found that no organisations had implemented passwordless access, and only 10 percent intended to do so within the next two years.

Passwords are not the answer they once were

However, there are many problems with passwords, and these are highlighted by the growing adoption of zero trust frameworks, says Okta Asia Pacific chief security officer Ben King.

“Zero trust frameworks throw away the idea of an internal ‘trusted’ network versus an external ‘untrusted’ network,” Mr King said.

“The concept was to have a defensible perimeter to separate the good from the bad – that concept has proven to be impossible to implement.”

This means all access controls must be extremely robust, because they now have to protect valuable assets that were previously shielded by perimeter controls. These access controls must know who is requesting access, how they are requesting it, and what they want to access.

In a zero trust model, a single means of user identification and authentication — password or another — does not provide adequate security. At least two are required but neither needs to be a password.

Access controls in a zero trust environment must verify the individual, determine whether they are trying to access from a trusted or untrusted device and check what that person from that device is allowed to access, or change.

“In zero trust we talk about a policy-driven decision engine”, Mr King says.

“Every organisation can define its own access policies, but the decision framework is the same. Then we wrap it all up with logging, monitoring and behavioural analytics.”

Increasingly artificial intelligence is being used to detect behavioural variations that could signal unauthorised access attempts.

“If I’m trying to log on in the middle of the night from Ukraine, that would be abnormal behaviour, so we’d block access,” Mr King says.
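The policy-driven decision engine described above, written out as an added illustration (not Okta's code or any product's logic): it checks who is asking (at least two factor classes, none of which has to be a password), how they are asking (trusted or untrusted device), what they may access or change, and whether the request matches the user's usual behaviour, then logs every decision. The policy table, behavioural baseline and factor-class mapping are constructed assumptions.

```python
from dataclasses import dataclass

# Factor classes from the article: something you know / have / are (mapping assumed).
FACTOR_CLASS = {"password": "know", "pin": "know", "token": "have",
                "device_cert": "have", "fingerprint": "are", "face": "are"}
# Constructed policy: resource -> action -> (roles allowed, trusted device required).
POLICY = {
    "payroll": {"read": ({"finance", "admin"}, True), "change": ({"admin"}, True)},
    "wiki": {"read": ({"staff", "finance", "admin"}, False)},
}
# Constructed behavioural baseline per user: usual countries and usual local login hours.
BASELINE = {"alice": {"countries": {"AU"}, "hours": set(range(7, 20))}}
AUDIT_LOG = []  # every decision is recorded for monitoring and behavioural analytics


@dataclass
class AccessRequest:
    user: str
    factors: set        # factor names actually presented, e.g. {"token", "fingerprint"}
    roles: set
    device_trusted: bool
    resource: str
    action: str
    country: str
    local_hour: int


def decide(req: AccessRequest) -> list:
    """Return the reasons to deny the request; an empty list means allow."""
    reasons = []
    # Who: two factors of different classes; a password is never required.
    classes = {FACTOR_CLASS.get(f) for f in req.factors} - {None}
    if len(classes) < 2:
        reasons.append("fewer than two factor classes")
    # What: the resource/action pair needs a policy and the user a permitted role.
    rule = POLICY.get(req.resource, {}).get(req.action)
    if rule is None:
        reasons.append("no policy for %s:%s" % (req.resource, req.action))
    else:
        allowed_roles, need_trusted = rule
        if not (req.roles & allowed_roles):
            reasons.append("role not permitted")
        # How: sensitive actions are only allowed from a trusted (managed) device.
        if need_trusted and not req.device_trusted:
            reasons.append("untrusted device")
    # Behaviour: an unusual country or hour for this user is treated as an anomaly.
    base = BASELINE.get(req.user)
    if not base or req.country not in base["countries"] or req.local_hour not in base["hours"]:
        reasons.append("behavioural anomaly")
    AUDIT_LOG.append((req.user, req.resource, req.action, not reasons, tuple(reasons)))
    return reasons
```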

And, as the means to verify the ‘who’ in a zero-trust environment, Mr King says passwords do not provide adequate security.

“They can be lost, found, stolen, phished, socially engineered, written down, shared, re-used or based on common dictionary words which can be brute forced easily.

“Removing passwords strengthens security, if replaced with stronger, more resistant factors. Typically we want something you know, a username or simple PIN; something you have, a device or token; and something you are, a biometric feature such as a fingerprint, or facial recognition.”

He attributes the low uptake of password alternatives to limited resources, familiarity and a misconception that passwords introduce less ‘friction’ into the access process than alternatives.

“With limited budget and limited resources, going passwordless is not the highest priority for many companies. It’s seen as nice to have, but there are perceived to be more pressing issues.”

This is despite strong evidence of the problems caused by password breaches.

According to Verizon’s 2021 Data Breach Investigations Report, in 2020 web applications were the top hacking vector in breaches and compromised passwords were responsible for 89 per cent of web application breaches, either through stolen credentials or brute force attacks.

And 61 per cent of all breaches exploited credential data through brute force attacks, credential stuffing or leaked credential data.

In Australia there could be new incentives to go passwordless.

Australian government agencies will soon be expected to apply multi factor authentication (MFA) to the digital services they provide to the Australian public, as part of a substantive overhaul of the Australian Cyber Security Centre’s Essential Eight Maturity Model.

Mr King described this overhaul as a great step forward, and an opportunity to go passwordless, but said abandonment of passwords in the adoption of multi factor authentication requires industry leadership.

“The public sector is traditionally risk-averse, so I think the benefits of passwordless access need to be demonstrated by some of the more agile organisations in industry.

“As we get more public private partnership, we will see the public sector getting more used to the idea that, if a large bank can run passwordless, why can’t the Australian government?”

This story was produced as part of Okta’s Silver sponsorship of the InnovationAus 2021 Awards for Excellence.
