Modern Authentication
Modern Authentication is becoming a key element in IAM security, as well as a foundational pillar of Zero Trust security. More than 80% of all data breaches start with a compromised or stolen identity, according to the Verizon 2021 Data Breach Investigations Report. While traditional authentication continues to play a key role in reducing data breaches, it needs to be enhanced for the demands of today’s remote work economy and the changes brought by digital transformation. Modern Authentication complements legacy authentication as the way to not only verify a user’s identity but also maintain a zero-trust environment, so users can access only what they need while security and convenience are preserved.
Let’s look at the advent of Modern Authentication and what it means for the IAM space.
The Challenge of Legacy Authentication
What is legacy authentication?
Legacy authentication is primarily authentication that relies on legacy protocols such as Kerberos and RADIUS to protect the traditional network perimeter. Legacy authentication was not designed to support authentication to cloud and web-based services and apps, which rely on modern protocols such as SAML and OIDC. Legacy authentication is the traditional way of authenticating, using only a username, password, and IP address. It is typically used in HTTP-based. Once authenticated, the user can access all systems, protocols, and information protected by that password.
What are the problems with legacy authentication?
Legacy authentication may sound effective and efficient – and it has been effective in protecting traditional on-prem network perimeters. But behind an uncomplicated login process lie serious concerns.
- Passwords are weak. Many users still choose “password” or something easily guessed, like an email address. Also, many passwords have been compromised in highly publicized breaches and are now floating around dark web forums – for sale or free. And while good security hygiene dictates that you should not reuse a password across platforms and applications, many do.
- Users face authentication burnout. As devices proliferate, legacy authentication can be burdensome. As Asaf Lerner, IAM Market Owner at Thales, says: “The multitude of end devices, locations, applications, and roles means that a single user will likely need more than one way of accessing the range of apps they need throughout their day. The challenge now is to effectively support multiple user authentication journeys to achieve secure remote access without burdening your end-users.”
- Legacy authentication can’t keep up – especially in the cloud. Protocols like RADIUS-based Multifactor Authentication (MFA) have their limitations: they’re great for on-prem legacy apps residing in data centers, but what do you do for the cloud? Today’s complete end-user journey often leads to or through off-prem data centers, and access controls like RADIUS-based MFA often don’t meet the authentication needs of cloud-based apps that rely on SAML, OIDC, and OATH.
- And the biggest problem is that legacy authentication is static. It authenticates the individual at a certain point in time and once authenticated, the person can access all systems and data they are entitled to. There are no limits or controls, and the process isn’t risk-based. What happens if the same person changes location or network? How can we verify their identity continuously beyond any reasonable doubt? How do you enable multiple user authentication journeys without disrupting the user experience? These are the problems Modern Authentication solves.
Modern Authentication and Why We Need It
What is Modern Authentication?
Modern Authentication is an umbrella term for a multi-functional authorization method that ensures proper user identity and access controls in the cloud. Thales says this includes:
- The use of modern federation and authentication protocols to establish trust between parties. These include SAML, OIDC, and OAuth.
- The ability to make continuous risk assessments and enforce access policies, leveraging evolving standards such as CAEP.
- Reliance on new authentication methods such as passwordless, Fast Identity Online (FIDO), biometrics, and adaptive authentication.
Modern Authentication is based on the following tenets:
- Continuous Authentication: This allows a user’s journey to be authenticated from start to finish, such as during an online banking session or ATM transaction. A risk engine gathers data on the user (location, device, keyboard cadence) and analyzes it against how they normally act to verify their identity in real time.
- Adaptive Authentication: This type of authentication builds off what is already known about the user to “shortcut” the verification process by allowing those who fit a low-risk profile to enter and providing additional requirements to those who don’t; for example, a login attempt in Alaska when all employees are in Denver. Stricter requirements may also be asked of those with access to more sensitive information.
- Attribute-Based Access Controls: NIST says access is determined “by matching the current value of subject attributes, object attributes, and environment conditions with the requirements specified in access control rules”. In other words, the characteristics surrounding the user must match those within the access control rules.
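The three tenets above combine naturally in one policy decision. The following is an added illustration, not code from the article or from any Thales product: a toy risk engine that scores the login context, applies an attribute-based rule for sensitive resources, and is re-run mid-session when the context changes. The risk signals, thresholds, sensitivity labels and the sample user are all assumed.

```python
from dataclasses import dataclass

@dataclass
class LoginContext:
    user: str
    location: str                # coarse location of the current request
    device_known: bool           # device previously enrolled for this user
    resource_sensitivity: str    # "low", "medium" or "high" (assumed labels)
    usual_locations: frozenset = frozenset()   # where this user normally works

def risk_score(ctx: LoginContext) -> int:
    """Add up risk signals; higher means further from the user's normal behaviour."""
    score = 0
    if ctx.location not in ctx.usual_locations:
        score += 40      # e.g. a login from Alaska when the team works in Denver
    if not ctx.device_known:
        score += 30      # request from an unenrolled device
    return score

def decide(ctx: LoginContext) -> str:
    """Adaptive decision: 'allow', 'step_up' (require a second factor) or 'deny'.
    Thresholds are assumed for illustration only."""
    score = risk_score(ctx)
    if score >= 70:
        return "deny"
    # Attribute-based rule: high-sensitivity resources always need a second factor,
    # regardless of how low the behavioural risk looks
    if ctx.resource_sensitivity == "high" or score >= 30:
        return "step_up"
    return "allow"

def reevaluate(ctx: LoginContext, new_location: str) -> str:
    """Continuous authentication: re-run the policy when the session's context
    changes, instead of trusting the initial login for the rest of the session."""
    moved = LoginContext(ctx.user, new_location, ctx.device_known,
                         ctx.resource_sensitivity, ctx.usual_locations)
    return decide(moved)

# Constructed sample user: an employee who normally works from Denver
ALICE = LoginContext("alice", "Denver", True, "low", frozenset({"Denver"}))

if __name__ == "__main__":
    print(decide(ALICE))                 # allow
    print(reevaluate(ALICE, "Alaska"))   # step_up
```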
Why do we need Modern Authentication?
Authenticate in the cloud.
Modern Authentication spells the difference between authenticating to on-premises vs. cloud apps. We need it because traditional authentication protocols such as RADIUS were developed for traditional legacy apps and networks and cannot be used to federate between IdPs and cloud apps. Also, the use of adaptive authentication cuts the authentication fatigue of users having to log onto dozens of cloud services. MFA by itself, while secure, would be too burdensome.
Role-based access controls.
Legacy authentication is effective at easily authenticating the end-user but, in doing so, gives unlimited access to whoever has the key. Modern Authentication protects the cloud by defining what those users can do once inside and where those permissions end. It customizes user-based security controls across platforms and streamlines your access approach.
In addition to those benefits, Modern Authentication is also:
- Customizable – Access policies can be fine-tuned to a user’s needs and the sensitivity of the data being protected.
- Streamlined – Admins configure all policies at one centralized location (the identity provider). This beats configuring access controls for all apps separately and reduces the possibility that one got missed.
- User-friendly – The identity provider acts as a hub, allowing users to access multiple systems using minimal apps. And it’s convenient because it combines the simplicity of Single Sign-On (SSO) with the granularity of conditional access, allowing for multiple user authentication journeys.
What are the protocols supporting Modern Authentication?
The average employee switches critical applications over 1,000 times per day, and Modern Authentication leverages these time-saving protocols to create a layered, secure, and convenient alternative to basic username/password systems.
SAML. Security Assertion Markup Language (SAML) is used to verify ID and authenticate. It connects the identity provider (which verifies your credentials, such as username and password) to the service provider (the application or office network you are accessing), so that a successful login at the identity provider is accepted by the service provider.
OIDC – OpenID Connect (OIDC) is an authentication layer added over OAuth 2.0 (an authorization protocol). This allows developers to offload the authentication process and responsibility to a trusted agent – in other words, the “Login with Facebook” approach that validates you for other sites.
WS-Federation. Web Services Federation (WS-Fed) is used to verify ID and authenticate across web-based services, allowing you to use Single Sign-On, so you can stay authenticated across different applications within the same browser. Active Directory Federation Services (AD FS) is one implementation of WS-Federation.
OAuth. Open Authorization (OAuth) authorizes (or defines) what a user can do once authenticated. If SAML and WS-Fed are the keys to the car, OAuth represents the rules of the road. For example, using OAuth allows you to sign in to Google and still access compatible sites like Salesforce, Marketo, and Box.
Modern Authentication: Enabling Multiple User Authentication Journeys
The proliferation of cloud and hybrid models combined with the increase in cybercrime has made securing user identities and sensitive information more important than ever. However, one size no longer “fits all”, and legacy authentication can no longer keep up with increasingly complex, cross-platform access demands. Adopting an Identity and Access Management (IAM) strategy with Modern Authentication is key to securing multiple user authentication journeys within your growing ecosystem. An IAM strategy based on Modern Authentication not only allows you to keep track of who accessed sensitive cloud-hosted information, but what information was accessed and how they were verified – while providing custom, role-based access across platforms.
The right access management service can help implement an IAM strategy that will give each user within your organization the role-based privileges they need. By using state-of-the-industry Modern Authentication technologies like MFA, Cloud Single Sign-On (Cloud SSO), and FIDO2, you can achieve a permissions-based, zero-trust model that secures multiple user authentication journeys in the cloud – or within any environment.