Isn’t Passwordless Identity Management the same as Passwordless Authentication? What does removing a password change about access, visibility, and monitoring? It turns out, a lot if done right.
Subtracting Passwords Can Add Immutable Contextual Data and Drive Risk-Based Auth Decisions
The authentication solution implemented by Beyond Identity replaces passwords with fundamentally secure asymmetric-key cryptography (X.509 certificates). The all-important private key is stored in the secure enclave (TPM – Trusted Platform Module) and never leaves the device. But here is where this goes beyond just a highly secure authentication method.
With Beyond Identity’s architecture, a signed package (JWT – JSON Web Token) containing vital device security posture is sent along with the personal certificate in each authentication request. This device security posture data, which is collected at the exact time of login, can be leveraged for adaptive risk-based authorization decisions. Thus, authorization becomes a granular, point-in-time decision that factors the risk of the accessing device at the time of authentication, coupled with the importance of the serving application, or even an elevated-risk transaction within a session. For example, a healthcare app can check that disk encryption on the endpoint is still active, or in the context of a banking application session, in which it is riskier to move money than to check a balance, a re-auth and further scrutiny of the endpoint security posture may be prudent.
Passwordless Identity Management Provides Better Security While Reducing User Friction
More granular session timeouts are recommended by OWASP and NIST to prevent brute force attacks on tokens. The decision on how long to set token timeouts typically balances the user dissatisfaction of reauthenticating along with yet another multi-factor challenge, and the security benefit of setting a short enough session timeout to reduce the window of opportunity for attackers.
With a passwordless identity management system, the decreased session times (as low as zero) come with zero added friction because users do not have to enter/re-enter anything. Even better, when the system seamlessly re-authenticate behind the scenes, it provides a wealth of telemetry data about each transaction. As a result of the increased frequency of authentications, more signals are captured to provide a very accurate picture of the security of your identity-based perimeter.
The data that is collected from every authentication improves the efficacy of several departments within the organization.
In a cloud environment, identity is the new perimeter. Creating a zero-trust authorization environment is simple when you know everything about the individual attempting to access each application each time they attempt to access (since there is no longer a need for long session tokens to reduce user friction). With this data, policies can be much more granular and access can be much more tightly controlled.
The immutable record of every authentication coupled with the security posture of the requesting device is invaluable for compliance and audit teams. It removes the complication of back-end data manipulation to consolidate and correlate user, device, and resource data.
Fine-grained details about each accessing device adds more accuracy to anomaly detection policies and provides robust data for threat hunting and incident investigations.
No passwords means no password resets requests. Also, with Beyond Identity, users can manage their own identities (within policy limits). Thus, users can self-enable their own set of devices or restore credentials when they lose a device, all without IT intervention.
- Onboarding date and time
- Number of devices enabled
- App version
- Device model
- Password protection status
- Biometric enablement status
- Secure enclave status
- Device operating system
- Gatekeeper enablement status
- Firewall enablement status
- Hard drive count
- Hard drive encryption status
- And more
Passwordless authentication is a giant step forward for the industry. In addition to making users happier and reducing password reset costs, it removes passwords from the equation altogether. For enterprise CISOs this takes a giant target off of your back - with no passwords to steal a key attacker motivation is gone. Eliminating passwords removes prominent attack vectors–reusing stolen credentials to gain access and multiple other password-based attacks.
But why stop there. A passwordless identity management solution, like Beyond Identity, provides all the benefits of passwordless authentication plus substantial risk reduction (adaptive risk-based authentication/authorization) and cost reduction. Passwordless identity management is a cornerstone of a ZeroTrust model–especially for modern network architectures where the identity has become the new perimeter.