An overwhelming majority of cyberattacks are based on stolen and misused credentials. Passwords are susceptible to breach, theft, and attack. I often say that attackers no longer need to break in; they simply log in. The 2021 ForgeRock Consumer Identity Breach Report revealed that in 2020 attacks involving usernames and passwords increased by 450% over the prior year, which translates to more than 1 billion compromised records in the US alone. The common weakness behind these attacks is the misuse of valid credentials: the attacker exploits no flaw in the system, but presents a legitimate username and password that belong to someone else. ForgeRock and Beyond Identity have teamed up to address this problem.
Organizations have tried to deal with this threat with multi-factor authentication (MFA). While MFA is more secure than a simple username and password, it does not slam the door on credential attacks, and recently the MFA step itself has become a target. If a password or other shared secret is one of the factors, then adding more factors on top of it does not remove that stealable secret, so you are never fully protected from credential theft. We also should not forget that MFA creates significant user friction, which has limited its penetration within organizations. 451 Research estimates only about 50% adoption, while Forrester finds that 70% of organizations still rely on a password-centric authentication approach.
This has generated increased interest in passwordless authentication. But the market is quickly being confused by the variety of different passwordless claims. Most solutions focus exclusively on the user experience, simply sparing the user from typing a password. The password still exists on the back end, which means it can still be phished, stolen or guessed, and the system is still susceptible to attack. Many passwordless (or is it more appropriate to say password-less?) approaches also create their own friction by requiring a second device or extra steps outside the normal authentication flow. This has led to limited adoption and the continued spread of the credential-based attacks that plague our industry.
With a broader array of users accessing a wider variety of resources across public and private clouds, from a mix of personal and corporate devices, the industry has shifted its focus to the notion of identity as the new perimeter. I believe that even this notion of a perimeter is wrong. A perimeter implies that things inside it are trusted while those outside are not. Authentication should no longer be a one-and-done event where, once authenticated, you are in and free to do as you will.
It’s clear we have to move to a modern approach that eliminates the password altogether while enabling continuous, risk-based authentication founded on the concepts of Zero Trust. We are excited to report that Beyond Identity and ForgeRock are working together to help organizations along this journey with strong authentication that eliminates passwords while providing the building blocks of Zero Trust.
At Beyond Identity we eliminate the password altogether. Leveraging the battle-tested technology of X.509 certificates and TLS, we extend the chain of trust to include the individual and the device. Each endpoint generates an asymmetric key pair inside its secure enclave or Trusted Platform Module (TPM); the private key is stored there and never leaves the hardware, and our cloud service issues a certificate for the corresponding public key, binding it to the user and that device. At login the device signs a challenge with the private key, and the signature is validated against the public key in that certificate, all without any certificate management required on the customer's side. Because there is no shared secret, there is nothing to phish, replay, or reuse from another device. We feel so strongly about the need to eliminate passwords that we offer our passwordless authenticator for free to any ForgeRock customer.
But it goes beyond (pun intended) passwordless authentication. As a platform authenticator we remove the friction of needing a second device or a separate application to log in. And because the authenticator runs on the endpoint itself, it can assess the security posture of the device at the point of login. Here is what we look for:
- Is the device jailbroken?
- Is the local firewall enabled?
- Is biometric authentication enabled on this device?
- Is this device’s storage encrypted?
- Is the expected security software installed and running on the device (e.g. XDR, MDM or UEM)?
Many Zero Trust initiatives treat identity and device signals as separate, independent inputs that are combined with other factors into a risk score. We take that a step further by cryptographically binding the identity to the device, so that the posture of the very device holding the key is evaluated together with the identity it is bound to, as a whole rather than as separate signals. In doing so, we address the two greatest targets of attack: the identity and the device.
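To make that binding concrete, here is an added example (my own illustration, not Beyond Identity's or ForgeRock's code) of the enrollment, challenge and login flow described above, collapsed into one Go program: the device enrolls a public key against a (user, device) pair, the server issues a nonce, the device signs an assertion carrying that nonce and its posture, and the server verifies the signature with the enrolled key before it trusts or evaluates any posture claim. It substitutes an in-memory ed25519 key for a TPM- or enclave-resident key and a raw public key for the X.509 certificate in the text; the user "alice", the device "laptop-01", the posture field names and the error strings are all hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// DevicePosture mirrors the five checks listed in the post; the field names are this example's own.
type DevicePosture struct {
	Jailbroken        bool `json:"jailbroken"`
	FirewallEnabled   bool `json:"firewall_enabled"`
	BiometricsEnabled bool `json:"biometrics_enabled"`
	DiskEncrypted     bool `json:"disk_encrypted"`
	AgentRunning      bool `json:"agent_running"` // the expected XDR/MDM/UEM software is up
}

type Assertion struct {
	User, DeviceID, Nonce string
	Posture               DevicePosture
}

// Server is the relying party: one enrolled public key per (user, device) pair, plus unconsumed nonces.
type Server struct {
	enrolled map[string]ed25519.PublicKey
	nonces   map[string]bool
}

// Enroll binds (user, device) to a public key; only the public half ever crosses the wire.
func (s *Server) Enroll(user, device string, pub ed25519.PublicKey) {
	s.enrolled[user+"|"+device] = pub
}

// Challenge issues a fresh nonce the assertion must echo, so a captured assertion cannot be replayed.
func (s *Server) Challenge() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	n := fmt.Sprintf("%x", b)
	s.nonces[n] = true
	return n
}

// Sign signs the serialized assertion with the device key; in production priv sits in the TPM or enclave.
func Sign(priv ed25519.PrivateKey, a Assertion) (msg, sig []byte) {
	msg, _ = json.Marshal(a) // cannot fail for these fixed types
	return msg, ed25519.Sign(priv, msg)
}

// Authenticate verifies the signature with the key enrolled for the claimed identity+device pair, consumes
// the nonce, then applies the posture policy. Signature first: a posture claim is only worth anything if signed.
func (s *Server) Authenticate(msg, sig []byte) error {
	var a Assertion
	if err := json.Unmarshal(msg, &a); err != nil {
		return err
	}
	pub, ok := s.enrolled[a.User+"|"+a.DeviceID]
	if !ok {
		return errors.New("no enrolled key for this identity/device pair")
	}
	if !ed25519.Verify(pub, msg, sig) {
		return errors.New("signature not from the enrolled device key")
	}
	if !s.nonces[a.Nonce] {
		return errors.New("nonce unknown or already used (replay)")
	}
	delete(s.nonces, a.Nonce)
	return checkPosture(a.Posture)
}

func checkPosture(p DevicePosture) error {
	switch {
	case p.Jailbroken:
		return errors.New("policy: device is jailbroken")
	case !p.FirewallEnabled:
		return errors.New("policy: local firewall disabled")
	case !p.BiometricsEnabled:
		return errors.New("policy: biometrics not enabled")
	case !p.DiskEncrypted:
		return errors.New("policy: storage not encrypted")
	case !p.AgentRunning:
		return errors.New("policy: expected security agent not running")
	}
	return nil
}

func main() {
	srv := &Server{enrolled: map[string]ed25519.PublicKey{}, nonces: map[string]bool{}}
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // generated inside the TPM in production
	srv.Enroll("alice", "laptop-01", pub)
	good := DevicePosture{FirewallEnabled: true, BiometricsEnabled: true, DiskEncrypted: true, AgentRunning: true}
	msg, sig := Sign(priv, Assertion{"alice", "laptop-01", srv.Challenge(), good})
	fmt.Println("login: ", srv.Authenticate(msg, sig)) // <nil>
	fmt.Println("replay:", srv.Authenticate(msg, sig)) // nonce unknown or already used (replay)
}
```

The ordering inside Authenticate is the point. A posture claim edited after signing fails signature verification before the policy ever sees it, a key that was never enrolled for that identity/device pair is rejected even if it signs a perfectly healthy posture, and a second presentation of the same assertion fails on the consumed nonce. Only an honest, enrolled device with an unhealthy posture reaches the policy step, where it is denied for the specific check it failed.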
Beyond Identity integrates seamlessly with ForgeRock via OpenID Connect (OIDC), enabling tight integration without any disruption to your identity infrastructure. Working together we can bring this strong level of authentication to the masses. Join us and see how, together, we can start your Zero Trust journey with the right building blocks and ForgeRock’s sound identity-based architecture.