User and device authentication is a foundational element of an effective zero trust architecture. That’s because zero trust, a cybersecurity architecture that is recommended by the National Institute of Standards and Technology (NIST), ISO Standards, and others, is built on the premise that the identity of any entity on your network should be continuously verified through multi-factor authentication (MFA).
Why focus on authentication in a zero trust framework? Securing access to your resources, no matter what the user or device is accessing, is critical because it lays the foundation for a zero trust environment. The premise is to “never trust, always verify.” If you don’t protect the gateway to your resources and applications, bad actors are able to enter your systems and do as they wish.
Zero trust authentication helps mitigate the risk of a breach by ensuring only approved users and devices are accessing your resources. Zero trust policies also seek to limit lateral movement within the network if a threat actor gains access by continuously validating any user who interacts with your digital assets.
Let’s explore how you can optimize your zero trust program—without impacting productivity.
Authentication is foundational to zero trust
NIST outlines the core concepts and requirements of zero trust authentication, stating, “The system must ensure that the subject is authentic and the request is valid,” and “This implies that zero trust applies to two basic areas: authentication and authorization.” The requirements go further by calling specifically for phishing-resistant MFA.
NIST calls specifically for phishing-resistant MFA during the authentication process. Your MFA should answer the following questions:
- What is the level of confidence in the subject’s identity for this unique request?
- Is access to the resource allowed given the level of confidence in the subject’s identity?
- Does the device used for the request have the proper security posture?
Five key zero trust authentication requirements
To answer these three questions, you’ll need to enact specific measures to ensure credentials cannot be obtained by threat actors, and to continuously verify the identity and cyber health of users and their devices.
Here are five authentication requirements that will allow you to better protect your organization from data theft by aligning your MFA with ZTA standards.
1. Use phishing-resistant MFA
NIST specifies that a zero trust architecture cannot contain any authentication factors that are shareable through electronic means or via cell phone—one-time passcodes, SMS codes, and email links. These factors are easily compromised by threat actors who gain access to the devices and accounts receiving the code. In September 2022 alone, numerous high-profile incidents highlighted the importance of moving beyond legacy MFA.
Fortunately, you can avoid these types of breaches by choosing to institute a zero trust architecture which includes an authentication solution that uses cryptography to bind the user’s identity with the device, eliminating all phishable factors from the process.
2. Validate device security controls
User identity is only one part of the zero trust equation. It’s equally important to verify that the device being used to connect to your network meets your organization’s security requirements for accessing specific data, applications, or resources. If the correct security tools are not installed and active on the device, it is best to deny access until the device meets your requirements.
Using an MFA solution that collects device settings mapped to your security policies helps you streamline your zero trust authentication implementation by validating the security posture of the devices connecting to your network.
3. Assess continuously
Circumstances are always changing, data is constantly flowing, and what was true an hour or even five minutes ago may not be true now. Therefore, it’s critical to continuously verify that the security controls remain active throughout a connected session. Never trust, always verify. That is the motto of zero trust authentication. MFA tools that validate security controls at regular intervals help you maintain the ongoing measures required for zero trust authentication.
4. Use a risk-based policy engine
Intelligent authentication decisions go beyond the user simply entering the right credentials. Seeing the whole security picture from a zero trust perspective requires a risk-based policy engine to verify device security.
With the right technology, you can access native risk signals from the device itself as well as integrated risk signals from EDR and XDR security solutions like Crowdstrike and Zscaler and ZTNA and SASE solutions, such as Zscaler and Netskope. As an example, say you have contractors who are using their own devices. If a member of that group is trying to connect with an iOS device that is jailbroken, your risk-based policy engine can automatically deny authentication of that device.
5. Integrate MFA with your security ecosystem
Integrating your security stack so its components communicate effectively with one another is a great way to amplify existing cybersecurity investments and strengthen your overall security posture. Choosing a solution that integrates with an extended detection and response (XDR) solution, like Crowdstrike Falcon, provides access to a key endpoint-level risk signal that drives intelligent authentication decisions via policy directives.
We recommend using an MFA solution that leverages zero trust network access (ZTNA) integrations like Zscaler’s Private Access and Internet Access. The integration will help you ensure all connected devices meet your organization’s security requirements before and during an active session. These tools automatically log out non-compliant devices and allow them to re-authenticate only when in alignment with your security policy.
How Beyond Identity helps
Beyond Identity is a frictionless MFA solution that helps organizations implement the key authentication elements of the zero trust framework. By cryptographically binding user identities to devices, Beyond Identity creates a passwordless MFA process that is phishing-resistant and won’t slow down business operations. And with XDR and ZTNA integrations like Crowdstrike Falcon and Zscaler Private Access and Internet Access, Beyond Identity delivers a host of risk signals that help you boost your security posture and implement risk-based policies.
Ready to learn more? Book a demo today.