7 Requirements You Must Have in a Zero-Trust Authentication Solution

Written by: Beyond Identity
Published on: Apr 9, 2024

Much has been written about zero trust authentication—a security methodology that, by default, trusts no one attempting to gain access, even if they are already within the network. So much so that the Zero Trust Authentication concept was launched in 2023, a game changer for how we view the synergies between authentication and security.

Organizations have traditionally used password-based authentication and first-generation multi-factor authentication (MFA) models. Believe the hype: Zero-trust authentication (ZTA) is completely changing the security and authentication paradigm.

Zero trust is gaining momentum in the enterprise. Gartner has projected that 10% of large organizations “will have a mature and measurable zero-trust program in place” by 2026, up from less than 1% today. The impetus? A 2023 Deloitte survey found that 83% of risk leaders cited cyberattacks as a moderate or serious risk.

A critical component of a zero-trust strategy is to extend the role of identity and access management (IAM) to improve cybersecurity outcomes, which Gartner named one of its top cybersecurity trends for 2024. While zero trust eliminates implicit trust in any network connection, IAM gives only the right individuals access to specific resources. “As more organizations move to an identity-first approach to security, the focus shifts from network security and other traditional controls to IAM, making it critical to cybersecurity and business outcomes,” the firm said. While Gartner sees an increased role for IAM in security programs, the firm also stresses that security practices must evolve to harden systems to improve resilience.

The 7 Must-Haves for a Zero Trust Authentication Solution

Before deploying a ZTA solution, however, here are seven requirements that will ensure organizations are prepared for today’s cyber threats and risks:

1. Passwordless—The first step is moving to a solution that does not require any passwords or shared secrets because they can be hacked. “Passwords are the leading cause of data breaches, as hackers can easily exploit them through phishing, brute force, or credential-stuffing attacks,” writes software engineer Sam Talluri on Medium. Passwordless is a more secure and convenient way to verify user identity, he adds.

2. Phishing resistance—Attackers should not be able to obtain any links, codes, or other authentication factors through attacks such as phishing or adversary-in-the-middle. A phishing-resistant system consists of ZTA using modern public key infrastructure (PKI) and Fast Identity Online 2 (FIDO2)-based technology, the latter of which is often referred to as “the latest passwordless authentication standard.”

3. User device validation—This requires that a device is checked to ensure that a user is authorized to access information and applications. Device trust relationships are validated with ZTA, which uses embedded cryptographic hardware.

4. Device security posture assessment—This assessment is done by providing a baseline view to determine whether devices comply with security standards. It does this by checking that appropriate security settings are enabled and security software is active. The ultimate goal of the assessment is to increase the maturity of an organization’s cyber resilience strategy.

5. Multi-dimensional risk signal incorporation—A policy engine analyzes data from endpoint and security solutions, including user behavior, devices’ security posture, and the status of endpoint detection and response (EDR). This is done to assess the risk values of all measurement dimensions.

6. Continuous risk assessment—The concept may seem obvious, but it is worth mentioning as it is a cornerstone of ZTA. Rather than assuming a one-time authentication policy is adequate, all authentications are monitored continuously to flag malicious activity.

7. Integrated with the security infrastructure—Arguably the most important capability of all, your ZTA solution must be able to integrate with the other tools in your security infrastructure to enhance risk detection, respond quickly, and improve compliance reporting. Otherwise, what’s the point?
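
Requirements 4 to 6 above describe a posture baseline, a policy engine that combines several risk signals, and re-assessment after the initial login. The following is an added example, not code from Beyond Identity or any product; the signal names, weights and thresholds are hypothetical and the sample data is constructed.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Signals:
    """One snapshot of device and user signals (hypothetical field names)."""
    disk_encrypted: bool      # requirement 4: security setting enabled
    firewall_enabled: bool    # requirement 4: security setting enabled
    edr_running: bool         # requirement 4: security software active
    edr_open_alerts: int      # requirement 5: status reported by the EDR tool
    behavior_anomaly: float   # requirement 5: 0.0 (normal) to 1.0 (highly unusual)

ALLOW, STEP_UP, DENY = "allow", "step_up", "deny"
STEP_UP_AT, DENY_AT = 30, 60  # constructed thresholds on the combined score

def assess(s):
    """Return (decision, reasons) for a single snapshot."""
    # Posture baseline: a missing control fails closed, whatever the score is.
    failed = [name for name, ok in (("disk_encrypted", s.disk_encrypted),
                                    ("edr_running", s.edr_running)) if not ok]
    if failed:
        return DENY, ["baseline:" + name for name in failed]
    # Risk dimensions: each signal contributes to one combined score.
    parts = {
        "firewall_disabled": 0 if s.firewall_enabled else 30,
        "edr_alerts": min(s.edr_open_alerts, 3) * 20,
        "behavior": round(s.behavior_anomaly * 50),
    }
    score = sum(parts.values())
    reasons = [name for name, value in parts.items() if value]
    if score >= DENY_AT:
        return DENY, reasons
    if score >= STEP_UP_AT:
        return STEP_UP, reasons
    return ALLOW, reasons

def monitor(snapshots):
    """Continuous assessment: re-evaluate every snapshot of a session.

    The session is revoked at the first deny, so later snapshots are not
    evaluated even if the device looks healthy again.
    """
    timeline = []
    for timestamp, signals in snapshots:
        decision, reasons = assess(signals)
        timeline.append((timestamp, decision, reasons))
        if decision == DENY:
            break
    return timeline

# Constructed session: healthy at login, then behavior drifts, then EDR alerts.
HEALTHY = Signals(True, True, True, 0, 0.0)
SAMPLE = [
    (0, HEALTHY),
    (300, replace(HEALTHY, behavior_anomaly=0.7)),
    (600, replace(HEALTHY, edr_open_alerts=2, behavior_anomaly=0.7)),
    (900, HEALTHY),
]

if __name__ == "__main__":
    for entry in monitor(SAMPLE):
        print(entry)
```

A check made only at login would have allowed this whole session; re-assessment steps up at 300 seconds and revokes at 600. The returned reasons are what an integration with other security tools (requirement 7) would forward for reporting.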

For a deep dive on minimizing credential breaches and phishing resistance in security solutions, download our Zero Trust Authentication book today and get more details.

About the author: Esther Shein is a longtime freelance tech and business writer and editor whose work has appeared in several publications, including CIO.com, TechRepublic, VentureBeat, ZDNet, TechTarget, The Boston Globe and Inc. She has also written thought leadership whitepapers, ebooks, case studies and marketing materials.
