Passwords have long been a necessary evil. Once organizations began storing important data, they needed a way to verify what users could access, hence the implementation of the password. But attackers soon found ways to steal, bypass, or subvert password-based security measures. 

Today, we know passwords are an insecure authentication method. Hackers are able to breach passwords because it’s easy—people reuse passwords, make them easy to remember (and thus guess), and a myriad of other reasons. As attacks continue to mount and security experts issue ever more dire warnings about the risks of password-based attacks, most organizations still depend on the password to authenticate users.

Attempts have been made to fix passwords—layering on a multi-factor authentication (MFA) is the most often used solution—but the password remains the insecure foundation for first-generation MFA.

The continued existence of the password, combined with the traditional “castle and moat” network security model, leaves organizations open for attack. MFA solutions that use SMS text messages and OTP are easy phishing targets. Recent breaches of well known organizations have proven this.

This is where transitioning to a zero trust security model can help. By following the mantra “never trust, always verify,” organizations can limit potential damage by never inherently trusting a device or a user and continuously verifying device level security controls. Instead of the network itself serving as the perimeter, the user’s identity becomes the perimeter.

As you embark on your zero trust journey, you may consider if passwords fit. The answer is an emphatic no. We'll explain why maintaining password-based authentication is incompatible with zero trust.

Why can’t passwords be a part of a zero trust strategy

Passwords require a degree of trust that the rightful owner possesses the credential. If the person requesting the resource holds the proper credentials, access is granted to all resources permitted for that user’s role. Passwords can be easily stolen and shared for even the most sensitive of resources, which makes them such a bad authentication method to trust because of how hackable they are and how often these credentials are breached. 

On top of this, the security check for password-based authentication happens only once, at initial login. Also, most authentication solutions do not take into account the security posture of the device. 

Zero trust requires eliminating trust of any kind from your environment and implementing the use of continuous authentication because otherwise you are trusting that the person who authenticated a few minutes ago hasn’t turned off their firewall, been a victim of a session hijacking attack, or a number of other scenarios. Passwords don’t fit in that scenario. You can add additional security measures to passwords, but those solutions will not stop attackers and still rely on transitive trust.

First-generation MFA isn’t enough either

Many organizations consider MFA an important security control in preventing data breaches, and it’s certainly better than passwords alone. But first-generation MFA is not zero trust compatible. Any use of a password, even if it’s only stored in a database as a backup account recovery method, puts you at risk.

Like the password, an MFA factor is a one-time event, whether it be a magic link, a texted one-time password (OTP), or a push notification. Zero trust requires device security be continuously reassessed during a session to maintain access to a resource, not just during the initial sign-in.  

Furthermore, traditional MFA factors also rely on a degree of trust that the OTP or magic link has made it to the right person, and they are easy to phish. The Executive Order from the US Government on zero trust put forth the concept of phishing-resistant factors and moving away from them as soon as possible in order to achieve a zero trust security architecture. The elimination of factors like SMS text messages gets organizations one step closer to fulfilling the "phishing-resistant" requirement put forth by the US government. 

While there are secure and unphishable MFA factors, as long as the password is involved, zero trust cannot exist.

Switch to passwordless, unphishable MFA to set the foundation for zero trust

Transitioning to passwordless authentication is a significant first step toward securing your organization, but it isn’t enough to keep your environment protected. You need to layer on unphishable, zero trust MFA to eliminate attack vectors and enhance security. 

What is phishing-resistant MFA? Instead of using factors like OTPs, magic links, or push notifications, factors such as cryptographic keys, local biometrics, and device-level security checks to verify the device are used. It provides unparalleled security to stop hacks and breaches. 

Beyond Identity’s platform was built to provide Zero Trust Authentication. Our robust MFA delivers secure and efficient access while eliminating passwords. Our zero trust policy engine continuously scans for risk signals and can respond based on those signals. We enforce continuous risk-based authentication to identify risks with zero friction for the user. 

Need to implement zero trust authentication that fully eliminates passwords so you can protect your organization from future attacks? Beyond Identity has you covered. Ask for a demo today.