Authentication best practice within a Zero Trust strategy

For CISOs around the world, it seems that at every turn they are being told to implement Zero Trust. By Nic Sarginson, Principal Solutions Engineer, Yubico.

It’s true that the principle of Zero Trust might be right for this moment; after all, work-from-home and hybrid work policies are becoming the norm, as are cloud applications. However, many organisations may struggle with the reality of what’s involved with a Zero Trust framework or infrastructure. Having protected the boundary for so long, it takes a change of mindset to verify every connection attempt.

At its core, Zero Trust should start with strong user authentication and the chosen authentication method should not hamper user productivity. Therefore, organisations need to look first at how users establish their identity and consider the level of trust that can be attributed to that mechanism. The truth is, if authentication is by passwords alone, there is no assurance of security, no matter how robust the rest of the Zero Trust strategy is. Yet despite this, a recent survey of work-from-anywhere cybersecurity practices at companies in the UK, France and Germany revealed that less than a quarter (22%) of respondents had implemented two-factor authentication (2FA). That’s a problem for Zero Trust, because going forward with such a model depends on having a strong level of trust in the authentication mechanisms of every user, from every device.

Strong authentication needs to be a foundational building block of the Zero Trust strategy. With that in mind, what are the key strong authentication best practices organisations need to adopt in order to ensure Zero Trust is correctly supported?

1. Choose strong authentication based on open standards

By decoupling authentication from the identity and access management (IAM) platform, and by choosing an authenticator based on open standards, authentication will work with a wide array of IAM solutions. That way, users are empowered to be productive on a new IAM system, or non-federated access point, using the same authenticator within minutes instead of weeks.

2. All accounts must be considered

Service accounts, as well as user accounts, need to be heavily protected, monitored, and properly scoped. Too often, these types of accounts are protected with static passwords. That isn’t sufficient, but unfortunately a number of IT and other systems have limitations on authentication options. However, they can often make use of cryptographic certificate-based authentication – private keys that should be stored in hardware security modules (HSMs), dedicated security hardware that comes in different sizes, from large physical appliances to small USB devices.

3. Cryptographically-based signing is key

It has been possible for quite some time to digitally sign electronic documents, and personal authenticators and inexpensive HSMs make this easier and stronger. Cryptographically-based signing, backed by hardware, ensures that content was in fact created by the signer.

4. Validate devices

Strong authentication, such as that provided by a hardware device, supports a Zero Trust approach, but it is still very important to validate the device itself to ensure it is not compromised. Attestation validates that the authenticator hardware is from a trusted manufacturer and that the credentials generated on it have not been cloned. Attestation relies on a key pair that is burned into the device during manufacturing, providing important details such as manufacturer and device model. Attestation concepts are built into the FIDO standard, and some vendors also include attestation capabilities for smart card deployments.

5. Remember risk

A trusted strong authentication approach allows for step-up authentication based on risk. This protects the user and the organisation while increasing productivity. Real-time risk-based access policies, such as those implemented in a Zero Trust framework, are based on signals and risk scores. A strong authentication solution that is hardware-based, and highly trusted, can elicit a high trust score, thus allowing for higher privileged access.
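The device validation and risk points above can be expressed as a small policy evaluation. The following is an added illustration, not code from the article or from Yubico: the authentication methods, signal names, score weights and resource thresholds are all assumptions chosen to show how a hardware-backed, attested authenticator on a validated device earns the trust score that higher-privileged access demands, while weaker methods are sent to step-up.

```python
from dataclasses import dataclass

# Assumed assurance level each authentication method earns. Only a
# hardware-backed FIDO2 authenticator is treated as phishing-resistant.
ASSURANCE = {"password": 0, "sms_otp": 1, "totp_app": 1, "fido2_hardware": 3}

# Assumed minimum trust score each resource class demands.
REQUIRED = {"intranet": 1, "finance": 3, "admin": 4}


@dataclass
class Signals:
    """Signals a Zero Trust policy point receives for one access attempt (assumed set)."""
    auth_method: str
    attestation_verified: bool = False  # authenticator make/model checked via attestation
    device_managed: bool = False        # endpoint passed device validation
    new_location: bool = False          # first sign-in from this location
    impossible_travel: bool = False     # sign-in geography inconsistent with last session


def trust_score(s: Signals) -> int:
    """Combine authenticator assurance with device and context signals (assumed weights)."""
    score = ASSURANCE.get(s.auth_method, 0)
    if s.auth_method == "fido2_hardware" and not s.attestation_verified:
        score -= 1  # hardware is claimed but unverified: do not grant full credit
    if s.device_managed:
        score += 1
    if s.new_location:
        score -= 1
    if s.impossible_travel:
        score -= 3
    return max(score, 0)


def decide(s: Signals, resource: str) -> str:
    """Return 'allow', 'step_up' (prompt for a stronger authenticator) or 'deny'."""
    if s.impossible_travel:
        return "deny"  # no authenticator upgrade can explain this signal away
    if trust_score(s) >= REQUIRED[resource]:
        return "allow"
    # Step-up is only useful when a stronger authenticator is available; a user
    # already on hardware FIDO2 who still falls short needs device remediation.
    return "step_up" if s.auth_method != "fido2_hardware" else "deny"


if __name__ == "__main__":
    attempt = Signals("fido2_hardware", attestation_verified=True, device_managed=True)
    print(decide(attempt, "admin"))  # allow
```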

6. Purpose-build phishing resistance

The earlier-cited survey into work-from-home cybersecurity tells us that, where companies have implemented 2FA, mobile authentication apps and SMS one-time passcodes (OTPs) are the most popular.

It’s true that these basic forms of 2FA provide higher levels of security than username/password alone, but they remain vulnerable to some threats, such as sophisticated phishing and man-in-the-middle attacks. OTPs via SMS can also fall into the wrong hands as a result of ‘SIM-swap’ fraud, and employees can be tricked into providing them to a would-be hacker if they’re persuaded it’s a legitimate request.

A strong, phishing-resistant authentication solution should be purpose-built. It should also reduce, not add to, authentication complexity. A dedicated security-focused device that is simple to use heightens security without an impact on productivity and also allows for easy and consistent monitoring.

7. Plan for a passwordless future

Achieving secure passwordless login across desktop and mobile requires a rich ecosystem and a consistent framework for authentication. An ecosystem built on open FIDO2/WebAuthn standards is best placed to deliver security and usability, while also satisfying the need for portability, compatibility, interoperability and scale.

Modern multi-factor authentication (MFA) is essential to prevent network access through stolen passwords. Now that the industry is moving away from symmetric secrets (passwords, OTPs) to more advanced asymmetric solutions bound to physical devices, it’s more important than ever to start with strong authentication if Zero Trust is to become a reality.
