Enterprises must evolve amid rising cyber-attacks. Traditional multi-factor authentication does not protect against credential theft, writes Tom Sego, co-founder and CEO of BlastWave. In place of cloud-based SASE, traditional MFA and hardware-based VPNs, enterprises can deploy phishing-resistant passwordless MFA and simplify the security stack through comprehensive Zero-Trust Network Access.
Cybersecurity protection is a moving target. That is the most fascinating yet challenging aspect of the defender community's work: as adversaries become more sophisticated and persistent, their attack vectors keep changing, and enterprises must evolve to keep pace. Today's report card is not good. Data breaches are increasing, with a study from Interisle Consulting Group showing a 61 percent increase in 2022. Despite rising annual spending, why are attacks only accelerating? I believe it comes down to several factors: the proliferation of billions of IP-connected devices, digitalization, remote work and the growing complexity of IT, OT and cloud networks. Those factors expose the original cyber sin: identity is easily compromised.
Why is identity so easily spoofed? Fundamentally, the authentication process relies on credentials, which can be phished, socially engineered or stolen. In fact, credential theft accounted for 61% of data breaches in 2021 (Verizon). Because passwords alone offer weak protection, the defender community added more factors to the authentication process. The move to multi-factor authentication (MFA) is a step in the right direction, but fundamental flaws remain. The recent Uber attack showed how a push-notification second factor can be abused: the attacker simply keeps prompting until the user approves. SIM swapping is a well-known technique for intercepting SMS codes used as a second factor. And usernames and passwords, which are known to be ineffective, remain at the core of authentication. If you knew the locks on your house were easy to pick, would you just add something on top, or replace the flawed control with one that works?
Stop Evolving Attack Vectors with ZTNA
So, where do we go from here? As connected devices proliferate and people increasingly work remotely, the network perimeter becomes irrelevant. Organizations must protect their assets from users already inside the network as well as from those connecting over the public Internet. Enterprises need a single Zero-Trust Network Access (ZTNA) solution that creates a software-defined perimeter (SDP) drawn around users and devices wherever they are, rather than around the physical network. SDPs authenticate users and devices before any connection is established and dramatically simplify the security stack. Phishing-resistant passwordless MFA is a vital component of an integrated ZTNA platform and addresses the shortcomings of traditional MFA.
Traditional MFA does not reduce human error sufficiently. It layers a second factor on top of a password, so sophisticated attackers can still establish a network beachhead through unauthenticated attack surfaces and security holes, reaching valuable assets with a single stolen session token or a spoofed authentication page. Unlike connect-then-verify designs that establish a connection before checking identity, phishing-resistant passwordless MFA eliminates shared credentials and continuously validates identity before allowing the connection. This is the practical form of Zero-Trust for enterprises' critical infrastructures.
In one breach reported by Microsoft, attackers used proxy sites placed between the user and the real login page to capture authenticated sessions, so they never had to re-authenticate. In another case, the second factor was a push notification, and 30 percent of executives approved the notification when they were not trying to log in. In yet another breach, attackers used the MFA mechanism itself as the attack path.
MFA's one-time passwords (OTPs) do not solve the fundamental problem of protecting access to critical systems. OTPs are vulnerable to insiders at the service provider, to hijacked SIM cards, and to phishing sites that collect the user's password and OTP and relay them to the real service in real time, compromising the account while the user believes they are logging in. These attacks show that enterprises must remove human decisions from the authentication loop without adding complexity or cost to their security stacks. Phishing-resistant passwordless MFA is simple enough that no internal user wants to circumvent it, and invisible enough that an attacker has nothing to see.
Nevertheless, enterprises resist adopting passwordless MFA as a replacement for browser-based authentication, cloud-based SASE and antiquated VPNs, all of which rely on a cloud-based proxy architecture that backhauls traffic through a third-party cloud server. There are several reasons, including the perceived complexity of passwordless MFA, uncertainty in a saturated security-solution market and limited awareness of passwordless MFA's benefits.
Software-defined Perimeter: Outside the Walled Garden
In one effort to eliminate credentials, Apple is implementing passkeys. Zero-Trust thought leaders advocated this transformation for years. But IT managers will still face increased complexity and cost if they skip passwordless MFA that integrates with single sign-on (SSO) identity managers and multi-vendor environments. Passkeys work well within a single "walled garden" platform such as iOS or Android, where the synced credential is tied to the platform account and the user accesses applications on that platform. But passkeys alone are inadequate for secure remote access across multi-vendor environments such as AWS, Azure, Google Cloud and Kubernetes clusters. A partial solution falls short in an evolving threat landscape. To implement true Zero-Trust and address the rising complexity of IT, OT and cloud networks, enterprises need passwordless MFA that integrates seamlessly with multi-vendor environments as part of a single ZTNA solution.
Addressing Enterprise Pain Points by Eliminating Passwords
Spoofability is a primary pain point for IT managers and CISOs. To reduce it, phishing-resistant passwordless MFA implementations use QR codes generated by the security platform's own authentication server, which a mobile authenticator validates using a hardware-backed private key and biometric confirmation (facial recognition, fingerprint, etc.). Because the platform controls both sides of this handshake, the authenticator rejects a QR code that its server did not issue; a generic camera app, by contrast, will happily decode a malicious QR code and follow wherever it points.
Digital certificate management is another encumbrance. Passwordless MFA verifies identity without digital certificate management or cloud-based exchanges. Identity is the linchpin of secure remote access, and enterprises need passwordless MFA that continuously verifies identity through FIDO2 keys or biometrics before permitting a connection. The private keys are stored in the secure enclave of the user's mobile device, so they never leave it. Removing the user's choice of actions greatly reduces the risk of phishing through human error. Phishing-resistant passwordless MFA, backed by a high-performance, peer-to-peer architecture, is a vital component of a ZTNA solution: it takes human decisions out of the authentication loop, addresses the underlying causes of compromise and minimizes the blast radius while retaining high-performance speeds.
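The two paragraphs above describe a handshake in which a device-held private key signs a challenge issued by the platform's own server, so that a code or prompt relayed through a phishing site is useless. The following is an added example, not BlastWave's code or any vendor's implementation, showing why a relayed OTP passes but a relayed origin-bound assertion does not. The origins, user name and enrollment flow are assumed for illustration, and HMAC with a per-device secret shared at enrollment stands in for the asymmetric signature a real FIDO2/WebAuthn authenticator would produce (a real relying party stores only the public key); the origin-binding and single-use-challenge checks are the point.

```python
# Added example (not BlastWave's or any vendor's code). Origins, user name and
# enrollment flow are assumed. HMAC with a per-device secret stands in for the
# asymmetric signature a real FIDO2/WebAuthn authenticator would produce.
import hashlib
import hmac
import secrets
import struct

REAL_ORIGIN = "https://vpn.example.com"       # assumed relying-party origin
PHISH_ORIGIN = "https://vpn-example.com"      # assumed look-alike proxy site


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, dynamically truncated."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def otp_server_accepts(shared_secret: bytes, typed_code: str, now: int) -> bool:
    """The OTP server only sees digits; it cannot tell where they were typed."""
    return hmac.compare_digest(totp(shared_secret, now), typed_code)


class Authenticator:
    """Device-held key (secure enclave / hardware-backed in practice).

    Signs the server's challenge together with the origin the client reports,
    so an assertion produced on a phishing page is bound to the phishing origin.
    """
    def __init__(self) -> None:
        self.key = secrets.token_bytes(32)

    def sign(self, challenge: bytes, origin_seen: str) -> dict:
        data = challenge + origin_seen.encode()
        return {"challenge": challenge, "origin": origin_seen,
                "sig": hmac.new(self.key, data, hashlib.sha256).digest()}


class RelyingParty:
    """Server side: issues single-use challenges, checks origin and signature."""
    def __init__(self, origin: str) -> None:
        self.origin = origin
        self.enrolled = {}   # user -> device key (a real RP keeps the public key)
        self.pending = {}    # user -> outstanding challenge

    def enroll(self, user: str, auth: Authenticator) -> None:
        self.enrolled[user] = auth.key

    def new_challenge(self, user: str) -> bytes:
        self.pending[user] = secrets.token_bytes(32)
        return self.pending[user]

    def verify(self, user: str, assertion: dict) -> bool:
        challenge = self.pending.pop(user, None)        # single use: no replay
        if challenge is None or assertion["challenge"] != challenge:
            return False
        if assertion["origin"] != self.origin:           # the phishing case
            return False
        expected = hmac.new(self.enrolled[user], challenge + self.origin.encode(),
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, assertion["sig"])


def relayed_otp_is_accepted(now: int = 1_700_000_000) -> bool:
    """Victim types the code into the phishing page; the proxy forwards it."""
    seed = secrets.token_bytes(20)
    code_typed_on_phish_page = totp(seed, now)
    return otp_server_accepts(seed, code_typed_on_phish_page, now)   # True


def relayed_assertion_is_accepted() -> bool:
    """Proxy relays the real challenge, but the client signs over PHISH_ORIGIN."""
    rp, auth = RelyingParty(REAL_ORIGIN), Authenticator()
    rp.enroll("alice", auth)
    challenge = rp.new_challenge("alice")             # fetched by the proxy
    assertion = auth.sign(challenge, PHISH_ORIGIN)    # browser reports its page
    return rp.verify("alice", assertion)              # False


def direct_login_is_accepted() -> bool:
    rp, auth = RelyingParty(REAL_ORIGIN), Authenticator()
    rp.enroll("alice", auth)
    challenge = rp.new_challenge("alice")
    return rp.verify("alice", auth.sign(challenge, REAL_ORIGIN))   # True


def replayed_assertion_is_accepted() -> bool:
    rp, auth = RelyingParty(REAL_ORIGIN), Authenticator()
    rp.enroll("alice", auth)
    assertion = auth.sign(rp.new_challenge("alice"), REAL_ORIGIN)
    rp.verify("alice", assertion)
    return rp.verify("alice", assertion)   # False: challenge already consumed


if __name__ == "__main__":
    print("relayed OTP accepted:       ", relayed_otp_is_accepted())
    print("relayed assertion accepted: ", relayed_assertion_is_accepted())
    print("direct login accepted:      ", direct_login_is_accepted())
    print("replayed assertion accepted:", replayed_assertion_is_accepted())
```

The OTP check passes no matter where the user typed the code, which is exactly what an adversary-in-the-middle proxy exploits. The origin-bound assertion fails because the signed data carries the origin the client actually saw, and the single-use challenge stops a captured assertion from being replayed later; in a real deployment the browser or native authenticator fills in that origin, not the user.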
Comprehensive ZTNA with Phishing-resistant Passwordless MFA
With so many cloud-based SASE products on the market, enterprises should consider replacing their MFA with a ZTNA platform that integrates phishing-resistant passwordless MFA, a high-performance peer-to-peer architecture and built-in micro-segmentation, simplifying firewall and VPN management. An ideal ZTNA solution encrypts transport and eliminates the primary ways attackers establish a network beachhead, while retaining high performance. Because they backhaul and concentrate traffic through shared gateways, many cloud-based SASE products do not deliver adequate speed.
While many organizations have moved from traditional hardware-based VPNs to cloud-based SASE, these products still create performance bottlenecks, leading to dropped connections, subpar throughput and poor user experience. With cloud-based SASE, CISOs must also purchase a separate authenticator. And because these products route all traffic through a cloud service provider, they enlarge the attack surface: that provider becomes a single point of failure which, if compromised, gives an attacker a path to lateral movement across the network.
To protect against increasingly sophisticated, persistent threat actors, enterprises should implement ZTNA with phishing-resistant passwordless multi-factor authentication that removes human decisions from the authentication loop and simplifies the security stack by creating a software-defined perimeter.