How Does Passwordless Authentication Fit Within a Zero Trust Security Model?

zero trust security model portnox

Will 2023 be the year we finally eliminate passwords? For the last decade, cybersecurity experts have both been pushing for and predicting that a passwordless future is just around the corner. However, while passwords have been declining in recent years in favor of more robust forms of authentication, an entirely passwordless future has yet to materialize. But that all could be set to change as companies move to adopt a zero trust security model. Zero trust does away with implicit trust and requires all users and devices, whether inside or outside the corporate network, to be continuously authenticated and authorized. And critically, zero trust is also starting to mean zero passwords. But why?

Let’s dive into why passwordless authentication is important and how it fits into a zero trust security model.

What is Passwordless Authentication?

As the term suggests, passwordless authentication is a way of verifying a user’s identity with something other than a password. Common types of passwordless authentication include email-based or SMS-based one-time codes, multi-factor authentication, and biometrics. Biometrics are increasingly favored over other types of passwordless authentication because they’re virtually impossible for hackers to imitate, and they reduce user friction. Some examples of biometric authentication include retinal scans, voiceprints, facial recognition, fingerprint scans, and biometric mouse movements.

Why Use Passwordless Authentication?

Here’s what it comes down to; passwordless authentication is simply more secure than password-based authentication.

While businesses have relied on passwords for decades, they’re no longer considered a secure way to protect our accounts and corporate networks. For example, 44% of employees reuse passwords across personal and work-related accounts. Moreover, most passwords are extremely easy to guess – the top five passwords globally are “123456”, “Password,” “12345678”, “qwerty,” and “123456789”.

As a result, hackers have long favored password attacks to breach corporate networks or personal accounts. Many different password attack methods exist, but the most common are:

  • Brute-force attacks: This hacking method uses trial and error to crack passwords, typically using lists of common passwords or leaked passwords obtained from the dark web.
  • Surgical attacks: These are a type of targeted attack where the hacker researches the intended victim, scouring their public accounts to find key details like their birthday, favorite sports team, hobbies, names of their children, etc., that the user may use in passwords.
  • Phishing/Social engineering: Here, cybercriminals pose as a trusted entity like a well-known company or another employee and trick the target into sharing their login details via a fraudulent login screen. Other methods include sending emails with a malicious link that automatically installs key-logging malware on the victim’s computer.

But by opting for passwordless authentication, you can eliminate or vastly reduce the risk of falling victim to these types of attacks.

There are also other reasons to move away from passwords. For example, passwordless authentication is more convenient for workers because it leverages something the user has or something inherent to them, eliminating the need for them to remember anything. This also means employees can log into devices faster.

Rising Zero Trust Security Model Adoption

72% of organizations are in the process of adopting zero trust or have already implemented it. Moreover, an eye-watering 90% of organizations say that advancing zero trust is one of their top three IT and security priorities. But why exactly is zero trust becoming so widespread? Adopting a zero trust approach can the cost of a data breach by approximately $1.76 million and offer boosted efficiencies that amount to savings of 40 manhours per week. Moreover, companies that leverage zero trust network segmentation (an element of ZTNA) are two times more likely to avoid critical outages due to security incidents. Undoubtedly, the need for continuous authentication is rising as remote working, and distributed workforces become more common. Zero Trust Network Access (ZTNA) is a critical set of technologies and functionalities here, enabling remote users to access internal applications securely. ZTNA is fast becoming essential for businesses in the modern world.

Can You Have Password-Based Zero Trust?

Yes, and many organizations do. However, cybersecurity experts are now warning that password-based zero trust does not meet the defense demands of the increasingly severe cyber threatscape of today.

Why a Passwordless Zero Trust Security Model Is the Way Forward

Here’s the bottom line. Passwords are not only weak forms of security, but they also make your zero trust program slower, more expensive, and less effective. Passwords require more tools, which drives up costs. Additional tools demand more administrators, new user licenses, and often more training for users and the help desk. All of these factors result in a more expensive security program. Additionally, companies that use passwords in conjunction with MFA often still have security gaps. This is typically because legacy systems or otherwise awkward technologies don’t play well with some MFA tools, leaving specific corporate systems protected only by passwords. There can also be MFA gaps in workstation login, VPNs, RDPs, and VDIs or IoT devices where passwords are the default.

Lastly, there are resource constraints involved with managing robust password-based security. IT and security teams are often understaffed and overwhelmed, and the current cybersecurity skills gap exacerbates this problem. Moreover, rising economic uncertainty puts more pressure on businesses of all sizes to reduce their IT budgets and take cost-cutting measures. In this increasingly severe climate, security teams are feeling the pains of passwords more than ever before. By taking passwords out of the equation, organizations can reduce the labor burden on already over-stretched security workers and give them more time to spend on proactive cybersecurity measures.

Final Thoughts

Credential stuffing may be one of the oldest attack methods, but it’s still going strong today. For example, credential stuffing attacks became so prevalent in the first quarter of 2022 that attack traffic surpassed legitimate login traffic in some countries. And equally concerning, the first half of 2022 saw more attacks against MFA than any previous year. Simply put, cybercriminals are increasingly targeting our traditional defense measures, namely passwords and MFA. As a result, companies embarking on their zero trust journey need to move away from passwords and weaker forms of MFA in favor of more robust passwordless authentication.

Try Portnox Cloud for Free Today

Gain access to all of Portnox's powerful zero trust access control free capabilities for 30 days!