My New Year’s Resolution: Going Passwordless!
What is your New Year’s resolution for 2022? Well, it is that time of year again! My resolutions are not necessarily new, but a continuation of several that I have made in prior years. Eat healthier foods, lose weight, and save money are the ones that immediately come to mind. Another best practice that I started several years ago was to adopt a passwordless authentication initiative for all my internet connected personal devices. Fortunately for me, my company began enforcing zero sign-on authentication along with deploying a multi-layered anti-phishing protection system several years back. Additionally, we made the transition to using stronger authentication factors like inherence – specifically biometrics – and possession, which was a lot easier than I anticipated.
Eliminating passwords just makes too much sense as it raises your company’s Zero Trust security maturity level by removing the most common root cause of data breaches. This is more important than ever as 2021 has been a record-setting year for data breaches, and according to the Verizon 2021 Data Breach Investigation Report (DBIR), cybercriminals specifically sought out credentials as the most common data type in 61% of all breaches because it is the gift that keeps on giving. Also, with the resurgence of the Pegasus spyware that now exploits zero-day vulnerabilities in common apps like iMessage, FaceTime, Safari, WhatsApp, and others, stolen data – specifically credentials – allow attackers to gain a foothold onto a compromised device without the end user knowing. This privileged data can then be used for lateral movement onto the corporate network, data center, and cloud systems in search of other high value assets, resulting in a ransomware or an advanced persistent threat (APT) attack.
How can Ivanti help? Ivanti’s Zero Sign-On (ZSO) can be added onto your company’s passwordless authentication solution at any time. Contextual conditional access policies can be implemented to grant or deny access not only based on a trusted user, but also the trusted device, app, network (location), and time. For remote desktops, ZSO’s FIDO2 (Fast IDentity Online 2) solution can be enabled by using your iOS, iPadOS, or Android mobile device as an analog for the security key to securely access your Windows or Mac laptop, and then seamlessly access your Microsoft 365, Google Workspace, Salesforce, and other cloud-based work resources in a single sign-on (SSO) deployment within the Everywhere Workplace.
FIDO2 is the most secure passwordless identity authenticator option available, especially if it is used in a multi-factor authentication (MFA) system to securely access your digital work resources and services. FIDO2 leverages the stronger authentication factors, with biometrics as the inherence factor and your mobile device as the possession factor. Newer ZSO features that are being released in January 2022 include Bluetooth Low Energy (BLE) desktop login to Windows and Mac laptops offline without an internet connection (see Figure 1), and support for FIDO2 compliant security keys from Yubico and GoTrust to access your desktop as well as cloud apps (see Figure 2).
So, why is FIDO2 the most secure option available? Most notably, a password or PIN (personal identification number) is no longer required with FIDO2, which removes a shared secret from the login. Also, the cryptographic (public key) credentials that FIDO2 uses to log in to websites and online services across the internet are unique to each site. This protects your online privacy and adds confidentiality to your session. Your personal information remains on your mobile device and is never transmitted over the internet or stored on a server. This immediately eliminates the threat of phishing and credential theft. Additionally, the built-in biometric scanner in your mobile device, which validates your identity with your fingerprint or face, is frictionless and very convenient.
FIDO2 is a component of the Ivanti Access platform, which requires Neurons for Mobile Device Management and Zero Sign-On (ZSO). Ivanti recommends a defense-in-depth zero trust security strategy to combat today’s sophisticated threats with additional solutions that include Neurons for Unified Endpoint Management (UEM) and Mobile Threat Defense (MTD). MTD provides multiple layers of protection against device-, network-, and app-level attacks as well as phishing. Neurons for Secure Access (nSA) and Neurons for Zero-Trust Access (nZTA) add the next-generation software-defined perimeter (SDP) secure remote access solution, and Neurons for Patch Intelligence now adds the RiskSense risk-based vulnerability management (RBVM) solution to the security patching process.
With credential theft so rampant on the Internet and the invasive Pegasus spyware out in the wild today, it’s no wonder that attacks like ransomware are growing dramatically. The solution is to place as many impediments as possible in front of malicious cybercriminals, increasing the chance that they will give up and seek out other targets that lack the proper security controls. Ivanti provides the robust toolset to help thwart today’s sophisticated cybercriminals. Now that is a New Year’s resolution we can all get behind and support!