Modern Authentication is the Word on the Street
A few months ago, I attended the RH-ISAC Spring Summit 2024 to discuss all things Identity and Access Management (IAM) with practitioners at companies of all sizes. The best part of these interactions was the pure joy and pride these experts had while talking about their identity programs, both current and planned. While the efforts discussed varied in size and scope, they shared one unsurprising point: all of them centered on the user experience.
The User Experience is Make or Break
Unsurprisingly, the attack surface that adversaries are exploiting is users. In fact, according to the 2024 Verizon DBIR, more than two-thirds of attacks start with social engineering or credential theft. All of the organizations I spoke with understood that a strong, phishing-resistant authentication process was needed, but many were still looking for solutions that did not weigh down the ability of staff to be productive or get in the way of customer interactions. They also acknowledged that, while better than nothing, traditional multi-factor authentication (MFA) methods such as SMS codes, OTP apps and number matching are a risk to the primary focus of front-of-house, warehouse and sales staff. These methods generally require phones, something that is undesirable from a customer representative's perspective and possibly dangerous in and around warehouses. A better solution that some attendees, as well as many of my personal contacts in this space, have invested in is a public key infrastructure (PKI) solution. This leverages certificates deployed locally to devices, or certificates stored on external devices such as USB tokens or smart cards.
What are PKI Solutions?
These solutions fall under two broad categories: the aforementioned certificate-based smart cards, or FIDO (FIDO goes by several names, including WebAuthn and passkeys). Passkeys are a newer name for FIDO2 passwordless-enabled credentials, a standard that is replacing passwords and phishable MFA logins with more secure passwordless experiences.
There are different types of passkeys, synced and device-bound (you can learn more here). Both solutions give end users flexibility and ease of use without disruptive breaks in their workflows. The two technologies are robust and trusted across the larger IAM landscape. They differ in the infrastructure needed to support them:
- Smart cards, like traditional PKI solutions, require organizations to manage their own certificate authorities (CAs).
- FIDO solutions hand most of the key creation and management work off to the authenticator, meaning that Relying Parties (RPs) or Identity Platforms (IDPs) only need to associate the authenticator's public key with the user account.
Both smart card and FIDO solutions can be secured with authenticator specific PINs, and both open the door for passwordless workflows.
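To make the division of labor concrete, here is an added example (not code from the original post or from any product discussed in it) of a minimal FIDO/WebAuthn-style exchange in Go, using only the standard library. The authenticator holds the private key and signs a fresh challenge; the relying party stores nothing but a credential ID, a public key and the last signature counter per account, and verifies the rpIdHash, the challenge and origin binding, the signature, and that the counter strictly increased (a replay and cloned-authenticator signal). The RP ID "shop.example", the user "alice" and the simplified clientDataJSON layout are constructed assumptions for the example; a real deployment would use a WebAuthn library and CBOR-encoded attestation and assertion objects.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Authenticator models a FIDO security key or platform authenticator. The key is
// generated in software only so the example runs offline; in a real device it is
// created inside the hardware and never exported (often unlocked by a PIN).
type Authenticator struct {
	priv      *ecdsa.PrivateKey
	credID    []byte
	signCount uint32
}

// Credential is everything the relying party stores per account: no CA, no private key.
type Credential struct {
	CredID    []byte
	Pub       *ecdsa.PublicKey
	SignCount uint32
}

// RelyingParty is the service or IdP accepting logins for RPID (constructed: "shop.example").
type RelyingParty struct {
	RPID  string
	creds map[string]Credential
}

// Assertion is the authenticator's signed answer to a login challenge.
type Assertion struct{ CredID, AuthData, ClientData, Sig []byte }

func NewRelyingParty(rpID string) *RelyingParty {
	return &RelyingParty{RPID: rpID, creds: map[string]Credential{}}
}

func NewAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	credID := make([]byte, 16)
	if _, err := rand.Read(credID); err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv, credID: credID}, nil
}

// NewChallenge returns 32 random bytes; the RP must mint a fresh one per login attempt.
func NewChallenge() ([]byte, error) {
	ch := make([]byte, 32)
	_, err := rand.Read(ch)
	return ch, err
}

// ClientDataJSON is a simplified clientDataJSON. Binding challenge and origin into the
// signed data is what makes the login phishing-resistant: a lookalike origin cannot
// produce a signature the real RP will accept.
func ClientDataJSON(challenge []byte, origin string) []byte {
	return []byte(fmt.Sprintf(`{"type":"webauthn.get","challenge":"%x","origin":"%s"}`, challenge, origin))
}

// authenticatorData follows the WebAuthn layout: rpIdHash (32) || flags (1) || signCount (4).
func authenticatorData(rpID string, signCount uint32) []byte {
	h := sha256.Sum256([]byte(rpID))
	out := make([]byte, 37)
	copy(out, h[:])
	out[32] = 0x05 // UP (user present) | UV (user verified, e.g. PIN entered)
	binary.BigEndian.PutUint32(out[33:], signCount)
	return out
}

// Register: the RP only records the public key and credential ID against the account.
func (rp *RelyingParty) Register(user string, a *Authenticator) {
	rp.creds[user] = Credential{CredID: a.credID, Pub: &a.priv.PublicKey}
}

// Sign: the authenticator signs SHA-256(authData || SHA-256(clientData)), as in WebAuthn.
func (a *Authenticator) Sign(rpID string, clientData []byte) (Assertion, error) {
	a.signCount++
	authData := authenticatorData(rpID, a.signCount)
	cdh := sha256.Sum256(clientData)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdh[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, msg[:])
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{CredID: a.credID, AuthData: authData, ClientData: clientData, Sig: sig}, nil
}

// Verify runs the RP-side checks and updates the stored counter on success.
func (rp *RelyingParty) Verify(user string, challenge []byte, as Assertion) error {
	cred, ok := rp.creds[user]
	if !ok || !bytes.Equal(cred.CredID, as.CredID) {
		return errors.New("unknown credential for user")
	}
	if len(as.AuthData) != 37 {
		return errors.New("malformed authenticator data")
	}
	rpHash := sha256.Sum256([]byte(rp.RPID))
	if !bytes.Equal(as.AuthData[:32], rpHash[:]) {
		return errors.New("rpIdHash mismatch")
	}
	if !bytes.Equal(as.ClientData, ClientDataJSON(challenge, "https://"+rp.RPID)) {
		return errors.New("challenge or origin mismatch")
	}
	cdh := sha256.Sum256(as.ClientData)
	msg := sha256.Sum256(append(append([]byte{}, as.AuthData...), cdh[:]...))
	if !ecdsa.VerifyASN1(cred.Pub, msg[:], as.Sig) {
		return errors.New("bad signature")
	}
	if count := binary.BigEndian.Uint32(as.AuthData[33:]); count <= cred.SignCount {
		return errors.New("signature counter did not increase: replay or cloned authenticator")
	} else {
		cred.SignCount = count
	}
	rp.creds[user] = cred
	return nil
}

func main() {
	rp := NewRelyingParty("shop.example")
	a, err := NewAuthenticator()
	if err != nil {
		panic(err)
	}
	rp.Register("alice", a)
	ch, _ := NewChallenge()
	as, _ := a.Sign(rp.RPID, ClientDataJSON(ch, "https://"+rp.RPID))
	fmt.Println("login:", rp.Verify("alice", ch, as))  // <nil>
	fmt.Println("replay:", rp.Verify("alice", ch, as)) // counter error
}
```

The point to notice is what the RP does not have to do: no certificate issuance, no CA hierarchy, no revocation lists. Its whole trust anchor per user is one public key, which is why a compromised RP database yields nothing an attacker can log in with.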
According to the practitioners at the conference, one of the most visible benefits of using phishing-resistant solutions is the large decline in helpdesk calls for password resets and account lockouts. While no attendee specifically called it out, another common advantage discussed by customers in other verticals is the ability to better associate specific sessions with specific users, since a physical device is harder to share than a password or an OTP app.
Risk Mitigation Strategies
Deploying modern authentication technologies, including certificate-based smart cards and FIDO2, is one of the best steps an organization can take to reduce a large portion of its risk. In situations where legacy architecture prevents direct integration with modern phishing-resistant authentication systems, jump boxes are one of the best alternatives. Some suggested guidance:
- Create a hybrid approach of solutions leveraging the strongest phishing-resistant methods to protect crown jewel systems
- Use phishing-resistant MFA to access all IT systems, for all privileged users and gradually widen the adoption
- Strive for phishing-resistant MFA that moves with users no matter how they work across devices, platforms and systems.
- Place purpose-built systems that support those authentication methods in front of logic controllers and legacy systems, and monitor them closely
- Limit users’ access rights to the minimum required to perform their role
- Conduct annual employee security awareness training alongside continuous learning
The Benefit of Modern Strong Authentication
During my conversations, two stories from retail and hospitality practitioners about how they are embracing stronger MFA strategies stood out to me:
- A global retailer discussed how they leveraged FIDO for back office technology and knowledge workers, but used smart cards for their sales teams, as they could force automatic desktop locking simply by removing the card from the reader.
- Another mentioned that they relied on a device-bound certificate (using something like Windows Hello for Business) for desktop and SSO, since the network infrastructure allowed close monitoring between systems on the sales floor and the supporting back office systems, while relying on additional authentication methods for non-sales-floor staff.
These methods fit within the PCI DSS standard (learn more about PCI DSS v4.0.1 here), since that standard has a carve-out for single-line Cardholder Data Environment (CDE) access. Both of these implementations followed the general process outlined in our Best Practices guide: they began by investigating and documenting systems, determined their overall use cases, kept user experience at the forefront, and worked through recursive pilots (each building on the successes and lessons learned of the prior).
Collectively Defending Retail and Hospitality from Cyber Threats
The best part of attending the RH-ISAC Summit is always meeting and talking to attendees, and sharing lessons learned and pitfalls. They provide first-hand insight into what goes on in real world scenarios, and give practitioners the stage for a needed victory lap when rollouts go well and also to learn from others about overcoming challenges. Often, in my role, I deal in abstracts and hypotheticals, but being out in the field and hearing the stories of successful programs really tells me that collectively we are making a difference in defending this sector from cyber threats.
When strengthening and modernizing your authentication strategy to meet the evolving threat landscape, keep user experience in mind, as users will need to be able to continue practicing strong behaviors. The strength of your strategy depends on its actual usage; otherwise you open your organization up to attack because users simply find ways around onerous authentication processes.
If you are interested in learning more, check out this white paper on securing retail and hospitality. I'd also love to help celebrate your Identity Program victory by highlighting your success, or to help dig deeper into modern phishing-resistant authentication and all things identity. Please connect with me at [email protected].