Such user behavior opens the door to credential stuffing: once an attacker has captured the login information for one site, a single reused password is enough to gain access to a wide variety of other services.
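The defensive counterpart to the credential-stuffing risk just described is detecting it in the authentication logs. The following Python is an added example, not code from the original article: it runs a simple detector over a handful of constructed log lines (timestamp, source IP, username, result). The heuristic, many distinct usernames from one source in a short window with a high failure rate, is an assumption chosen for illustration; the one successful login inside the sprayed window is exactly the reused-password hit that stuffing produces, so the detector reports it rather than treating it as benign.

```python
"""Credential-stuffing detector over constructed auth log lines (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the article): timestamp, source IP, username, result.
# 203.0.113.7 sprays one password across many accounts; 198.51.100.9 is one user mistyping.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.7 alice FAIL
2024-05-01T10:00:02Z 203.0.113.7 bob FAIL
2024-05-01T10:00:02Z 203.0.113.7 carol FAIL
2024-05-01T10:00:03Z 203.0.113.7 dave OK
2024-05-01T10:00:04Z 203.0.113.7 erin FAIL
2024-05-01T10:00:05Z 203.0.113.7 frank FAIL
2024-05-01T10:00:06Z 203.0.113.7 grace FAIL
2024-05-01T10:00:07Z 203.0.113.7 heidi FAIL
2024-05-01T10:00:20Z 198.51.100.9 alice FAIL
2024-05-01T10:00:25Z 198.51.100.9 alice FAIL
2024-05-01T10:00:31Z 198.51.100.9 alice OK
"""


def parse_line(line):
    """Split one log line into (datetime, ip, user, result)."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result


def detect_stuffing(log_text, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.6):
    """Return {ip: summary} for source IPs whose activity looks like credential stuffing.

    A source is flagged when, within `window`, it tries at least `min_users`
    distinct accounts and at least `min_fail_ratio` of those attempts fail.
    Per-account lockouts miss this pattern because each account sees only
    one failure; grouping by source IP is what exposes it.
    """
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        by_ip[ip].append((ts, user, result))

    suspects = {}
    for ip, evs in by_ip.items():
        for i, (start_ts, _, _) in enumerate(evs):
            in_window = [e for e in evs[i:] if e[0] - start_ts <= window]
            users = {u for _, u, _ in in_window}
            failures = sum(1 for _, _, r in in_window if r == "FAIL")
            if len(users) >= min_users and failures / len(in_window) >= min_fail_ratio:
                suspects[ip] = {
                    "distinct_users": len(users),
                    "attempts": len(in_window),
                    "failures": failures,
                    # accounts the spray got into: these need a password reset and review
                    "succeeded": sorted(u for _, u, r in in_window if r == "OK"),
                }
                break  # one qualifying window is enough to flag the source
    return suspects


if __name__ == "__main__":
    for ip, summary in detect_stuffing(SAMPLE_LOG).items():
        print(ip, summary)
```

The thresholds are deliberately loose so the constructed sample trips them; in production they would be tuned against the baseline of the real login service, and the `succeeded` list is the actionable output, since those accounts were reached with a password the attacker already held.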
This desire for convenience has also led to the increased use of federated identity providers (IdPs). Federated IdPs link a user's identity across multiple security domains, each supporting its own identity management system. When two domains are federated, the user can authenticate to one domain and then access resources in another domain without having to log in a second time. While a federated IdP offers advantages for the enterprise and is great for usability, it does introduce some risks, such as unauthorized access, especially if the services granting access to users are misconfigured or compromised in any way.
Another option for authentication is to go passwordless. PKI-based methods use a one-time certificate to verify the identity of the user and can therefore dispense with classic passwords while keeping the user experience in mind. However, the infrastructure behind this authentication concept is complex and costly to operate. Other password-free approaches, such as SQRL, have a hard time gaining traction in business environments because this public-domain method cannot provide the support structure enterprises require.
The adoption rate of a passwordless approach leaves something to be desired because every application would have to support the passwordless model, and that is a challenge, especially for long-lived applications. Modern, cloud-based solutions therefore rely on SAML or other token-based authentication methods, such as Kerberos or OpenID Connect.
After replacing the classic password as the access method for a variety of services with multifactor authentication, companies should increasingly consider how to ensure secure access to applications that move to the cloud. The more applications migrate to modern cloud environments, the more emphasis cloud-based access control mechanisms deserve. A promising approach is to combine password-free authentication with traditional methods.
In connection with the cloud and secure remote access to data and applications that are no longer stored in the corporate network, the term “zero trust” has become another hotly discussed, and sometimes misunderstood, component of user authentication. Skeptics worry that with only a one-time authentication, unauthorized users will be able to access approved services. However, Gartner believes that a Continuous Adaptive Risk and Trust Assessment (CARTA) model, which starts with a posture of zero trust, can serve as the foundation for continuous monitoring and assessment of a user’s validity and trustworthiness.
The password’s day has passed. The age of the cloud requires a whole new approach to secure access. Gartner recommends a software-defined perimeter (SDP) solution. SDPs allow teams to establish trust, provide secure access based on context (such as the identity of the user, the device, and more), and provide ongoing monitoring for continuous risk assessment.
That’s a far more secure approach for the cloud and mobile world. And infinitely more secure than relying on users who insist on the same weak password for online