Access management solutions are all too often fundamentally designed on the premise of a username & password architecture. As a result, usernames & passwords end up limiting how well access management solutions can prevent threats and/or constrain the range of user situations in which they work well: granting access to authorized users and denying it to adversaries.
Some access management solutions attempt to eliminate passwords from the access security equation to reduce user friction and eliminate downtime due to lost/forgotten/expired passwords.
Eliminating passwords from the username & password equation typically improves speed & availability; on the other hand, it creates additional threats.
Both password-based and password-less access management solutions typically attempt to improve access capability and their security posture with a combination of:
- Multi-Factor Authentication
- Data-driven adaptive authentication
- SSO using cookies & authentication federation.
All have significant security limitations because they are built on the username & password architecture as a fundamental building block of their design.
Multi-Factor Authentication (MFA)
Multi-factor authentication is a method to increase authentication security by requiring users to prove their identity with at least two pieces of evidence that must come from different categories: something they know, something they have, or something they are.
Requiring another authentication factor besides a username and password is the most common way to add multi-factor authentication. Usually, the industry offers an authentication app that prompts users with a notification, adding a possession factor to increase authentication security. This eliminates some threats, including credential stuffing and password guessing.
MFA, however, fails to address the most common cybersecurity threats: phishing and man-in-the-middle (MITM) attacks. With a growing number of companies depending on cloud services and an ever-increasing amount of data and assets online, hackers have caught up. They are able to gain access and do a maximum amount of theft and damage in a short time.
In 2023, MFA cannot be considered an identity fraud prevention method, since it can only shorten the time an attacker is free to access and manipulate confidential data.
MFA also comes at a high price from a usability perspective. Repeated second-factor authentication requests distract end users, who suffer from authentication fatigue – increased stress, reduced productivity, and poorer quality of work.
Data-Driven Adaptive Authentication
Traditional authenticators fail to ensure resource security in various user scenarios, so they strive to "enhance" protection with additional multi-factor steps and/or threat detection through context analysis, also known as "conditional access." This approach, however, also has its limitations.
Adaptive Authentication Shortcomings
Let’s take an example to explain the adaptive authentication dilemma: An enterprise user goes on a business trip to Tahiti. When the user tries to access resources remotely, the adaptive authentication system detects a suspicious login from an unusual location. Such a situation is considered an "anomaly and increased risk", so the authentication system may enforce additional MFA, a security phrase, or another type of additional verification mechanism to increase confidence in the security of the access request. From the user’s perspective, they’re asked to perform an unexpected security task that they may not be able to carry out at the moment; hence the system has no other choice but to refuse access altogether. With "good intentions" of asset protection, users are put in situations that often complicate workflow and limit their ability to access resources when needed. Such UX changes are generally inconvenient, confusing, and, in certain situations, even dangerous.
Single Sign-On (SSO)
SSO is a method where the user/employee signs in once and doesn't have to authenticate every time they revisit a service. SSO methods reflect the need to improve the user authentication experience so that users don’t have to log in repeatedly when a particular service session expires. Instead, when logging in, the service first checks whether the browser from which the user is attempting to log in has a valid SSO cookie and, if so, uses the cookie to authenticate the user instead.
When using a service like Asana, users don’t have to worry about entering their username and password many times a day; the browser repeatedly presents a cookie instead. This is a clear usability improvement compared to repeated user authentication, where users must participate actively.
The improved user experience, however, comes at a price – a cybersecurity downgrade. The problem with cookies is that they are more like tickets to a concert than IDs that can be authenticated. Anyone who has a cookie is welcome to log in. With long-lasting SSO cookies, there is plenty of time for a hacker to steal a cookie and then use it instead of the victim. In practice, they are vulnerable to phishing, MITM, or malware attacks – a single-sign-on cookie can be issued to the attacker instead of the actual user.
The side effect of typical SSO is downgraded cybersecurity, which creates more space for successful identity fraud and subsequent damage through cyber attacks.
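To make the "ticket, not ID" point concrete, here is an added example (not code from the post or from Peig): a minimal HMAC-signed SSO cookie. Without device binding, whoever presents a valid, unexpired cookie is let in; a short lifetime and binding the cookie to the device it was issued to (the device id, key and user names are constructed placeholders) shrink the window a stolen cookie is useful for.

```python
"""Added example (not from the post or from Peig): a signed SSO cookie.
Without device binding it is a bearer ticket: anyone who presents it is let
in. All keys, names and device ids here are constructed placeholders."""
import hashlib
import hmac
from typing import Optional

SERVER_KEY = b"constructed-server-secret"  # placeholder, not a real key

def issue_cookie(user: str, device_id: str, ttl_seconds: int, now: float) -> str:
    """Mint an HMAC-signed SSO cookie: user|device|expiry|signature."""
    expiry = int(now) + ttl_seconds
    payload = f"{user}|{device_id}|{expiry}"
    sig = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{sig}"

def validate_cookie(cookie: str, presenting_device: str, now: float,
                    bind_to_device: bool) -> Optional[str]:
    """Return the user if the cookie is accepted, else None.

    bind_to_device=False is the plain bearer model the post describes;
    bind_to_device=True only honours the cookie from the device it was
    issued to, so a copied cookie is refused from anywhere else."""
    try:
        user, device_id, expiry, sig = cookie.split("|")
    except ValueError:
        return None
    payload = f"{user}|{device_id}|{expiry}"
    expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None  # tampered or forged
    if now >= int(expiry):
        return None  # stolen cookie past its window
    if bind_to_device and device_id != presenting_device:
        return None  # replayed from a different device
    return user

def demo() -> dict:
    """Constructed scenario: Alice's cookie is copied to another box."""
    t0 = 1_700_000_000.0
    cookie = issue_cookie("alice", "laptop-A", ttl_seconds=3600, now=t0)
    return {
        "owner_bearer": validate_cookie(cookie, "laptop-A", t0 + 10, False),
        "thief_bearer": validate_cookie(cookie, "other-box", t0 + 10, False),
        "thief_bound": validate_cookie(cookie, "other-box", t0 + 10, True),
        "thief_expired": validate_cookie(cookie, "other-box", t0 + 3601, False),
        "forged": validate_cookie(cookie.replace("alice", "admin"), "laptop-A", t0 + 10, False),
    }
```

In the bearer model the copied cookie is accepted from the other box; only expiry or device binding turns it away.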
Authentication federation is a common method companies use to reduce user friction and integration complexity.
Indeed, with federation systems in place, employees no longer have to remember and manage a plethora of usernames and passwords. Instead, companies have a single centralized identity with one authentication mechanism. Users have just one authentication method, which serves as a single key to all applications. This is pleasant for users and gives CIOs more security control over their organization.
Federated SSO Shortcomings
Centralized federated identity systems also attract the attention of hackers, and the single-point-of-failure nature of the architecture demands more robust security measures to ensure a single successful attack doesn’t compromise all company data.
Combining the federation method with SSO has a compounding effect: SSO risks feed into the federation risk and vice versa.
Secure Your Access Management with Peig
Peig’s Passwordless Access Platform helps unify access management and streamline passwordless authentication in SaaS and private cloud apps as well as controlled network environments.
Secure AWS, Google Workspace, Microsoft 365, Salesforce, and other SaaS or self-hosted services, and improve your company's remote work business processes.
Peig access is unified with an authentication engine that addresses advanced phishing, MitM, session hijacking, and device manipulation attacks. The passwordless access platform is the best fit for mid-size enterprises that consider remote work using cloud-native applications critical.