Identity and access management is central to today's networks, both public and private. Basic authentication, in which a username and password have traditionally been the main line of defense, is no longer sufficient to protect networks and internet applications that increasingly rely on zero-trust security at the edge.
According to a recent Verizon data breach report, 82 percent of breaches involved some type of human element, including social engineering attacks, user errors, or general misuse. That is a primary reason that organizations are turning to a new generation of authentication called modern authentication.
Where Basic Authentication Falls Short
Basic authentication has its roots in accessing internet resources, where easy access for users is paramount. The username and password are placed in the HTTP Authorization header encoded with base64, which is an encoding rather than encryption, so the credentials are effectively in plain text; SSL/TLS is relied on to encrypt the headers in transit and keep the credentials confidential. The problem is that even when the more secure HTTPS is used, basic authentication has several drawbacks and vulnerabilities.
- The Authorization header carrying the credentials is sent with every request, so a bad actor who can observe or log any one of those requests captures the user's credentials.
- Passwords are usually cached right in the browser, which introduces another vulnerable access vector.
- Basic authentication isn’t able to limit grades of access permission, so one point of access to an application potentially opens up multiple avenues to all the data a user has access to. Users should have access only to the data needed for a particular function, nothing more.
- Fundamentally, usernames and passwords are an antiquated and inadequate method of protecting vital data and information.
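The first drawback above is easy to see in request logs. The following added example (not code from the original post) parses constructed proxy-style log lines, decodes any Basic credentials it finds, and reports how many times each username's password was replayed across requests, alongside requests that use a Bearer token instead. The log format, usernames and token values are all hypothetical.

```python
import base64
import binascii
import re

# Constructed sample log lines in a hypothetical "request | header" format.
# "YWxpY2U6aHVudGVyMg==" is base64 of "alice:hunter2".
SAMPLE_REQUESTS = [
    "GET /mail/inbox HTTP/1.1 | Authorization: Basic YWxpY2U6aHVudGVyMg==",
    "GET /mail/sent HTTP/1.1 | Authorization: Basic YWxpY2U6aHVudGVyMg==",
    "GET /api/files HTTP/1.1 | Authorization: Bearer eyJhbGciOiJSUzI1NiJ9.e30.sig",
    "GET /api/files HTTP/1.1 | Authorization: Basic bm90LWJhc2U2NA",
]

AUTH_RE = re.compile(r"Authorization:\s*(\w+)\s+(\S+)", re.IGNORECASE)


def decode_basic(value):
    """Decode a Basic credential string.

    Returns (username, password) or None when the value is not valid base64
    or does not contain the "user:password" separator.
    """
    try:
        raw = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    if not sep:
        return None
    return user, password


def audit(lines):
    """Summarise which scheme each request used and how often Basic
    credentials for the same user were sent again (replayed)."""
    report = {"basic_users": {}, "bearer_requests": 0, "malformed_basic": 0}
    for line in lines:
        match = AUTH_RE.search(line)
        if not match:
            continue
        scheme, value = match.group(1).lower(), match.group(2)
        if scheme == "bearer":
            report["bearer_requests"] += 1
        elif scheme == "basic":
            creds = decode_basic(value)
            if creds is None:
                report["malformed_basic"] += 1
            else:
                # Count the username only; the password itself is never logged.
                report["basic_users"][creds[0]] = report["basic_users"].get(creds[0], 0) + 1
    return report


if __name__ == "__main__":
    print(audit(SAMPLE_REQUESTS))
```

Every Basic request in the sample carries the same reusable secret, which is exactly why a single captured request is enough; the Bearer request carries a token that can be scoped and short-lived instead.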
Making the Move to Modern Authentication
Modern authentication is a stronger method of identity management that provides more secure user authentication and access authorization. It allows a user on a client device such as a laptop or mobile device to access a server and obtain data or information. Modern authentication lets administrators tailor authentication policy to meet their access control requirements. Admins can configure access policies from a single, centralized location to account for all users, instead of having to configure access separately for every individual application that requires network access.
Modern authentication follows a few basic tenets:
Today's technology users, whether for online banking or ATM transactions, demand a smooth and consistent user journey from beginning to end. Risk engines must analyze a wide range of data on the user, including location, device and even typing cadence, to verify a user's identity in real time.
A modern system can use shortcuts to verify user identities by allowing those who fit a low-risk profile to enter the network without adding additional user information. An example would be allowing users from a certain city where an HQ is located to access a network, whereas users from other locations would be asked for more information.
Attribute-based Access Controls
The system matches subject attributes, object attributes and environment conditions against the access requirements set out in specific access control rules. If the user's attributes do not satisfy the rule, access is denied.
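The risk-based shortcut (users at the HQ city get in without extra information, everyone else is asked for more) and the attribute-based matching described above can be expressed as one ordered rule set. The following added example, not code from the original post, is a small ABAC evaluator in which each rule is a predicate over subject, object and environment attributes that yields "allow", "step_up" (ask the user for more) or "deny"; the first matching rule wins and no match means deny. The HQ city, attribute names and rules are hypothetical.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Attrs = Dict[str, object]


@dataclass
class Request:
    subject: Attrs       # user attributes, e.g. department, trusted_device
    resource: Attrs      # object attributes, e.g. owner_department, classification
    environment: Attrs   # conditions at request time, e.g. city


@dataclass
class Rule:
    name: str
    matches: Callable[[Attrs, Attrs, Attrs], bool]
    decision: str        # "allow", "step_up" or "deny"


HQ_CITY = "Chicago"      # hypothetical HQ location used by the low-risk shortcut

# Ordered policy: more restrictive rules first, so a deny for restricted data on
# an untrusted device cannot be bypassed by the HQ shortcut that follows it.
POLICY: List[Rule] = [
    Rule("deny-restricted-on-untrusted-device",
         lambda s, r, e: r["classification"] == "restricted"
         and not s.get("trusted_device", False),
         "deny"),
    Rule("hq-low-risk-shortcut",
         lambda s, r, e: e["city"] == HQ_CITY
         and s["department"] == r["owner_department"],
         "allow"),
    Rule("same-department-offsite-needs-step-up",
         lambda s, r, e: s["department"] == r["owner_department"],
         "step_up"),
]


def evaluate(req: Request, policy: List[Rule] = POLICY) -> Tuple[str, str]:
    """Return (decision, rule_name); deny by default when nothing matches."""
    for rule in policy:
        if rule.matches(req.subject, req.resource, req.environment):
            return rule.decision, rule.name
    return "deny", "default-deny"


def hq_request(dept="finance", classification="confidential", trusted=True):
    """Constructed request from the HQ city (helper for demonstrations)."""
    return Request({"department": dept, "trusted_device": trusted},
                   {"owner_department": "finance", "classification": classification},
                   {"city": HQ_CITY})


def remote_request(dept="finance", classification="confidential", trusted=True):
    """Constructed request from outside the HQ city."""
    return Request({"department": dept, "trusted_device": trusted},
                   {"owner_department": "finance", "classification": classification},
                   {"city": "Lisbon"})


if __name__ == "__main__":
    for req in (hq_request(), remote_request(), remote_request(dept="sales"),
                hq_request(classification="restricted", trusted=False)):
        print(req.environment["city"], req.subject["department"], evaluate(req))
```

The ordering is the security-relevant design choice: a "shortcut" rule is only safe when every rule that must take precedence over it sits earlier in the list, and a default of deny means a request that no rule anticipated never slips through.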
Modern Authentication Protocols
Modern authentication uses established protocols that are designed to accommodate internet-scale applications and their access control. They allow administrators to separate the identity provider (the entity that accepts credentials and validates who a user is) from the service provider (the entity providing the service a user is trying to access), and there is no requirement for direct communication between the identity and service providers.
Common modern authentication protocols include:
- WS-Federation (Web Services Federation): Used to verify and authenticate a user across web-based services so that a user can stay authenticated across multiple applications. It’s commonly used with Microsoft Active Directory.
- Security Assertion Markup Language (SAML): Connects the identity provider to the service provider and demands the verification of user credentials. It also gives more flexibility in determining who starts the authorization flow and how the encryption works.
- Open Authorization (OAuth): As a delegation protocol, OAuth authorizes access to compatible sites once you’ve logged in to one site, such as signing into Facebook or Google to authenticate you for other partner sites.
- OpenID Connect (OIDC): Built on top of OAuth 2.0 as an identity layer with agreed-upon minimum standards that major platforms must meet, allowing developers to move the authorization process to trusted agent platforms.
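What all of these protocols have in common is that the identity provider issues a signed statement about the user and the service provider verifies it on its own, without calling the identity provider at the moment of access. The following added example, not code from the original post, models that in the compact JWS form OIDC ID tokens use: the identity provider mints a token with issuer, subject, audience and expiry claims, and the service provider checks the signature, the algorithm, the issuer, the audience and the expiry before trusting it. It simplifies by using an HMAC key shared out of band (real OIDC deployments use asymmetric keys published by the issuer); the key, issuer and audience values are constructed for the example.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

# Constructed demonstration key shared out of band between IdP and SP.
SHARED_KEY = b"constructed-demo-key-not-for-production"
IDP_ISSUER = "https://idp.example"      # hypothetical identity provider
SP_AUDIENCE = "https://app.example"     # hypothetical service provider


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def issue_token(key, subject, audience, issuer=IDP_ISSUER, ttl=300, now=None):
    """Identity provider side: mint a signed header.claims.signature token."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "sub": subject, "aud": audience,
              "iat": now, "exp": now + ttl}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(key, token, expected_audience, expected_issuer=IDP_ISSUER, now=None):
    """Service provider side: return (True, claims) or (False, reason).

    The checks are performed offline; nothing is sent to the identity provider.
    """
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    header_b64, claims_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except (binascii.Error, ValueError):
        return False, "malformed"
    # Only accept the one algorithm this verifier is configured for; the
    # header is untrusted input and must not choose the algorithm for us.
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected = hmac.new(key, f"{header_b64}.{claims_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    # Claims are read only after the signature has been verified.
    try:
        claims = json.loads(_b64url_decode(claims_b64))
    except (binascii.Error, ValueError):
        return False, "malformed"
    if claims.get("iss") != expected_issuer:
        return False, "wrong issuer"
    if claims.get("aud") != expected_audience:
        return False, "wrong audience"
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        return False, "expired"
    return True, claims


if __name__ == "__main__":
    token = issue_token(SHARED_KEY, "alice", SP_AUDIENCE)
    print(verify_token(SHARED_KEY, token, SP_AUDIENCE))
```

The order of checks matters: the algorithm is pinned and the signature is verified before any claim is read, and the audience check is what stops a token minted for one service provider from being accepted by another.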
Microsoft Moving Deadline for Modern Authentication
The issue of companies moving to modern authentication has been in the news lately, as Microsoft anticipates retiring support for basic authentication on Exchange Online, putting pressure on admins to switch over to modern authentication methods. Microsoft announced on September 1, 2022 that customers will be able to re-enable basic authentication for selected protocols one time after the old October 1 deadline until the end of 2022, and it will permanently disable basic authentication for these protocols in the first week of January 2023.
Keeping Skill Sets Current
Cyber security certifications like CISSP and CISM will be critical for network security administrators who will be under the gun to keep pace with big changes in identity and access management. It’s not too late to get a jump on these developments in a rapidly-growing IT industry.