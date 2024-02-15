



How does passwordless authentication fit into Zero Trust?

Passwordless authentication fits naturally into a Zero Trust security framework. Zero Trust means treating every connection and endpoint as a potential threat, applying the principle of least privilege, and requiring verification at every stage of user and network interaction. Strong multi-factor authentication sits at the core of a Zero Trust framework, and passwordless authentication is an evolution of MFA and single sign-on. Multi-factor authentication can combine passwords with passwordless techniques; passkeys remove the password from the equation entirely, which adds a layer of security. Even with passwordless authentication, we recommend authenticating with multiple factors rather than relying on a single one. If a device is stolen and the thief also obtains the user's PIN or one-time password, a second form of passwordless authentication, such as biometrics, prevents unauthorized use.

Passkeys can also streamline the authentication process and provide a smoother user experience.

When thinking about zero trust, Goerlich says, you want to regularly assess trust and evaluate everything. Constantly going to the user and having them enter a code, PIN, or password will be met with significant resistance. So I think many of the successful roadmaps for states and local governments pursuing zero trust are implementing passwordless as a way to reduce friction for users while increasing assurance around identity.

Passwordless authentication and zero trust work together. A government agency may verify a user's fingerprint or face, or require the user to enter a PIN, but agencies that adopt Zero Trust also need to ensure that the user is on the expected device, in the expected location, and behaving as expected.

This is a multi-factor future. It's about implementing the strongest possible factors and addressing concerns about phishing and other common attacks, Goerlich says.

How can state and local agencies implement passwordless authentication?

For passwordless authentication to work, your organization's system of record or application must support passwordless authentication and the FIDO2 standard. Modernizing to get that support may seem difficult, but Goerlich says he's seeing government agencies pursue portfolio strategies that use multi-factor authentication across their environments. This strategy allows an agency to achieve the strongest possible authentication.

When you go to local governments, counties, local agencies, there's a lot of technology running that isn't necessarily cutting edge. So, unfortunately, what's happening in the passwordless world right now is a story of the haves and the have-nots, Goerlich said. The device must support passwordless directly, either through an endpoint device, phone, or hardware security token. There's a front-end component to make sure government employees are equipped with biometrics and all these devices.

Another element of implementation is to communicate the secure nature of the passkey and make it clear that biometric data is never collected by the website or application and never leaves the user's personal device.

Much of the success with technologies like biometrics and passwordless revolves around security champion programs, awareness programs, and communications, Goerlich said. We've been using passwords all our lives. It's a matter of communication, explaining what's going on and being very transparent.

