When PKI Excels for Passwordless Authentication
End-to-End Passwordless — and More
Though it’s been talked about for years, passwordless authentication may finally be poised to go mainstream. And not a moment too soon — hackers launch an average of 50 million password attacks every day. When those attacks lead to data breaches (which they do increasingly often), they cost organizations an average of nearly $3 million.
Organizations that incorporate passwordless methods into their security increase productivity and lower costs. In fact, Forrester research showed that large organizations can spend up to $1 million per year on infrastructure and staffing to handle password resets alone.
The rise of Fast Identity Online (FIDO) authentication standards has made it easier than ever to go passwordless. FIDO passkeys, in the form of device bound or platform synchronized, is a great choice for many use cases, but there are also times when public key infrastructure (PKI) is the way to go. PKI is among the most secure passwordless authentication technologies, because it relies on a trusted certificate authority (CA) to authenticate users and devices and facilitate encrypted communications. PKI is most commonly used by governments and other organizations that are part of highly regulated industries.
In this article, you will learn the basics of how PKI-based passwordless authentication works, when it’s most effective in workforce applications and what to consider when implementing it.
How PKI Powers Passwordless Authentication
PKI was originally developed to facilitate network security — and enable people and devices to trust that the entities they interact with online are who they say they are. Yet PKI infrastructure is well-suited to passwordless authentication, because it provides a set of tools that can verify a single entity’s identity across multiple security domains.
PKI relies on asymmetric cryptography, which is nearly impossible to crack. A hardware device, such as a smart card or security key, generates a mathematically related keypair (public key and private key), and then a certificate signing request (CSR) is sent to a certificate authority (CA) to have a certificate created. The certificate created by the CA is then put into the hardware device. The public key is available to anyone requesting it, while the private key is bound to the specific device and can’t be separated from it.
In order to successfully authenticate their identities and log in to a network or service, users must prove they have the private key that’s been assigned to them (proof of possession). This happens via a secure, cryptographic connection that’s facilitated by the public key and trusted digital certificate and works seamlessly in the background.
Over the years, IT ecosystem players — including operating system, browser, and application vendors — have worked to implement native support for PKI, and it enjoys broad adoption in the market.
Advantages and Disadvantages of PKI
PKI certificates can be provisioned across a wide range of devices, including smart cards, security keys and mobile phones. The technology requires more careful planning, deployment, and management than FIDO, but it also offers capabilities beyond authentication. Advantages include:
- Security — PKI authentication systems offer strong, phishing-resistant, and tamper-proof security. They also stand up to attacks on the corporate network because private PKI keys are stored on individual user devices instead of servers.
- Federation — PKI certificates can be used across multiple security domains. That enables organizations to authenticate identities external to their own networks by establishing a single trust relationship with the issuing CA. FIDO authentication keys, on the other hand, are said to be “scoped” (or unique) to an individual website- or service-user pair.
- Flexibility — PKI infrastructure can be and, in most organizations, already is, used for more than just passwordless authentication, including data encryption and digital signatures.
- Central management — PKI is centrally managed by design, and best-in-class solutions offer robust, on-demand audit and reporting mechanisms. IT teams can assign, revoke, suspend, resume, and customize certificate hierarchies and profiles with ease, via a centralized management console.
Implementing Passwordless With PKI
The first step in any PKI deployment is to think through solution design. How will passwordless authentication fit into your existing infrastructure? How will you plan and manage deployment? Do you want to implement this for your internal networks only or to authenticate to external platform services as well? If external platforms, do they support private CAs or require public trusted CAs?
Implementing passwordless authentication with PKI (certificate-based authentication) can be straightforward, especially with modern tools and platforms that simplify the process. Most companies do not need to adhere to the strict requirements that are required for government entities. This reduces the complexity and overhead of installing and managing these systems and devices, making it an affordable and secure solution for companies of any size. As with any security measure, attention to best practices and proper management is crucial for a successful implementation.
Moving Toward a Passwordless Future
By now, it’s clear that passwords put both individuals and organizations at risk. In fact, 91% of IT leaders worry about password theft, while 50% are concerned that passwords are too weak to keep their organizations safe.
The good news? With a little foresight and planning, security leaders can significantly reduce those fears by diversifying their identity and authentication methods. Passwordless authentication solutions — whether powered by PKI or the FIDO authentication protocol — are secure, user friendly and easier than ever to implement.
Learn how to unburden your IT team with HID’s PKI-as-a-Service >>
This blog is part 3 of HID’s ‘Path to Passwordless’ series. Explore the differences between PKI and FIDO authentication in part 1, or take a deep dive into FIDO authentication in part 2.
Brent Vernon is the Senior Director of Technology and Product Management at HID Global and brings over 20 years of experience in various fields of Identity and Access Management (IAM) globally and across multiple verticals. He has held multiple positions within professional services and pre-sales which has taken him to guide and offer strategic cyber security insights to enterprises of various sizes throughout the years. In his current role, he leads the strategic technology development and product management within the Authentication business area at HID.