Zero Trust Security Two-Factor Authentication Key

Historically, organizations believed that people and devices inside of their network and IT perimeter could inherently be trusted and that attacks only came from the outside.  However with the adoption of mobile and cloud, the network and IT perimeter is now uncontained and gone are the lines between internal and external users, services and data. This has lead to the adoption of a zero trust security strategy.

Accelerating this transformation to an essentially amorphous network and IT perimeter is the adoption of the distributed and hybrid working environment.  Thus as a strategy, the concept of “zero trust security” is a response to the new complexity of the network & IT user base coupled with the reality that any internal network or IT infrastructure can no longer be assumed to be composed of “trusted” parties.  

Today establishing trust relationships between users and network / IT infrastructure is critical for organizations to securely enable access to their data resources, whether stored in the cloud and on-premises, to employees, contractors, partners, suppliers, and more, regardless of their location, network or device.  Hence the challenge to protect networks and IT perimeters begins with “identity and access management (IAM)” founded on zero trust security principles employing two-factor authentication with physical security keys.

Zero Trust Security with Two-Factor Authentication Keys

Zero trust security strategy assumes that every attempt to access the network or the IT infrastructure is a threat and to not trust anyone inside or outside the network unless their identification has been authenticated.  In other words, this strategy relies on identity authentication instead of basing trust on a user’s physical location or job title relative to the organization’s network and IT infrastructure. 

Zero trust security works by requiring all users of the network or IT infrastructure to verify themselves through a protocol called two-factor authentication or 2FA. Two-factor authentication means providing a second form or factor of authentication, along the traditional credentials, when at the point of login.  The second factor must be tied to something that only the user alone has, such as physical security key device, a smartphone or even a personal attribute, such as your fingerprint.

If you’re new to zero trust security with two-factor authentication physical keys, a typical new-login protocol works once you’ve registered a security key with a server, network, website or app:

1. You pull up the login page of what you’re trying to access and proceed with the submitting of a username and password, just as usual.
2. The login page then prompts you to connect your security key. Depending on the type you have, you will insert the security key into a port on your iPhone or Android device, perhaps a USB computer port, or even hold the security key near the top of your phone if the key supports wireless near-field communication (NFC) or Bluetooth.
3. You activate the key by clicking a button or allowing your fingerprint to be read on the thumbnail surface of the key, or perhaps applying a physical tap to the security key.

FEITIAN iePass FIDO2 FIDO U2F USB-C + iOS Lightning Security Key with PIV (K44)

When it comes to adopting zero trust security measures, physical security keys offer the strongest layer of protection.  Two of the safest approaches to two-factor authentication are USB security keys such as the ePass FIDO® Security Key and iePass FIDO K44 Security Key  (for lightning connection to iPhones) and near-field-communications (NFC) security keys such as the ePass FIDO® K9 Security Key (which interacts wirelessly with smartphones).

Security keys have the general appearance of USB drives and can be inserted into desktops, tablets, phones, tablets, and more. Some are thumbnail-sized and barely stick out when plugged into a notebook or phone. Thanks to a computer chip inside the security key they can connect to online servers to perform identity authentication. Only by successfully performing and completing zero trust security two-factor authentication will users be allowed access to the network, website, or IT infrastructure. 

FEITIAN is a Yubikey alternative at lower price with best in class two-factor authentication security keys in the same environments and applications wherein Yubico products are used.  FEITIAN also offers the BioPass FIDO2 Security Key which leverages biometric technology requiring a fingerprint match for authentication effectively preventing misuse of the security key from people other than authorized user.

Our ‘flagship’ offering is a twin pack,  the Feitian MultiPass K16 and USB ePass K9 Security Keys features: FIDO U2F certified security key | NFC interface for mobile phones and contactless readers | BLE for compatible mobile devices (MultiPass FIDO only) | Suitable for services requiring two security keys.  The Feitian MultiPass K16 and USB ePass K9 Security Keys are a twin pack of keys with different capabilities. One key provides USB-A and NFC support, while the other key provides Bluetooth connectivity.  Together, they offer coverage for a wide range of platforms and devices.   

Zero Trust Security Eliminates Identity Sprawl

The IDSA is an organization composed of identity and security professionals that acts as an independent source of practical guidance, expertise, and thought leadership on identity-focused approaches to zero trust security. 

The Identity Defined Security Alliance (IDSA) has determined zero trust security begins with identity and access management (IAM) with two-factor authentication physical keys as it ensures the right people have the appropriate level of access to the correct resources,  and that access can be assessed continuously and without friction.    That means resolving the leading issue that thwarts growing organization’s network(s) and IT infrastructure from achieving zero trust; the problem of identity sprawl.

• the average staff member in an organization now has 30 identities* 
• machine identities (digital credentials) outnumber human identities 45:1*
• credential threat is the #1 risk for organizations*

When a user’s identity is handled by numerous isolated and out of sync directories or systems, each of those identities creates a potential unsecured point of attack that hackers can target.  ‘Identity sprawl’ results when an application or system is not, or cannot be, integrated with an organization’s central directory service.  This results in multiple sets of login credentials or user identities, for a single person, each requiring separate management to support login to that application or system.  

The additional administrative costs and overhead associated with managing all these individual identities is only the start of the challenge.   Accompanying identity sprawl is the reality that users will reuse the same passwords for different services, exposing the entire organization’s network to be more vulnerable to credential spying.

Placing a second layering of protection or 2FA, two-factor authentication to a centralized identity point of access effectively mitigates attacks targeting credentials. Additionally, unifying access policies across servers and applications is essential to bringing identity access management together into one manageable framework, therapy achieving zero rust security for IT resources across the cloud and on- premises.

10 Benefits of a Zero Trust Security with Two-Factor Authorization, 2FA

Setting up security keys is simple and straightforward. For administrators, zero trust security makes it easy to use your keys with any Identity Provider (IdP) and integrates both the keys and IdP into a comprehensive zero trust solution. For employees, a simple guided prompt makes the action of touching a security key for authentication seamless. Zero trust with two-factor authentication or 2FA provides the strongest security for a zero-trust architecture because its:

1. Passwordless: No shared secrets or use passwords. 
2. Phishing resistant: No exposure to codes or magic links (ways to login to an account without a password), or other tactics when targeted with phishing.
3. Ability to validate user devices:  You can ensure requesting devices are tethered to a user and permitted to access online applications and assets. 
4. Ability to assess device security compliance: Able to determine if devices adhere with security policies.
5. Ability to analyze risk signals: Able to collect and analyze data from IT management tools, endpoints and security tools.
6. Continuous risk assessment: the ability to identify and assess risk during a user’s session instead of relying solely on one-time authentication, common with   financial transactions.
7. Integrated with the existing IT security infrastructure: Integrating with already in place tools in the security infrastructure to enhance risk detection, react to suspicious behaviors faster, and to improve compliance and audit reporting. 
8. Protection of customer data profiles: The time wasted and frustration accompanying the loss of customer data is eliminated, along with the cost of losing customers who lost trust with any security breach.  
9. Reduced complexity and redundancy of the security stack: When a zero-trust security system manages all of the security functions, you can remove stacks of web getaways, redundant firewalls, and other security devices.
10. Reduced need to hire security professionals and train them: A central zero trust security system dramatically reduces the need to hire as many people as possible to monitor, manage, refine, and update security controls.

Zero Trust Security Assurance & Compliance Goals

Higher Levels of Assurance & Compliance

A passwordless network and IT infrastructure access protocol supported with two-factor authentication, 2FA with FEITIAN security keys achieves National Institute for Science and Technology (NIST)  AAL3 guidelines.  Categorically this is recognized as very high confidence on identity proofing and authentication of users (such as commercial businesses, contractors, employees, and private individuals) working with government IT systems over open networks. These guidelines are applied as part of the risk assessment and implementation of federal agencies’ digital services.

According to NIST zero trust security architecture specification, two-factor authentication, 2FA, with a physical security key is the very best approach for an enterprise securing access to its networks and IT infrastructure and offers the following benefits:   

Solve Two-Factor Authorization Gaps and Accelerate Adoption
Zero Trust begins at the endpoint, the device from where users are logging in, so naturally it should be secured to the highest degree.  Whether a personal laptop, a smartphone or a shared workstation, users adopting a passwordless zero trust protocol is the best way to solve your desktop/notebook/tablet/smartphone two-factor authorization gap. The same login experience can then be extended to remote access such as with a remote desktop protocol or RDP and virtual private network or VPN, as well as Virtual Desktops and Single Sign-On. 

Increase Deterrent for I.D. & Password Credential Based Attacks
One of the core principles of the Zero Trust Security is “to apply preventative measures to deter hackers.”  Once attackers become aware that your users are not using the traditional username + password login alone and have included zero trust security two-factor authentication with security keys, that knowledge in and of itself is sufficient to convince hackers your network and IT infrastructure is not vulnerable to their skills. 

Redefining Risk-Based Authentication
Zero Trust security practices promote continuous authorization, a method of confirming a person’s identity in real time while they are performing a transaction on a device, for example. It’s based on the risk level and contextual information about the user, location, role, and type of device.  The advantage of continuous risk-based authentication is that it allows a security system to measure, score, and if necessary, flag or alert and require re-authorization to proceed online with the transaction.

Zero Trust Security Two-Factor Authentication for Endpoints

70% of successful network security breaches originate at endpoints, the devices communicating with IT infrastructure (applications, servers, and networks).  Examples of endpoints are:

• Desktop computers & workstations
  • Laptops & notebooks
  • Tablets
  • Smartphones
  • Servers
  • Internet-of-things (IoT) devices 

Two-factor authentication security keys turn endpoints into zero trust security enforcement mechanisms, effective regardless of user location: on-site, at home, or at a coffee shop.  This is critical since endpoints are often personally owned through a bring your own device (BYOD) arrangement and usually represent the weakest link in a zero trust strategy.

An integrated platform approach that couples two-factor authentication security keys at endpoint with your network security achieves a zero trust model protecting your IT architecture.  

The zero trust model also involves partnering endpoint security device keys with virtual private network, or VPN, security thereby enabling a global zero trust security policy to move with the user and endpoint.  To establish endpoints are continually protected, VPN functioning should be a transparent experience.  When VPNs and endpoint zero trust security mechanisms are coupled, regardless of their location, endpoints are secure, preventing traffic with malicious intent from reaching the VPN and firewall.

Next Steps to Implement a Zero Trust Security Two-Factor Authentication 

FEITIAN security keys enable organizations to swiftly implement zero trust security practices through phishing-resistant, verifiable, certificate-based identities across all devices, users, apps, and workloads. Our two-factor authentication (2FA) security keys establish:

• high assurance certificate-based passwordless access & endpoint identities
• support for single sign-on (SSO) environments for a more seamless experience

protecting your workforce, network and IT infrastructure.  Our best-in-class security key tokens (hardware devices) can easily integrate with a comprehensive partner ecosystem to provide complete coverage for optimal zero trust security.

Passwordless two-factor authentication (2FA) for access to your network, applications and IT infrastructure can be implemented faster and at much less expense than you may be thinking.   By taking a compartmental approach to zero trust security and focusing on quick wins through two-factor authentication security keys, you can simplify some of the complexity and reduce any risk inherent in your traditional network / IT infrastructure.  Best of all, you don’t have to retire and replace any of your tech, computers or IT infrastructure to get started and aligning your zero trust security investments to your most pressing and sensitive business needs is a great starting point.

Implementing zero trust security two-factor authentication protocols to your network / IT infrastructure will enable you to realize cost optimizations without retooling, business agility, and improve your overall operations. Eliminating reliance solely on passwords and implementing hardware two-factor authentication security key devices lays the foundation for a powerful zero trust security experience that’s simple to use and deploy.