We’re excited to introduce a new capability in our Oct 2019 Release of the Banyan Zero Trust Network Access Platform – Passwordless Authentication with Zero Trust. Enterprise security can roll out least privilege access controls following Zero Trust principles, while corporate users benefit from not having to enter their username and password every time they access corporate resources. Read on for a description of why we developed this feature and how you can start using it today.
Passwords pose a major risk to Enterprise security
Every application you use today, be it a consumer application like Gmail or Facebook, or a corporate application like Workday or Oracle, requires you to enter a username and password to authenticate. Yet, every IT professional knows that passwords have become so easy to steal that this mechanism is fundamentally insecure.
As Alex Weinert at Microsoft described in his famous post, Your Pa$$word doesn’t matter:
“[it is] not to say your password isn’t terrible. It’s *definitely* terrible, given the likelihood that it gets guessed, intercepted, phished, or re-used.”
It’s even worse in enterprise environments where organizations have invested heavily in Single Sign-On (SSO) tools such as Active Directory, Okta, or Ping. As the name indicates, SSO means a single password gives employees seamless access to all enterprise resources. However, this also means a single password compromise can give an attacker unfettered access to those same sensitive enterprise resources. Security-conscious IT organizations counter this by rolling out painful password complexity requirements, periodic password resets, and other user-unfriendly measures.
Multi-factor Authentication IS NOT the same as Passwordless
A popular solution to the security risks posed by passwords is to add another check after the user has entered their password, known as Multi-Factor Authentication (MFA). MFA typically involves the use of a secondary token or one-time code, often sent via Text Message or a Push Notification, to be provided after the password-based authentication.
While MFA definitely enhances security by requiring an additional check, it does not actually do away with the password. Further, hackers have developed sophisticated phishing schemes that can defeat MFA, especially when the MFA technique uses SMS OTP. MFA hacks have increased so much recently that the FBI issued a specific cyberattack warning last week: Multi-Factor Authentication Is Being Defeated. [And again on 14 Jan 2021, Cloud Attacks Are Bypassing MFA, Feds Warn.]
The “right” approach to Passwordless for enterprise Security
While there is no right approach to security, Enterprise Security professionals have long known that the best way to deal with the increasingly sophisticated attacks against passwords and MFA is to use cryptography tied to a specific device.
To further quote Alex Weinert:
“the right way to get rid of passwords is to use a cryptographically strong credential bound to the client hardware.”
Examples of such cryptography include Device Certificates (stored in a secure Keychain or Trusted Platform Module) or external Hardware keys (such as YubiKey or the Google Titan key).
Unfortunately, operationalizing such cryptography-based security has traditionally been very expensive, requiring cumbersome security tools and dedicated IT headcount to:
- Manage the lifecycle of cryptographic certificates via Public Key Infrastructure (PKI)
- Automate certification revocation processes at scale (OCSP, CRL)
- Manage the lifecycle of hardware keys
- Define and distribute certificates via a Device Manager (MDM)
- Create custom policy frameworks and integrations for access control
Banyan’s Zero Trust Network Access Platform takes a unique approach to deliver secure Passwordless access without the traditional cost or complexity associated with authentication using cryptography tied to a device.
Banyan provides lightweight native apps for desktop (Windows, macOS, Linux) and mobile (iOS, Android) platforms that can be seamlessly installed on corporate-managed and employee-owned devices. The Banyan apps securely register the device and install and manage the cryptographic Device Certificates. With Banyan you don’t need to run any complicated PKI or MDM tools (although we do integrate with your PKI and MDM if you already have them).
Banyan delivers a great user experience by eliminating insecure passwords
Corporate users no longer need to enter their SSO username and password to access a corporate resource. Instead, Banyan uses Device Certificates to seamlessly authenticate the user. Once they are authenticated, all the user has to do is perform their MFA check and they get dropped into the application they need.
“I love having to create a password that meets all our dumb password rules. Then, I really enjoy having to change it every 30 days, typically right in the middle of an important demo.”
– Said No Employee. Ever.
Initial feedback from employees at organizations that have deployed Banyan Passwordless has been phenomenal. One large enterprise customer reports that deploying passwordless has saved their users over 2500 man-hours every single day.
Banyan enhances enterprise security with its flexible policy engine and dynamic Trust Scoring
Because Banyan enables an organization to roll out Zero Trust security alongside Passwordless, overall enterprise security is significantly improved. Using dynamic trust scoring, continuous authorization, and granular enforcement, Banyan continuously evaluates the security posture of every user and device attempting access and enforces access control policies.
“Banyan allows us to roll out Passwordless authentication and then also monitor the trustworthiness of the entity once a user is authenticated. [In our environment] we do this by integrating with our existing enterprise tooling including AirWatch, CrowdStrike, Splunk, and Ping. If at any time, we detect that the TrustScore of the user has fallen below a predetermined threshold, we apply a policy that revokes access immediately.”
– CISO, F500 Tech Company
Available Now … Enable in your Console Today
To enable Passwordless, just log into your account on the Banyan Web Console, navigate to Settings and enable Passwordless Authentication.
In just a few button clicks, you improve your users’ authentication experience while enhancing enterprise security.
See our “Eliminating 90-Day Password Changes” blog for additional information on going passwordless.
If you’re not yet a Banyan Security customer, schedule a chat and a demo.