Servers, Kubernetes clusters and databases hold a company’s secrets, intellectual property, financials and confidential information about customers and employees. That’s why they’re popular targets for attacks, and why traditional passwords aren’t nearly strong enough to protect them.
Over the years, companies have tried to make passwords more sophisticated, rotate them and use SSH keys to make them harder to crack. But bad actors are advancing at the same pace — or faster with the help of AI — and admins still struggle to provision, decommission and rotate passwords, tokens and SSH keys.
Passwordless authentication is one solution to prevent bad actors from gaining access to infrastructure and applications. It verifies a user based on characteristics inherent to a person or a piece of hardware that can’t be compromised, like a fingerprint or physical USB. The best passwordless access both simplifies access for users and improves your security posture by removing a single point of compromise. Here’s how.
In a zero trust model, companies don’t trust anyone or anything. Passwordless is an efficient way to confirm that a user is who they say they are, which is why it should be part of a holistic authentication process. If a company’s authenticating with multiple roots of trust, like BastionZero and an identity provider (IdP), at least one root should have passwordless authentication.
If a user logs in with credentials from a third-party IdP, like Google or Okta, the IdP can verify the user and their privileges with the company’s IT. Once verified, the service will grant access to the target.
An authenticator app, like Google Authenticator, sends a software token to a user’s smartphone, computer or tablet. The token is a one-time code that the user enters (sometimes with a second form of authentication) to gain access to a target.
A hardware token is a physical device like a USB or fob, which works through a physical connection to a computer or by generating a one-time passcode that the user enters into an on-screen prompt to gain access.
Biometrics, like fingerprints, retinas, voice or facial recognition are compared to saved data to grant or deny access. This may be done through a user's smartphone, tablet or laptop if it has built-in biometric authentication.
A magic link is a one-time URL sent to a user via email or SMS. When a user opens the link, it matches the device it’s opened on with a token in a database to verify the device.
Smart cards are physical cards that generally use a data-containing chip and RFID wireless connectivity to authenticate a user. They are often used to grant access to workstations or applications.
A persistent cookie is a file that’s stored on a device to remember a user's credentials and grant access if the user is logged in. This can stay on a computer indefinitely, or until a predetermined expiration date or the user clears their cookies.
Some systems and applications have native passwordless authentication, which may be built into their multi-factor authentication (MFA) process. Google and Microsoft are prime examples.
Although passwordless authentication is gaining popularity, it’s not embedded in all infrastructure access solutions. Here’s how to bolster the security of your infrastructure using passwordless authentication.
A best practice for zero trust infrastructure access is to use two roots of trust, like BastionZero and an IdP, to grant a user access to a target. This prevents threat actors from getting into your infrastructure, even if one root of trust is compromised. In this model, at least one root of trust should use passwordless authentication.
It’s not easy to securely manage credentials in today’s enterprise. BastionZero eliminates the huge hassles of provisioning, decommissioning and rotating passwords, tokens and SSH keys. There’s no need to set up IAM roles across different clouds and accounts, which simplifies the process to on- and off-board users.
81% of hacking-related data breaches are caused by weak or stolen credentials, according to Verizon’s 2022 Data Breach Investigations Report. Passwordless helps mitigate the risk of a breach to your critical infrastructure.
Admins often manage a mess of passwords, SSH keys and tokens, and waste time and resources provisioning, decommissioning and rotating them. Passwordless removes this burden so admins can focus their attention on other activities.
It’s a hassle to create and memorize or securely store passwords and SSH keys. Not to mention answering a series of security questions every time you forget or need to verify a password. Passwordless authentication eliminates friction and reduces user frustration, while providing secure access to infrastructure.