7 strong authentication practices for zero trust

As organizations grapple with protecting data and infrastructure in the era of cloud technology and remote working, Yubico’s Chad Thunberg argues that strong authentication should sit at the heart of zero trust plans.
As organizations grapple with protecting data and infrastructure in the era of cloud technology and remote working, Yubico’s Chad Thunberg argues that strong authentication should sit at the heart of zero trust plans.

Zero trust is built on the principle that organizations should frequently reestablish trust with individuals and devices attempting access to information. It’s a departure from a perimeter protection framework in which gaining access from outside is difficult, but everyone inside is implicitly trusted (or at least trusted more). Such traditional IT network security contributes to the frequency and impact of security events; the model is untenable in most use cases.

Why authentication matters

The rise in high impact incidents and evolving infrastructure should have us all assessing our authentication protocols. Although littered with buzzwords and competing stories based on what vendors are trying to sell, zero trust concepts are compelling. Indeed, our day to day conversations with customers is often focused around supporting their zero trust initiatives. 

With zero trust, it is imperative to establish a strong proof of identity. Every user attempting to access data will have to be authenticated. Every device will have to meet minimum security and health requirements, even if they are known assets. Users should re-authenticate more frequently, so the method should not only be effective, but efficient. 

First, consider how users prove their identity and how much confidence can be placed in the proof. One thing is sure, passwords on their own are not strong enough in the face of techniques attackers currently employ. Neither are passwords particularly user-friendly when we consider storage, length, complexity, and rotation requirements (which is no longer a best practice).

The following best practices should be considered as part of the zero trust journey: 

1. Phishing-resistance

Phishing is commonly used to extract credentials from unwitting targets to gain access to data, systems or applications. Passwords are obviously not resilient to phishing attacks but neither are one-time passwords fully resilient against some attack types. Despite this, research tells us that SMS one-time passcodes (OTPs) and mobile authentication apps are the most popular two factor authentication (2FA) methods. Authentication needs to be phishing-resistant and should work across multiple device types, and support higher security work environments that restrict mobile devices. Solutions that meet all of these criteria and don’t require deployment of client-side software, are ideal!

2. Secure

It goes without saying but the authentication method should be resilient to attack from a capable and persistent attacker. Dedicated and purpose-built devices include hardware security keys. With this form of authentication, users register their key with the applications and devices they use. To log-in, they present the key during the authentication process to prove their identity. Complex cryptographic actions that take place in the background, confirm that the user and service they are connecting to are genuine.

Such strong authentication supports a zero trust approach but even with this, the hardware security device should still be validated. That’s where attestation comes in. It validates that the device comes from a trusted manufacturer and that the access credentials it generates haven’t been cloned.

3. Identity and Access Management

Federated identity enables highly automated centralized management of identity and access management across the enterprise and cloud. Choosing an identity platform that supports FIDO authentication protocols, in addition to OpenID Connect and SAML 2, will enable the use of a strong proof of identity solution across a majority of applications including on-premise, cloud-hosted, and SaaS. The user experience will also improve with the use of single-sign on and reduced password management headache. This in turn should lead to wider adoption with improved security. 

4. Non-user accounts

Securing user accounts is often not enough. Service accounts often rely on static long lived credentials that can end up in source control platforms, network file systems, and on laptops. Asymmetric cryptography with a hardware security module (HSM) mitigates the threat of stolen credentials. HSMs can also provide attestations to increase confidence in where the keypair was generated and of its non-exportable status.

5. Digital signatures

Most organizations are now familiar with digital signing of electronic documents. The same principle can extend to other artifacts such as email, code commits, and software releases. Digital signatures can provide assurances that an authenticated person did the work and provide a means to detect if the work was modified after it was signed. Hardware-based authenticators and HSMs make signing electronically easier and stronger. 

6. Step-up authentication based on risk

Risk-based access control policies based on signals and risk scores protect users and the organization while increasing productivity. It is possible to implement automated controls that increase authentication requirements and expectations about the client endpoint based on the type of information being assessed, the location of the individual, and whether the behaviour deviates from expected patterns. Authenticators that can support a multitude of authentication protocols provide flexibility in the implementation and a gradient of security appropriate for the moment. 

7. Plan towards secure passwordless login

Passwords are vulnerable to compromise. As part of a zero trust framework, organizations can plan towards secure passwordless login for stronger authentication. To achieve this, they will need a consistent authentication framework and should opt for an ecosystem built on open standards such as FIDO2/WebAuthn. These standards pave the way for interoperability.

READ MORE:

Despite the hype, many organizations may struggle with zero trust. This is to be expected; after all, perimeter protection has been the go-to for a long time. However, it takes a different mindset to validate every access attempt instead. A strong starting point is to assess authentication practices and boost these where needed. Shared secrets, such as passwords, are easily stolen or phished. Strong authentication is a cornerstone of zero trust because it ensures that users are properly validated before granting access.

 For more news from Top Business Tech, don’t forget to subscribe to our daily bulletin!

Follow us on LinkedIn and Twitter

Amber Donovan-Stevens

Amber is a Content Editor at Top Business Tech

Birmingham Unveils the UK’s Best Emerging HealthTech Advances

Kosta Mavroulakis • 03rd April 2025

The National HealthTech Series hosted its latest event in Birmingham this month, showcasing innovative startups driving advanced health technology, including AI-assisted diagnostics, wearable devices and revolutionary educational tools for healthcare professionals. Health stakeholders drawn from the NHS, universities, industry and front-line patient care met with new and emerging businesses to define the future trajectory of...

Why DEIB is Imperative to Tech’s Future

Hadas Almog from AppsFlyer • 17th March 2025

We’ve been seeing Diversity, Equity, Inclusion, and Belonging (DEIB) initiatives being cut time and time again throughout the tech industry. DEIB dedicated roles have been eliminated, employee resource groups have lost funding, and initiatives once considered crucial have been deprioritised in favour of “more immediate business needs.” The justification for these cuts is often the...

The need to eradicate platform dependence

Sue Azari • 10th March 2025

The advertising industry is undergoing a seismic shift. Connected TV (CTV), Retail Media Networks (RMNs), and omnichannel strategies are rapidly redefining how brands engage with consumers. As digital privacy regulations evolve and platform dynamics shift, advertisers must recognise a fundamental truth. You cannot build a sustainable business on borrowed ground. The recent uncertainty surrounding TikTok...

The need to clean data for effective insight

David Sheldrake • 05th March 2025

There is more data today than ever before. In fact, the total amount of data created, captured, copied, and consumed globally has now reached an incredible 149 zettabytes. The growth of the big mountain is not expected to slow down, either, with it expected to reach almost 400 zettabytes within the next three years. Whilst...

What can be done to democratize VDI?

Dennis Damen • 05th March 2025

Virtual Desktop Infrastructure (VDI) offers businesses enhanced security, scalability, and compliance, yet it remains a niche technology. One of the biggest barriers to widespread adoption is a severe talent gap. Many IT professionals lack hands-on VDI experience, as their careers begin with physical machines and increasingly shift toward cloud-based services. This shortage has created a...

Tech and Business Outlook: US Confident, European Sentiment Mixed

Viva Technology • 11th February 2025

The VivaTech Confidence Barometer, now in its second edition, reveals strong confidence among tech executives regarding the impact of emerging technologies on business competitiveness, particularly AI, which is expected to have the most significant impact in the near future. Surveying tech leaders from Europe and North America, 81% recognize their companies as competitive internationally, with...