Tech security reimagined: How password-less authentication works

Firms are adopting zero-trust and password-less authentication to combat the enhanced threat landscape in remote work

Shivani Shinde, Peerzada Abrar
Last Updated: Feb 21 2021 | 9:13 PM IST
With remote work becoming the norm as a result of the Covid-19 pandemic, companies realised that their conventional security architecture was not best-equipped to deal with a distributed workforce.

Mobility, distributed work, and the growing use of cloud solutions have brought huge benefits in scalability and cost. But they expanded the security perimeter, bringing new challenges. 

Take the example of Infosys, India’s second-largest information technology services firm, with close to 250,000 employees. While readying to support employees working from home last year, it realised that its security architecture needed changing. Indeed, the company undertook multiple changes to its security architecture in 2020.

“Traditionally, our security architecture was heavily data centre-centric, and could not support this dispersion of user-connected devices. So we had to move connectivity to the cloud. We had to make multiple changes to the architecture. We have been doing this continuously,” says Vishal Salvi, chief information security officer at Infosys.

Infosys made significant adjustments to the rules for monitoring and use-case generation, to adapt to the new ways of working. The company developed new models to monitor employees for productivity while avoiding conflict with privacy mandates. “As we moved to these changed assets, we enforced certificate-based authentication on devices,” explains Salvi.

As the company transitioned to work-from-home (WFH), Infosys also had to make sure that all the legal agreements and regulatory approvals were in place for each of its clients.  

“From an information security standpoint, we had to make sure that the security team was ready even before WFH actually came into effect. We also came out with a connectivity model that was shared with the sales force and the client-facing team, which gave them a clear indication of the options they had and the behind-the-scenes security for each option,” says Salvi.

One feature that is getting a resounding thumbs-up from companies is “zero-trust security”, founded on the premise that no device or user, outside or inside a network, can be trusted. 

Tech giant Cisco is betting big on zero-trust and password-less authentication. “The threat landscape has shifted. In 2019, it was about unauthorised network-based attacks,” says Vishak Raman, director, security business, Cisco India and Saarc. “But when we look at the pandemic, the biggest threat to security is identity theft.”

Identity theft has been on the rise globally. Cases of identity theft in the United States doubled in 2020. And, India’s cybercrime unit reveals that, on average, 88 offences were reported to the Delhi Police daily in November 2020. Of these, 14 per cent involved hacking, identity theft and data theft.

“Password-based technology is getting broken. We are seeing the cloud identity being stolen, and people using that identity to come in,” says Raman. “So, people need to move away from password-based identity login to password-less authentication”, also known as multi-factor authentication.

Cisco has been working with customers to help them better outline a password-less road map. Its zero-trust security platform, Cisco Duo, involves a three-pronged approach to integrity related to the device, the user and the application, maintained via a password-less “mobile push technology”, and also includes geo-fencing of users.

The pressing need for most companies is to shift their security model from on-premise to off-premise, and to anchor it in a zero-trust framework. When the pandemic struck, they had to enable VPN (virtual private network) access for remote workers. The focus was also on end-to-end security to combat the widening threat landscape while continuing to provide critical services.

For example, Cisco helped a power station in India transition to secure, remote work quickly and seamlessly. This meant ensuring secured connectivity to its data centres, which enabled remote workers to connect to the enterprise network from any device, at any time, in any location, while protecting the security of the organisation. 

For this purpose, Cisco deployed its Cisco Umbrella for DNS (domain name system)-based security. Here, machine intelligence enables the uncovering of malicious domains, IPs, and URLs before they are even used in attacks.

During the pandemic, field engineers were unable to enter the power station and log into the enterprise resource planning system, but could still control the grid safely.  Raman explains that the password-less solution told him the location of the field engineers, and this was proof enough that these were genuine employees. 

Technology giant Google is also offering its zero-trust security platform, BeyondCorp Enterprise, to businesses in India. The platform allows employees and any extended workforce to access applications in the cloud or on-premise and work from anywhere without a traditional remote-access VPN. As a result, when Covid-19 struck, 100,000-plus Google employees working in multiple offices globally transitioned quickly and safely to a work-from-home model.

How password-less authentication works
 
Passwords can be painful. It is easy to lose track of them, and they are easily compromised.  Now password-less authentication — the term used to describe a group of identity verification methods that don’t rely on passwords — is becoming a feasible reality for many businesses. Biometrics, security keys and specialised mobile applications are all considered “password-less” authentication methods. They ideally involve less user interaction during the login process than traditional forms of authentication.
 
Password-less authentication relies on a cryptographic key pair — a private and a public key. The public key is provided during registration to the authenticating service (remote server, application or website) while the private key is kept on a user’s device and can only be accessed when a biometric signature, hardware token, or other password-less factor is introduced. Such authentication enables zero-trust security, founded on the concept that no device or user, outside or inside a network, can be trusted.
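
The registration and login flow described above, as an added example that is not from the article or from any vendor it names. The `Server` and `Device` classes, the username, the choice of Ed25519 and the `localFactorOk` flag standing in for a biometric or hardware-token check are all assumptions made for illustration.

```javascript
// Added illustration: key-pair login with a one-time server challenge.
const crypto = require('crypto');

// Authenticating service: holds only public keys and pending challenges.
class Server {
  constructor() {
    this.publicKeys = new Map(); // username -> public key (PEM)
    this.challenges = new Map(); // username -> outstanding challenge
  }
  register(username, publicKeyPem) {
    this.publicKeys.set(username, publicKeyPem);
  }
  issueChallenge(username) {
    const challenge = crypto.randomBytes(32); // fresh random value per login
    this.challenges.set(username, challenge);
    return challenge;
  }
  verifyLogin(username, signature) {
    const challenge = this.challenges.get(username);
    const pem = this.publicKeys.get(username);
    this.challenges.delete(username); // single use, so a replayed signature fails
    if (!challenge || !pem) return false;
    return crypto.verify(null, challenge, pem, signature);
  }
}

// User's device: the private key stays here and is used only after the
// local factor (hypothetical localFactorOk flag) has been presented.
class Device {
  constructor() {
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
    this.privateKey = privateKey;
    this.publicKeyPem = publicKey.export({ type: 'spki', format: 'pem' });
  }
  sign(challenge, localFactorOk) {
    if (!localFactorOk) throw new Error('local factor not presented');
    return crypto.sign(null, challenge, this.privateKey);
  }
}

// Constructed scenario: one genuine login, one replay, one unregistered device.
function demo() {
  const server = new Server();
  const device = new Device();
  server.register('alice', device.publicKeyPem);
  const sig = device.sign(server.issueChallenge('alice'), true);
  const first = server.verifyLogin('alice', sig);
  const replay = server.verifyLogin('alice', sig);
  const other = new Device(); // key pair never registered for alice
  const forged = server.verifyLogin('alice', other.sign(server.issueChallenge('alice'), true));
  return { first, replay, forged };
}
```

Because the service stores only the public key, a breach of its database yields nothing that can be used to sign a later challenge.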
 
