Jasson Casey, Beyond Identity: “malware doesn't care if your password is four characters or four thousand characters long”

Growing reliance on the internet has made businesses, governments, and individuals more aware of data security and identity protection. One of the primary concerns is password protection.

No matter how strong your passwords are, cybercriminals with the right malware will find a way to steal them. Even a leading VPN may be insufficient for full data protection and online security. Cybercriminals have access to the same advancing technology and software that the rest of the public does, and that access has fueled an increase in cyberattacks built on stolen passwords. Avoiding these risks means taking the time to learn about preventative measures.

To discuss the issue in more detail, we spoke with Jasson Casey, CTO at Beyond Identity, a cybersecurity company advancing toward Zero Trust Authentication through constant risk assessment and continuous security validation.

How did Beyond Identity originate? What has the journey been like?

Two and a half decades ago, our founders, Jim Clark and Tom Jermoluk, made the World Wide Web accessible to all. They made it ready for business. Jim spearheaded the release of the Netscape browser along with SSL for secure Internet transactions. Tom focused on large-scale home broadband access with @Home Network. As businesses, governments, and individuals increasingly relied on the Internet, so too did bad actors. Bad actors eroded trust, stole intellectual property, and pilfered funds.

There are hundreds of billions of passwords in the world today. Yet, we continue to rely on this fundamentally insecure authentication model. Passwords are insecure because these “shared secrets” transit networks and get stored in unprotected databases. They are also shared among friends and family. Ultimately, they're reused across multiple apps. With the creation of Beyond Identity, the SaaS platform goes above and beyond FIDO standards. Our passwordless, invisible MFA supports broad authentication use cases. It turns all devices (including computers, tablets, and phones) into secure authenticators. Our platform validates the user and verifies the device is authorized. It checks the security posture of the device and executes an authentication decision based on the company’s risk policies.

Can you tell us a little bit about your passwordless authentication platform? What are its key features?

Beyond Identity is FIDO2 certified and extends the standard with an enterprise-ready platform that prevents credential-based breaches by ensuring user and device trust and eliminating passwords — the single largest source of ransomware and other cyberattacks. Beyond Identity’s cloud-native Universal Passkey Architecture delivers secure and frictionless multi-factor authentication. It's a system that routinely validates user identity and device security. This makes user adoption easy and advances the journey toward Zero Trust Security.

At Beyond Identity, you emphasize the importance of the Zero-Trust principle when it comes to security. Can you tell us more about this approach?

Zero Trust is not any single product or solution. It's a security framework that eliminates the implicit, transitive trust that underpins the perimeter-centric approach. It negates the idea that everything inside the corporate perimeter is trustworthy. In a “perimeter-less” world, Zero Trust never takes trust for granted. Advocates never trust; they always verify. It begins with strong identity validation. It verifies a user’s identity and the security of transactions every time without relying on implicit trust.

An ideal Zero Trust authentication solution goes a step further. It establishes trust in every endpoint device and user accessing enterprise resources. It doesn't do this once but continuously. This includes strong identity validation by cryptographically binding the user identity to a device, then leveraging the secure TPM hardware in modern devices to ensure that a user’s private key can't get stolen by adversaries. It includes real-time checks of the security posture during each authentication transaction. That includes each device used to access resources. After the initial authentication transaction, Zero Trust principles require continuous validation of the device's security posture. They also require an ongoing review of user behavior to ensure the user identity and device can still be trusted. We call this combination Zero Trust Authentication.

What strategies are used to ensure the successful implementation of Zero Trust authentication?

Zero Trust Authentication was developed in response to the failure of traditional authentication methods, a problem exacerbated by increased cyberattacks: online attacks that use stolen passwords and MFA bypass tactics.

Adopting Zero Trust Authentication will allow organizations to overcome the limitations of passwords. This includes legacy multi-factor authentication (MFA) like one-time passwords and push notifications, which are now bypassed at scale in the wild. It implements more robust security strategies, namely continual behind-the-scenes monitoring, all so that organizations can truly meet the Zero Trust rule, “never trust, always verify.” Zero Trust Authentication starts with password-less, phishing-resistant MFA. It adds components, such as Beyond Identity's risk scoring and continuous authentication capabilities. These components significantly enhance the level of protection offered.

What are some of the lesser-known threats a company exposes itself to if proper identity authentication methods are not in place?

Organizations have been aware for a decade that passwords are a major vulnerability. Some organizations took steps to use MFA to fix the password problem. Many organizations weren't aware that nearly all the MFA that is currently in place – one-time codes, magic links, and push notifications – is now being routinely bypassed by threat actors. A few years back, the level of difficulty for attackers to bypass MFA was pretty high. So MFA was a deterrent for most non-state-sponsored threat actors. But, in the last few years, readily available phishing kits have made bypassing MFA a “paint by numbers” exercise for less tech-savvy adversaries. In 2023, things got worse with the advent of phishing as a service. Now, gaining access to accounts and systems protected by first-generation MFA is as easy as swiping a credit card – or a non-traceable form of payment.

Besides quality identity management solutions, what other cybersecurity measures do you think every company should use?

On top of strong Zero Trust Authentication, we believe that organizations should definitely include endpoint detection and response (EDR). The first major avenue that cybercriminals use to gain access to systems is taking over an authorized user identity. They use stolen passwords, bypassing first-gen MFA. The second major avenue is to install malware on an endpoint device that gives the adversary a foothold they can use to exfiltrate data from the device. They also gain access to more applications and systems.

Shutting down both of these initial access methods should be a high priority. These are two of the initial steps on an organization's Zero Trust journey. In fact, it's best if these two security systems are integrated, so they can work together. For example, the authentication solution can take advantage of risk signals provided by an EDR, so that it can make a more informed risk-based decision. Or, the authentication solution can reach out to the EDR to quarantine a suspicious user or device.
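The device-bound authentication flow described in the Zero Trust Authentication answer, with the EDR risk signal feeding the policy decision as described just above, reduced to code as an added illustration that is not Beyond Identity's own implementation. An Ed25519 key pair stands in for the TPM-resident device key, the Posture fields and the 0-100 EDR risk score are assumed stand-ins for the posture and EDR signals mentioned, and the verifier is assumed to record every challenge it issues so that each signed assertion can be consumed only once.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Posture is the device-security signal measured at each authentication (field names assumed).
type Posture struct {
	DiskEncrypted bool
	EDRRiskScore  int // hypothetical 0-100 score supplied by an EDR integration
}
// Verifier holds enrolled device public keys, unconsumed challenges and the risk ceiling policy.
type Verifier struct {
	Enrolled    map[string]ed25519.PublicKey // device id -> public key registered at enrollment
	Outstanding map[string]bool              // issued challenges not yet consumed (replay defence)
	MaxRisk     int                          // highest EDR risk score the policy will accept
}

// Message binds challenge and posture into one byte string so neither can be swapped after signing.
func Message(c []byte, p Posture) []byte {
	return []byte(fmt.Sprintf("%x|enc=%t|risk=%d", c, p.DiskEncrypted, p.EDRRiskScore))
}

// Sign is the device side: the device-bound key (TPM-resident in practice) signs challenge plus posture.
func Sign(priv ed25519.PrivateKey, c []byte, p Posture) []byte {
	return ed25519.Sign(priv, Message(c, p))
}

// Verify checks device binding, challenge freshness and the signature, then applies posture policy.
func (v *Verifier) Verify(id string, c []byte, p Posture, sig []byte) error {
	pub, ok := v.Enrolled[id]
	switch {
	case !ok:
		return errors.New("device not enrolled")
	case !v.Outstanding[string(c)]:
		return errors.New("unknown or replayed challenge")
	case !ed25519.Verify(pub, Message(c, p), sig):
		return errors.New("signature does not match device key")
	}
	delete(v.Outstanding, string(c)) // consume the nonce only once the signature is good
	switch {
	case !p.DiskEncrypted:
		return errors.New("policy: disk not encrypted")
	case p.EDRRiskScore > v.MaxRisk:
		return errors.New("policy: EDR risk above ceiling")
	}
	return nil
}
```

Because the posture travels inside the signed message, an assertion whose posture was altered after signing fails the signature check before policy is consulted, and a replayed assertion is rejected even though its signature is valid.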

What do you think the future of identity and access management is going to be like? Do you think the use of biometrics is going to take off?

The future of identity and access management will use strong, password-less, and phishing-resistant MFA. The US government has already mandated that agencies apply this by 2024. Biometrics, particularly the biometrics built into modern devices, i.e., phones, laptops, tablets, and desktop devices, will be one of the strong factors in a multi-factor world. Coupled with other phish-resistant factors, like the FIDO passkey, the combination provides multiple strong factors and a better user experience. A win–win proposition.

What actions can average individuals take to protect their identity online?

Unfortunately, individuals have bad options today. First, individuals and organizations can push their vendors to make products more secure by design. They can use phish-resistant MFA. Users can vote with their money and choose security, along with convenience. Don’t get fooled by apps that simply “hide” the password. For example, some mobile apps can use biometrics but then send the password in the background. The app seems secure, but if there is a password involved, the bad actor can log into the web version of the app with a stolen password. Today, individuals are stuck with passwords. There's no such thing as a “secure password.” Malware doesn't care if your password is four characters or four thousand characters long with a mix of numbers and symbols. It will steal it either way. But users can, at least, use a unique twelve-character password on each app. This provides some protection. It prevents a situation where a hacker or cybercriminal steals a password from one app and then proceeds to use it to log into, for example, a bank account.

Would you like to share what’s next for Beyond Identity?

We started by eliminating the password and implementing MFA with no weak factors. We moved on to incorporating device trust and integrating with MDM, EDR, and ZTNA solutions to provide the only Zero Trust Authentication solution available. We will continue to integrate with additional security technology vendors. We'll be adding machine learning to incorporate more risk signals into our risk-based policy engine. We hit the ground running with Zero Trust Authentication, but this was just the beginning. We're taking the show live and in person for our ZTA roadshow. We’ll be traveling to Atlanta, Boston, Chicago, Dallas, New York, and San Francisco, all to further educate people on the crucial need for authentication that meets the elevated requirements of Zero Trust. We’re excited to keep growing and improving what is already the strongest — and only — unphishable MFA in the industry.
