Zero Trust


Passkeys as a component of Zero Trust

  • 1.  Passkeys as a component of Zero Trust

    Posted Oct 27, 2022 12:36:00 PM
    Hi All,

    I had one of the founders of FIDO Alliance reach out to me about Passkeys, a mechanism for enabling FIDO authentication.

    There has been lots of news in the past few days about its adoption; this seems like it could be a significant development in eliminating passwords and an important means for implementing Zero Trust principles, particularly on the client side. Should we reference it in our research?

    https://arstechnica.com/information-technology/2022/10/passkeys-microsoft-apple-and-googles-password-killer-are-finally-here/

    https://fidoalliance.org/passkeys/

    ------------------------------
    Jim Reavis CCSK
    Cloud Security Alliance
    Bellingham WA
    ------------------------------


  • 2.  RE: Passkeys as a component of Zero Trust

    Posted Oct 28, 2022 10:05:00 AM
    Edited by Erik Johnson Oct 28, 2022 10:17:28 AM

    Thanks Jim

    I've passed this info along to the leads of our ZT Identity and IAM research working groups for awareness and consideration.
    Initial feedback is favorable.

    ------------------------------
    Erik Johnson CCSK, CCSP, CISSP, PMP
    Senior Research Analyst
    Cloud Security Alliance
    Leesburg VA
    ------------------------------



  • 3.  RE: Passkeys as a component of Zero Trust

    Posted Oct 28, 2022 10:39:00 AM
    Your post is very timely @Jim Reavis. While developing the planning training module (5) we have been kicking around examples. The movement from passwords to passwordless as part of a Zero Trust journey might be one of the easier examples for the student to grasp. I'll propose some language to the rest of the group. Thank you for placing it on the radar.

    To the broader question, I do not see how CSA can ignore Passkeys or FIDO in its research. It seems to me the question is to what extent. I do not know the answer, but the answer lies in the needs of the constituents and CSA's strategy. Maybe the place to start is with the basics. Historically, the thinking has been that a combination of (1) what you know (e.g., password), (2) what you have (e.g., token), and (3) who you are (e.g., thumbprint) is sufficient. Behavior and geography now play a significant role, especially with a remote workforce. Maybe a short thought piece on how things have changed?


    ------------------------------
    Alex Sharpe
    Principal
    Sharpe42
    [email protected]
    ------------------------------



  • 4.  RE: Passkeys as a component of Zero Trust

    Posted Feb 10, 2023 09:18:00 AM

    I just recently joined this group and am glad to see that passkey is on the radar for your research. Has there been any progress on that since the last post from @Alex Sharpe in October? I'd be happy to contribute to this. I was on the Board of the FIDO Alliance for almost 4 years until I left my position at Meta last October.



    ------------------------------
    Dario Salice
    Technology Advisor
    jenario
    ------------------------------



  • 5.  RE: Passkeys as a component of Zero Trust

    Posted Feb 10, 2023 09:47:00 AM

    Welcome, Dario. I have been heads down on other workstreams. If you email me ([email protected]) I will connect you with people who know the status better than me. Cheers, alex.



    ------------------------------
    Alex Sharpe
    Principal
    Sharpe42
    [email protected]
    Co-Chair Philosophy & Guiding Principles Working Group
    Co-Chair Organizational Strategy & Governance Working Group
    ------------------------------



  • 6.  RE: Passkeys as a component of Zero Trust

    Posted Feb 13, 2023 09:22:00 AM

    Passkeys and FIDO, while I get that they are attractive to people wanting a simpler life, are quite simply a single point of identity failure.

    Remember, the one really good aspect of blockchain is that it was originally designed for non-repudiation, even though there are a number of flaws in the implementation as well as the design.

    Quite honestly, it is missing the Zero Trust point if you continue to think there is a simple solution to the biggest growing threat vector, i.e. identity fraud.

    The security foundation of trust proof-of-concept with which I am engaging has three strong and separate authentication methods, at the identity layer, the network layer and the application layer, with payload encryption at all levels, able to be proved to auditors by integration of monitoring logs. I have an offer from a group of ethical hackers to test this out in earnest :)

    Edge computing posture supplied by SSE solutions is at best tinkering at the edges (no pun intended), and quite possibly introduces more security holes if any of the technologies are vulnerable, which they are.

    Zero Trust security currently seems like an empty slogan.



    ------------------------------
    Nya Murray
    Director
    Trac-Car
    ------------------------------



  • 7.  RE: Passkeys as a component of Zero Trust

    Posted Feb 13, 2023 12:47:00 PM

    Thank you for sharing @Nya Murray

    It's great to see that people are talking - and thinking - about passkey. If we're going with the assumption that passkeys are meant to replace the password during initial authentication, re-authentication, and step-up authentication, we're not changing much in the identity model. Implementing passkeys doesn't mean that existing recovery methods will disappear.

    If people think that passkey is a silver bullet to solve identity / login issues, then they're going to be disappointed. Even with passkey, there's still going to be a need for (phishing-resistant) MFA and other mechanisms to protect the accounts from being compromised.



    ------------------------------
    Dario Salice
    Technology Advisor
    jenario
    ------------------------------



  • 8.  RE: Passkeys as a component of Zero Trust

    Posted Feb 14, 2023 07:04:00 AM

    It's all very worrying @Dario Salice @Alex Sharpe - BTW thanks for sharing the link on ZT and National Defence, Alex.

    Here is a recent CISA alert on near misses to Energy Industry ICS/SCADA and other devices, FYI.

    On the subject of energy, particularly alarming is time synchronisation from satellites, currently being targeted. Here is an interesting paper about protecting vulnerable critical infrastructure nodes from this threat, authored by faculty members at Politecnico di Torino in Italy - they reference an initiative called Trusted Computing.

    Nya



    ------------------------------
    Nya Murray
    Director
    Trac-Car
    ------------------------------



  • 9.  RE: Passkeys as a component of Zero Trust

    Posted Feb 14, 2023 10:02:00 AM

    Thank you, @Nya Murray. I had not seen the paper out of Italy. Much appreciated.

    Cheers,

    alex.



    ------------------------------
    Alex Sharpe
    Principal
    Sharpe42
    [email protected]
    Co-Chair Philosophy & Guiding Principles Working Group
    Co-Chair Organizational Strategy & Governance Working Group
    ------------------------------



  • 10.  RE: Passkeys as a component of Zero Trust

    Posted Apr 13, 2023 09:33:00 AM

    Hi Dario,

    Many thanks for the post.

    As discussed on emails, please let us work together to produce deliverables related to and using research on passkeys.

    Kind regards,
    Shruti Kulkarni



    ------------------------------
    Shruti Kulkarni CCSK, CISSP, CISA, CRISC, ITILv3 Expert
    Cyber Security Architect
    6point6
    London
    ------------------------------



  • 11.  RE: Passkeys as a component of Zero Trust

    Posted Jun 26, 2023 07:49:00 AM

    Hello,

    We managed to get it over the line and publish the blog post about passkeys:

    https://cloudsecurityalliance.org/blog/2023/06/22/passkeys-zero-trust/

    I hope you like the post and let me know if you have any questions.



    ------------------------------
    Dario Salice
    Technology Advisor
    jenario
    ------------------------------



  • 12.  RE: Passkeys as a component of Zero Trust

    Posted Jun 26, 2023 08:02:00 AM
    Thanks Dario!

    Best Regards,
    Erik Johnson
    Senior Research Analyst (CCSK, CISSP, CCSP, PMP) - Zero Trust and Financial Services
    Cloud Security Alliance