Zero Trust

  • 1.  Passkeys as a component of Zero Trust

    Posted Oct 27, 2022 12:36:00 PM
    Hi All,

    I had one of the founders of FIDO Alliance reach out to me about Passkeys, a mechanism for enabling FIDO authentication.

    There has been a lot of news in the past few days about its adoption; this seems like it could be a significant development in eliminating passwords and an important means of implementing Zero Trust principles, particularly on the client side. Should we reference it in our research?

    https://arstechnica.com/information-technology/2022/10/passkeys-microsoft-apple-and-googles-password-killer-are-finally-here/

    https://fidoalliance.org/passkeys/

    ------------------------------
    Jim Reavis CCSK
    Cloud Security Alliance
    Bellingham WA
    ------------------------------


  • 2.  RE: Passkeys as a component of Zero Trust

    Posted Oct 28, 2022 10:05:00 AM
    Edited by Erik Johnson Oct 28, 2022 10:17:28 AM

    Thanks Jim

    I've passed this info along to the leads of our ZT Identity and IAM research working groups for awareness and consideration.
    Initial feedback is favorable. 

    ------------------------------
    Erik Johnson CCSK, CCSP, CISSP, PMP
    Senior Research Analyst
    Cloud Security Alliance
    Leesburg VA
    ------------------------------



  • 3.  RE: Passkeys as a component of Zero Trust

    Posted Oct 28, 2022 10:39:00 AM
    Your post is very timely @Jim Reavis. While developing the planning training module (5) we have been kicking around examples. The movement of passwords to passwordless as part of a Zero Trust journey might be one of the easier examples for the student to grasp.  I'll propose some language to the rest of the group. Thank you for placing it on the radar.

    To the broader question, I do not see how CSA can ignore Passkeys or FIDO in its research. It seems to me the question is to what extent. I do not know the answer, but the answer lies in the needs of the constituents and CSA's strategy. Maybe the place to start is with the basics. Historically, the thinking has been that a combination of (1) what you know (e.g., password), (2) what you have (e.g., token), and (3) who you are (e.g., thumbprint) is sufficient. Behavior and geography now play a significant role, especially with a remote workforce. Maybe a short thought piece on how things have changed?


    ------------------------------
    Alex Sharpe
    Principal
    Sharpe42
    ------------------------------