Zero Trust Principles: Ubiquitous Authentication and Authorization
Authenticate and authorize all connections that access data or services, assuming the network is hostile.
Build systems with strong authentication methods and build applications to accept access decisions from policy engines.
When assessing risks associated with access requests, authentication and authorization decisions should consider multiple signals, such as device health, device location, and user identity and state.
MFA is a requirement for Zero Trust Architecture.
That doesn’t mean the user experience has to be bad. On modern devices and platforms, robust MFA can be achieved with a good user experience: for example, an additional factor is requested only when confidence in the user or device drops. Some authentication apps send push notifications to trusted devices, so users don’t have to type codes or find hardware tokens.
It is worth noting that not all authentication factors are visible to the user; one example is passwordless login using the cryptographic capabilities of a built-in FIDO2 (Fast IDentity Online 2) platform authenticator.
Importantly, strong authentication should not hinder access to services. For example, prompt for additional factors only when the request has a high impact, such as reading sensitive data or performing privileged operations like creating new users. Consider SSO to reduce MFA friction.
A risk-based approach should be considered to limit the friction that additional authentication factors introduce. In the example above, the extra factors can be skipped when confidence in the user is high enough.
Passwordless authentication such as FIDO2 is an ideal solution because it provides strong security and a good user experience. Consider implementing passwordless authentication for a strong, consistent, and positive user experience across all of your services.
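The risk-based decision described above, as an added example that is not part of the original page: a small policy engine in Go that takes the signals the page lists (device health and location, user identity and state, how the user authenticated, and how sensitive the operation is) and returns allow, step-up (ask for another factor) or deny. The struct fields, the scoring weights and the thresholds are this example's own assumptions, not a standard; the point is the shape of the decision, which an application receives from the engine rather than computing itself.

```go
package main

import "fmt"

// Decision is what the policy engine hands back to the calling application.
type Decision string

const (
	Allow  Decision = "allow"
	StepUp Decision = "step-up" // ask the user for an additional authentication factor
	Deny   Decision = "deny"
)

// AccessRequest carries the signals the page lists: device health and location,
// user identity and state, how the user authenticated and how sensitive the
// requested operation is. The field names are assumptions made for this example.
type AccessRequest struct {
	User          string
	UserActive    bool   // false if the account is locked or disabled
	DeviceHealthy bool   // e.g. disk encrypted, patched, no known compromise
	DeviceManaged bool   // enrolled in device management / known to the organisation
	LocationKnown bool   // request comes from a location the user normally uses
	AuthMethod    string // "password", "mfa" or "passwordless"
	HighImpact    bool   // sensitive data or privileged operation (e.g. creating users)
}

// confidence scores how sure we are that the request really comes from the named
// user on a trustworthy device. The weights are illustrative, not a standard.
func confidence(r AccessRequest) int {
	score := 0
	if r.DeviceManaged {
		score += 30
	}
	if r.LocationKnown {
		score += 20
	}
	switch r.AuthMethod {
	case "passwordless": // FIDO2: phishing-resistant, the strongest single factor here
		score += 50
	case "mfa":
		score += 40
	case "password":
		score += 10
	}
	return score
}

// Evaluate implements the risk-based policy: hard failures deny outright, a
// high-impact request on a low-confidence session steps up to another factor,
// and everything else is allowed without further prompts.
func Evaluate(r AccessRequest) Decision {
	if !r.UserActive || !r.DeviceHealthy {
		return Deny
	}
	c := confidence(r)
	switch {
	case c < 30:
		return StepUp // too little signal to trust even a low-impact request
	case r.HighImpact && c < 70:
		return StepUp // sensitive operation: require more evidence first
	default:
		return Allow
	}
}

func main() {
	cases := []AccessRequest{
		{User: "alice", UserActive: true, DeviceHealthy: true, DeviceManaged: true, LocationKnown: true, AuthMethod: "passwordless", HighImpact: true},
		{User: "alice", UserActive: true, DeviceHealthy: true, AuthMethod: "password", HighImpact: false},
		{User: "bob", UserActive: false, DeviceHealthy: true, DeviceManaged: true, LocationKnown: true, AuthMethod: "mfa"},
	}
	for _, c := range cases {
		fmt.Printf("%s high-impact=%v auth=%s -> %s\n", c.User, c.HighImpact, c.AuthMethod, Evaluate(c))
	}
}
```

Note that the same user gets different outcomes depending on context: a managed device at a known location with a passwordless login reaches a high-impact operation without any extra prompt, while a password-only login from an unknown device is stepped up even for a low-impact request, and a locked account or unhealthy device is denied before any score is computed.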
Service-to-service authentication
Requests between services also require authentication. Typically this is done with mechanisms such as API tokens, OAuth 2.0, or Public Key Infrastructure (PKI).
Mutual authentication should be used so that each service can be confident the other is authentic. This is key when building allow lists that authorize connections between services based on identity.
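The PKI-based, mutually authenticated service-to-service connection described above, as an added example that is not part of the original page: a Go server that requires a client certificate issued by an internal CA (authentication at the TLS layer) and then authorizes the caller by the identity in that certificate against an allow list. The CA and service names ("example-internal-ca", "orders-service", "checkout-service", "reporting-service"), the use of the certificate's CN as the identity, and the in-process certificate generation are assumptions made for this example; a real deployment would obtain certificates from its own PKI.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// must panics on error; key generation and certificate creation only fail on a broken system.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCert issues an ECDSA certificate whose CN is the service identity (all names
// here are made up). With ca == nil the result is a self-signed CA, else ca signs it.
func newCert(name string, ca *tls.Certificate) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          must(rand.Int(rand.Reader, big.NewInt(1<<62))),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IPAddresses:           []net.IP{net.IPv4(127, 0, 0, 1), net.IPv6loopback}, // httptest listens on loopback
	}
	parent, signKey := tmpl, any(key) // self-signed unless a CA is given
	if ca == nil {
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
	} else {
		parent, signKey = ca.Leaf, ca.PrivateKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signKey))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

// allowListHandler authorizes by identity. When it runs, the TLS layer has already
// authenticated the caller's certificate against the internal CA.
func allowListHandler(allowed map[string]bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		peer := r.TLS.PeerCertificates[0].Subject.CommonName
		if !allowed[peer] {
			http.Error(w, "forbidden: "+peer, http.StatusForbidden)
			return
		}
		fmt.Fprintf(w, "hello, %s", peer)
	}
}

// Demo runs the server and calls it as three clients. It returns the HTTP status
// each client received, or -1 where the server rejected the TLS handshake.
func Demo() map[string]int {
	ca := newCert("example-internal-ca", nil)
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	srv := httptest.NewUnstartedServer(allowListHandler(map[string]bool{"checkout-service": true}))
	srv.TLS = &tls.Config{
		Certificates: []tls.Certificate{newCert("orders-service", &ca)},
		ClientAuth:   tls.RequireAndVerifyClientCert, // mutual TLS: no valid client cert, no connection
		ClientCAs:    pool,
		MinVersion:   tls.VersionTLS12,
	}
	srv.StartTLS()
	defer srv.Close()
	results := map[string]int{}
	for _, name := range []string{"checkout-service", "reporting-service", ""} {
		cfg := &tls.Config{RootCAs: pool} // the client verifies the server against the same CA
		if name != "" {                   // "" models a caller that presents no certificate
			cfg.Certificates = []tls.Certificate{newCert(name, &ca)}
		}
		client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
		resp, err := client.Get(srv.URL)
		if err != nil {
			results[name] = -1
			continue
		}
		resp.Body.Close()
		results[name] = resp.StatusCode
	}
	return results
}

func main() {
	fmt.Println(Demo())
}
```

Three outcomes are worth separating when reading the result: the caller with no certificate never reaches the application at all because the handshake fails; "reporting-service" has a valid certificate from the same CA, so it is authenticated, but it is not on the allow list and receives 403; only "checkout-service" is both authenticated and authorized. Keeping the identity check in the application (or in a sidecar or gateway) rather than trusting "it has a cert from our CA" is what makes the allow list a real authorization decision.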