7 strong authentication practices for zero trust

As organizations grapple with protecting data and infrastructure in the era of cloud technology and remote working, Yubico’s Chad Thunberg argues that strong authentication should sit at the heart of zero trust plans.

Zero trust is built on the principle that organizations should frequently reestablish trust with individuals and devices attempting access to information. It’s a departure from a perimeter protection framework in which gaining access from outside is difficult, but everyone inside is implicitly trusted (or at least trusted more). Such traditional IT network security contributes to the frequency and impact of security events; the model is untenable in most use cases.

Why authentication matters

The rise in high-impact incidents and evolving infrastructure should have us all assessing our authentication protocols. Although littered with buzzwords and competing stories based on what vendors are trying to sell, zero trust concepts are compelling. Indeed, our day-to-day conversations with customers are often focused on supporting their zero trust initiatives.

With zero trust, it is imperative to establish a strong proof of identity. Every user attempting to access data will have to be authenticated. Every device will have to meet minimum security and health requirements, even if they are known assets. Users should re-authenticate more frequently, so the method should not only be effective, but efficient. 

First, consider how users prove their identity and how much confidence can be placed in the proof. One thing is sure: passwords on their own are not strong enough in the face of the techniques attackers currently employ. Nor are passwords particularly user-friendly when we consider storage, length, complexity, and rotation requirements (the last of which is no longer considered a best practice).

The following best practices should be considered as part of the zero trust journey: 

1. Phishing-resistance

Phishing is commonly used to extract credentials from unwitting targets to gain access to data, systems or applications. Passwords are obviously not resilient to phishing attacks, but neither are one-time passwords fully resilient against some attack types. Despite this, research tells us that SMS one-time passcodes (OTPs) and mobile authentication apps are the most popular two-factor authentication (2FA) methods. Authentication needs to be phishing-resistant, should work across multiple device types, and should support higher-security work environments that restrict mobile devices. Solutions that meet all of these criteria and don’t require deployment of client-side software are ideal!

2. Secure

It goes without saying that the authentication method should be resilient to attack from a capable and persistent attacker. Dedicated and purpose-built devices include hardware security keys. With this form of authentication, users register their key with the applications and devices they use. To log in, they present the key during the authentication process to prove their identity. Complex cryptographic actions that take place in the background confirm that both the user and the service they are connecting to are genuine.

Such strong authentication supports a zero trust approach but even with this, the hardware security device should still be validated. That’s where attestation comes in. It validates that the device comes from a trusted manufacturer and that the access credentials it generates haven’t been cloned.
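To make the phishing-resistance of practice 1 and the clone check of practice 2 concrete, here is an added example (not from the article, and not Yubico's code) of the core checks a relying party performs on a WebAuthn assertion: the browser fills in the origin and the authenticator signs over a hash of the RP ID, so an assertion captured on a look-alike domain fails against the real site, and a signature counter that does not advance flags a cloned key. The RP ID, origin and challenge values are constructed for the demo; signature verification over authData || SHA-256(clientDataJSON) is assumed to follow these checks and is not shown.

```python
import base64
import hashlib
import json

RP_ID = "example.com"                  # hypothetical relying party
EXPECTED_ORIGIN = "https://example.com"


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def check_assertion(client_data_b64: str, auth_data: bytes,
                    expected_challenge: str, stored_sign_count: int) -> list:
    """Return the list of failed checks; an empty list means the assertion passed."""
    errors = []
    client_data = json.loads(b64url_decode(client_data_b64))
    if client_data.get("type") != "webauthn.get":
        errors.append("wrong ceremony type")
    if client_data.get("challenge") != expected_challenge:
        errors.append("challenge mismatch (possible replay)")
    # The browser, not the page, sets the origin: a phishing site cannot forge it.
    if client_data.get("origin") != EXPECTED_ORIGIN:
        errors.append("origin mismatch (phishing site?)")
    # authenticatorData layout: rpIdHash(32) | flags(1) | signCount(4, big-endian) | ...
    if len(auth_data) < 37:
        return errors + ["authenticator data too short"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        errors.append("rpIdHash mismatch (credential scoped to another RP)")
    flags = auth_data[32]                # bit 0 = user present, bit 2 = user verified
    if not flags & 0x01:
        errors.append("user presence not asserted")
    sign_count = int.from_bytes(auth_data[33:37], "big")
    # A counter that fails to increase suggests the key material was cloned.
    if sign_count != 0 and sign_count <= stored_sign_count:
        errors.append("signature counter did not increase (cloned key?)")
    return errors


def make_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed authenticatorData for the demo (no extensions, no attested credential)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + sign_count.to_bytes(4, "big")


def make_client_data(origin: str, challenge: str) -> str:
    """Constructed clientDataJSON as the browser would encode it (base64url, no padding)."""
    raw = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


if __name__ == "__main__":
    chal = "dGVzdC1jaGFsbGVuZ2U"
    print(check_assertion(make_client_data("https://example.com", chal), make_auth_data("example.com", 0x05, 42), chal, 41))
    print(check_assertion(make_client_data("https://examp1e.com", chal), make_auth_data("examp1e.com", 0x05, 42), chal, 41))
```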

3. Identity and Access Management

Federated identity enables highly automated, centralized management of identity and access across the enterprise and cloud. Choosing an identity platform that supports FIDO authentication protocols, in addition to OpenID Connect and SAML 2, will enable the use of a strong proof-of-identity solution across the majority of applications, including on-premise, cloud-hosted, and SaaS. The user experience will also improve with single sign-on and fewer password management headaches. This in turn should lead to wider adoption and improved security.

4. Non-user accounts

Securing user accounts is often not enough. Service accounts often rely on static, long-lived credentials that can end up in source control platforms, on network file systems, and on laptops. Asymmetric cryptography with a hardware security module (HSM) mitigates the threat of stolen credentials, since the private key never leaves the device. HSMs can also provide attestations to increase confidence in where the keypair was generated and in its non-exportable status.

5. Digital signatures

Most organizations are now familiar with digital signing of electronic documents. The same principle can extend to other artifacts such as email, code commits, and software releases. Digital signatures can provide assurances that an authenticated person did the work and provide a means to detect if the work was modified after it was signed. Hardware-based authenticators and HSMs make signing electronically easier and stronger. 

6. Step-up authentication based on risk

Risk-based access control policies based on signals and risk scores protect users and the organization while increasing productivity. It is possible to implement automated controls that increase authentication requirements and expectations about the client endpoint based on the type of information being accessed, the location of the individual, and whether the behaviour deviates from expected patterns. Authenticators that support a multitude of authentication protocols provide flexibility in the implementation and a gradient of security appropriate for the moment.

7. Plan towards secure passwordless login

Passwords are vulnerable to compromise. As part of a zero trust framework, organizations can plan towards secure passwordless login for stronger authentication. To achieve this, they will need a consistent authentication framework and should opt for an ecosystem built on open standards such as FIDO2/WebAuthn. These standards pave the way for interoperability.


Despite the hype, many organizations may struggle with zero trust. This is to be expected; after all, perimeter protection has been the go-to for a long time, and it takes a different mindset to validate every access attempt instead. A strong starting point is to assess authentication practices and boost these where needed. Shared secrets, such as passwords, are easily stolen or phished. Strong authentication is a cornerstone of zero trust because it ensures that users are properly validated before access is granted.


Amber Donovan-Stevens

Amber is a Content Editor at Top Business Tech
