Privileged access management (PAM) programs aim to secure the highest-risk access in an organization, including using privileged credentials like passwords, SSH keys and application secrets. So, how can PAM and identity security teams prepare for a passwordless future? The answer lies in a deeper examination of what ‘passwordless’ really means and how PAM programs are modernizing to protect new identities and environments.
While the concept of passwordless authentication is not new, meaningful adoption has only begun in recent years. Several forms of passwordless authentication are gaining traction, ranging from physical authentication factors like USB keys or biometrics to digital factors like QR codes, passkeys and SMS messages with one-time codes. Each method can help efficiently validate a user’s access, which is central to the concept of Zero Trust.
Yet despite the benefits of these authentication formats, passwordless will not replace the need to secure high-risk access – with or without passwords and credentials.
Let’s explore why.
Analyzing Passwordless Authentication Factors
Authentication factors enabling an enterprise identity to connect to a resource are generally divided into three categories:
1. Knowledge factors or something you know.
2. Possession factors or something you have
3. Inherence factors or something you are.
Passwordless methodologies shift the authentication paradigm away from known passwords, a knowledge factor, opting instead to validate access with possession factors (such as a Yubikey or Passkey) and inherence factors (such as biometrics). In many cases, passwordless paradigms don’t truly eliminate passwords but rather abstract the secret away from the end user – just as modern privileged session management capabilities do.
These possession and inherence factors can make user logins faster and more seamless, in alignment with widely trusted standards for passwordless access, such as the FIDO2 Web Authentication (WebAuthN) standard.
Abstracting Passwords Does Not Eliminate Risk
Passwordless authentication factors will certainly reduce risk – but they can still be compromised. For example, biohacking attacks can compromise biometric authentication, while physical theft of Yubikeys and other hardware authenticators negates those standards. Phishing-resistant passkeys are harder to steal than passwords, but attackers can still access a device’s passkey store and use valid passkeys to reach their objectives. Consistent with a Zero Trust mindset, organizations must ‘assume breach’ and realize no authentication factor is safe.
Insider threats will also remain a risk with passwordless authentication. Changing authentication factors to improve user experience does not negate the risk of bad actors inside an organization’s directory or trusted roster of third-party vendors. Simply put, eliminating passwords does not entirely reduce the risk of compromised access.
Organizations will always need defense-in-depth controls to mitigate these risks, even with passwordless authentication paradigms. Tried-and-true PAM concepts like least privilege access, session isolation, privileged session audit and Identity Threat Detection and Response (ITDR) remain essential lines of defense that reduce the risk of identity compromise and lateral movement.
Why We Can’t Fully Replace Passwords – Yet
Today, several operational considerations prevent the full adoption of passwordless authentication. Here are several:
Compatibility. Many systems in an organization will always require passwords by default. For example, every organizational laptop, server and networked device has a built-in local administrator password. These credentials are top targets in ransomware attacks, which generally require local admin rights to execute malware on an endpoint and spread. PAM programs aim to remove these credentials on workstations and manage them securely in a vault.
Security teams lack proven paradigms for replacing these local admin passwords with passwordless authentication factors. The same is true of service accounts and other machine identities, most of which use secrets to authenticate machine-to-machine communications.
Shared account complexity. To reduce their attack surface or satisfy audit requirements, many organizations aim to reduce the number of accounts with access to their most sensitive resources. A common strategy is consolidating on a small number of highly privileged accounts shared by multiple IT and Cloud Ops users. Modern PAM programs then apply several layers of controls to secure these shared accounts. Since these accounts are shared between users, they generally rely on shared knowledge and require knowledge-based authentication factors like credentials.
Modern PAM programs aim to reduce the number of credentials and prevent their exposure to the end user, often obscuring them. In other words, ‘fewer passwords’ is as important as ‘passwordless’ authentication.
In cloud environments where federated access models are popular, some modern PAM programs also reduce password risk by embracing a zero standing privileges (ZSP) approach, creating and deleting entitlements for each privileged session. But even in cloud environments, every organization requires some level of shared privileged access, as the root and registration accounts required to set up a cloud environment can never be decommissioned. These root account credentials will always exist and must be secured with intelligent privilege controls.
Regulatory compliance. Auditors assessing an organization’s cybersecurity compliance with essential regulatory standards often look for defense-in-depth identity security. Some regulations require the use of passwords and careful controls on those passwords, such as implementing least privilege, multi-factor authentication (MFA), policy-based credential rotation and thorough audit visibility of password usage. Eliminating passwords outright can complicate and delay audit processes, ultimately impeding operations.
Backup Access. In emergency situations, passwords serve as a reliable fallback authentication method when passwordless options fail, ensuring users can access their accounts. In fact, many passwordless solutions even rely on credentials (or keys) on the backend. Since keys can be valuable targets for attackers, PAM programs must apply several layers of controls to secure them.
Expectations vs. Reality: Evaluating Passwordless Claims from Security Vendors
Many security vendors – including CyberArk – have smartly introduced passwordless authentication for users accessing their own platforms. However, despite bold claims from some vendors, these technologies cannot replace all passwords, SSH keys and application secrets today.
Identity security leaders are focusing on reducing the core problem – compromised credentials – with modern access models that reduce the number of passwords in play, such as just-in-time (JIT) access. Some technologies create ephemeral accounts and certificates that are not exposed to the end user. Other vendors use agent-based elevation on specific servers, though in this case, the servers still have built-in passwords that must be securely managed.
For these reasons, it’s essential to carefully evaluate claims that any security vendor can deliver a state of passwordless nirvana. The reality is that for the foreseeable future, nearly all organizations will rely on a wide variety of human and machine identities that need passwords to authenticate, making it essential to take a defense-in-depth approach to identity security.
Five Intelligent Privilege Controls for A Passwordless World
Even if we eventually succeed in removing the need for password-based access, heightened controls will still be needed on the highest-risk privileged access. Here are several:
1. Least privilege access. By reducing permissions for identities that authenticate without passwords, organizations can reduce lateral and vertical movement and limit a breach’s ‘blast radius.’ Least privilege is an essential element for a Zero Trust identity security strategy.
2. Session isolation. A passwordless world would still be plagued by ransomware and other forms of malware. Using proxy servers and bastion hosts to isolate highly privileged sessions helps prevent malware-compromised devices from reaching enterprise resources.
3. Session audit and screen recording. Regardless of how compliance requirements may evolve beyond passwords, organizations will need to review high-risk user activity and investigate potential incidents. To maximize the efficiency of audits, organizations will need a central review of end user sessions across long-lived systems, cloud workloads and services and web apps.
4. ITDR. Although proactive efforts are being made to reduce passwords, security teams will still need to detect malicious or anomalous behavior that could signal in-progress attacks – especially on their identity infrastructure. ITDR capabilities from leading identity security vendors can use AI and machine learning to detect known indicators of malicious access while flagging incidents to the security operations center (SOC) for automatic response and remediation.
5. Access with zero standing privileges. Even without passwords, organizations must reduce post-authentication risk. Organizations can reduce the blast radius of an attack by removing standing privileges and instead creating and deleting specific entitlements for specific users and sessions. A true ZSP posture requires that permissions are created and assigned on the fly and removed after use, with granular control of crucial TEA (time/duration, entitlements, approval) settings.
Interested in learning more about how modern PAM programs secure IT, third-party and cloud operations teams? Register for our upcoming webinar.
Sam Flaster is a director of product marketing at CyberArk.
