Zero Passwords in a Zero Trust World
Authors
Doug Simmons – Principal Consulting Analyst
Sorell Slaymaker – Principal Consulting Analyst
Abstract
There is tremendous hype and interest in Zero Trust (ZT), and it is mostly deserved. This report examines how Zero Passwords, or password-less authentication, can and should fit within this Zero Trust world.
With the accelerated deployment of mobile, cloud, IoT, and edge computing, we see the blurring of the traditional secure perimeter boundary and the internal trusted network. The Zero Trust premise is that we should NOT trust a single user, device, thing, service, or application. Trust is something that is granted and reestablished/verified through Identity and Access Management (IAM) services designed to provide proper controls – beginning with authentication.
The challenge with Zero Trust authentication is that traditional authentication via passwords has been problematic. For higher-value transactions in particular, the use of simple, relatively insecure, often recycled, easily guessed or stolen passwords is no longer good enough. One of the most sought-after pieces of personally identifiable information (PII) is a username and password; this is especially threatening when individuals reuse the same username/password combinations at multiple sites. So, passwords are a problem.
This report first defines what a ‘zero password’ strategy is, then explores the emerging approaches to achieving a zero-password state (including vendor/industry initiatives), and finally offers enterprise guidance on how to successfully proceed towards a Zero Trust infrastructure utilizing this password-less paradigm.