Insight by Duo Security

Authentication and authorization both due for major upgrade

Large organizations concerned with cybersecurity – and that’s all large organizations – are searching for and experimenting with options for user authentication and access. Specifically, they’d like to get past the not-so-trusty password. The Defense Department has the additional goal of replacing the venerable common access card (CAC).

It’s not that the CAC doesn’t work. But it’s cumbersome and requires a lot of administration. More importantly, it inhibits mobile computing and use of cloud computing, two developments that both enable modern applications and infrastructure and require up-to-date authentication and access techniques. Given the edgeless nature of modern networks, and the need to limit the trust and access granted to both external and internal users, more and more IT leaders are recognizing the need to replace yesterday’s authentication and access.

The Case for Updating Authentication

Our users have increased expectations [for] better accessibility to their data, to their applications, and enhanced mobility for that access. And our cyber threats have not decreased. So today we have to take a more holistic strategy, to have an intentional purpose, that we are addressing these needs.

Distinct and Discreet Technologies

We have to make the security more transparent for the end user. If we make it difficult, they will inevitably find a way to get their jobs done regardless of what we do. We have to get more comfortable with technologies like FIDO [Fast IDentity Online]…and also to work with the cloud providers and how they’re deploying Security Assertion Markup Language and OpenID.

Multi-Factor Authentication

We’re carrying around in our pocket these devices showing that at scale, some of these technologies work really well. So having that extra [authentication] factor is really important. CAC was two-factor, but sometimes depending on the platform was not exactly two-factor. So you might need something a little stronger that layers on top of that. Hardware tokens are useful at a higher authentication level or authorization level, but something as easy as push technology can be used for a lot of cases.
