Simple passwords that users reuse across different application services are an enormous security risk for companies; that much is well known. But even very complex passwords can be targeted and cracked by attackers. Two-factor authentication, which is already used in many companies to secure data, is considered to be significantly more secure. On the one hand, two-factor authentication is more secure than simply entering a password; on the other hand, it is also more time-consuming for users. Employees therefore find it not very user-friendly. For this reason, more and more IT experts are currently working on procedures that do not always require a password. To achieve this, they rely on the zero trust concept.
Zero Trust Requires Smart Policies
According to theguardian, using the zero trust principle requires that guidelines be defined in advance. These determine in which cases a user receives the requested access without additional authentication steps and in which cases further steps are necessary to establish the user's identity. Various authentication factors are queried to evaluate the access request.
The devices used play a central role. If a device is managed by IT, there can generally be fewer hurdles when it comes to authentication. If the device is not managed, distrust is higher. The users themselves are also used as a factor: if a user is stored in Active Directory, for example, they are considered more trustworthy than an unknown user. A further factor is represented by the individual application services and their origins: does an application come from the company app store, whose security is continuously checked by corporate IT? Or was the app downloaded from the device manufacturer’s app store? With the latter, there is an increased security risk, which is why additional authentication can be useful or necessary. Certificates that can be distributed to mobile devices and express a unique identity in the form of a key can also play a role in the guidelines.
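One way such guidelines can be expressed as a policy decision, as an added example that is not from the article or any named product: the four factors follow the text above, while the risk weights, the thresholds, and all names are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class AppOrigin(Enum):
    CORPORATE_STORE = "corporate_store"  # vetted continuously by corporate IT
    VENDOR_STORE = "vendor_store"        # device manufacturer's app store
    UNKNOWN = "unknown"                  # sideloaded or unidentifiable


class Decision(Enum):
    ALLOW = "allow"        # access without additional authentication steps
    STEP_UP = "step_up"    # further steps needed to establish identity
    DENY = "deny"          # too many untrusted signals to proceed at all


@dataclass(frozen=True)
class AccessRequest:
    user_in_directory: bool          # e.g. known in Active Directory
    device_managed: bool             # device enrolled with corporate IT
    device_certificate_valid: bool   # device presents a valid identity certificate
    app_origin: AppOrigin


# Hypothetical weights: each untrusted signal adds risk; thresholds are assumptions.
STEP_UP_THRESHOLD = 1   # risk >= 1 requires additional authentication
DENY_THRESHOLD = 4      # risk >= 4 refuses the request outright


def evaluate(req: AccessRequest) -> tuple[Decision, int, list[str]]:
    """Return (decision, risk score, reasons) for one access request."""
    risk = 0
    reasons: list[str] = []
    if not req.user_in_directory:
        risk += 2; reasons.append("user not in directory")
    if not req.device_managed:
        risk += 2; reasons.append("device not managed by IT")
    if not req.device_certificate_valid:
        risk += 1; reasons.append("no valid device certificate")
    if req.app_origin is AppOrigin.VENDOR_STORE:
        risk += 1; reasons.append("app from manufacturer store")
    elif req.app_origin is AppOrigin.UNKNOWN:
        risk += 3; reasons.append("app origin unknown")

    if risk >= DENY_THRESHOLD:
        return Decision.DENY, risk, reasons
    if risk >= STEP_UP_THRESHOLD:
        return Decision.STEP_UP, risk, reasons
    return Decision.ALLOW, risk, reasons
```

A fully trusted request (directory user, managed device with a valid certificate, app from the corporate store) passes without extra steps, while the same user on a managed device running a manufacturer-store app is asked for additional authentication.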