
Where Does Certificate-Based Authentication Fit Into Modern Authentication?

Making the transition to Modern Authentication is not without its challenges. As enterprises make the switch, it is important to understand why organizations find it hard to modernize their authentication frameworks, how to build on existing PKI-based implementations, and how to plan an Access Management strategy that serves 2FA, adaptive authentication, and conditional access alike.

Out with the old – Why the need to transition?

Traditional authentication – usernames, passwords, IP addresses – was built for a time when there was a network perimeter to defend. Now that identity is the new perimeter, new authentication methods are needed.

There are several problems with traditional authentication which, once understood, explain why it cannot scale to current needs. First, passwords are weak, mishandled, and frequently abused: around 80% of hacking-related breaches involve stolen or reused credentials, and research shows that nearly half of employees reuse passwords between work and private accounts. Despite heavy investment in anti-ransomware technology, most compromises still trace back to poor identity and access management.

Legacy authentication also causes login fatigue: users must sign in separately to every app, service, and platform, and we use more of them than ever before. The extra friction does not make anyone safer. A static password proves only that someone knew the secret; it carries no context (device, location, risk) on which to base fine-grained access decisions, so users are often granted more permissions and privileges than they need. And traditional MFA that relies on RADIUS, for example, often cannot serve cloud applications that authenticate with SAML, OIDC, and OAuth.

Today we face the problem of enabling multiple user authentication journeys without disrupting the user experience. As Asaf Lerner, IAM Market Owner at Thales, says, "The multitude of end devices, locations, applications, and roles means that a single user will likely need more than one way of accessing the range of apps they need throughout their day. The challenge now is to effectively support multiple user authentication journeys to achieve secure remote access, without burdening your end users."

Authentication methods based on public-key cryptography, such as FIDO, address these legacy-auth problems.

In with the new

To meet the challenges of today’s threat environment, methods like FIDO (Fast IDentity Online) and FIDO2 are quickly replacing traditional usernames and passwords. Here’s why:

  1. FIDO is based on public-key cryptography: the private key stays on the user's authenticator and the service stores only the public key, so there is no shared secret to phish, leak in a server breach, or brute-force.
  2. FIDO authenticators verify the user locally with a biometric or PIN before the key can be used, so possession of the device (something you have) is combined with something you are or know, and no biometric template ever leaves the device.
  3. FIDO2 provides a passwordless MFA experience that resists account takeover and phishing, because each credential is bound to the site that registered it, and it helps meet compliance requirements for strong authentication.
  4. FIDO2 works with devices users already own, whether a built-in platform authenticator (a phone or laptop with a fingerprint or face sensor) or a roaming security key, allowing fast and secure authentication on both mobile and desktop.

So how do Modern Authentication protocols like FIDO and FIDO2 work? Not through TLS encryption as such: TLS protects the transport, but the authentication itself is a challenge-response signature. When a user registers with an online service, the client's authenticator creates a new key pair scoped to that service and sends only the public key to the service. At login, the service sends a fresh random challenge; the user performs a gesture on the device (PIN, touch, biometric) to unlock the private key; the authenticator signs the challenge together with the origin of the requesting site; and the service verifies the signature with the stored public key. Because the origin is covered by the signature and the credential is scoped to the registering site, a look-alike phishing site cannot obtain a usable signature, and because the private key never leaves the device, a breach of the service yields nothing reusable. Note that these FIDO credentials are not themselves PKI certificates: the user key pair carries no CA-issued certificate (an authenticator may ship with an attestation certificate, but that vouches for the device model, not the user). Certificate-based authentication, where a CA issues each user a certificate, is the PKI-based counterpart.
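To make that registration and login exchange concrete, here is an added example in Go using only the standard library; it is not code from the original post or from Thales. It models a FIDO2/WebAuthn-style authenticator and relying party: one key pair per site, a single-use random challenge, the browser-supplied origin bound into the signed client data, and the user-presence gesture gating any use of the private key. The names Authenticator, RelyingParty, Sign and Verify are this example's own, it scopes credentials by full origin rather than WebAuthn's RP ID, it omits authenticator data, attestation and the signature counter, and the sample origin https://login.example.com is constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// clientData mirrors WebAuthn's CollectedClientData. The browser, not the authenticator,
// fills it in, so the origin the user really visited is bound into the signature.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is the authenticator's answer to a login challenge: the client data plus an ECDSA
// P-256 signature over its SHA-256 hash (real WebAuthn also signs authenticator data; omitted here).
type Assertion struct{ ClientDataJSON, Sig []byte }

// Authenticator stands in for a FIDO2 security key: one key pair per origin (real WebAuthn
// scopes credentials by RP ID, the registrable domain) and the private keys never leave it.
type Authenticator struct{ keys map[string]*ecdsa.PrivateKey }
func NewAuthenticator() *Authenticator { return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}} }

// Register creates a key pair scoped to origin and hands back only the public key.
func (a *Authenticator) Register(origin string) *ecdsa.PublicKey {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	a.keys[origin] = priv
	return &priv.PublicKey
}

// Sign answers a challenge for the page at origin. The credential is looked up by that origin,
// so a look-alike phishing site has nothing to sign with, and nothing is signed without the gesture.
func (a *Authenticator) Sign(origin string, challenge []byte, userPresent bool) (*Assertion, error) {
	if !userPresent {
		return nil, fmt.Errorf("authenticator: user gesture required before private key use")
	}
	priv, ok := a.keys[origin]
	if !ok {
		return nil, fmt.Errorf("authenticator: no credential registered for origin %q", origin)
	}
	cd, _ := json.Marshal(clientData{Type: "webauthn.get",
		Challenge: base64.RawURLEncoding.EncodeToString(challenge), Origin: origin})
	digest := sha256.Sum256(cd)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return nil, err
	}
	return &Assertion{ClientDataJSON: cd, Sig: sig}, nil
}

// RelyingParty is the online service: it holds a public key only (a breach leaks nothing
// reusable) and the single outstanding challenge.
type RelyingParty struct {
	Origin  string
	Pub     *ecdsa.PublicKey
	pending []byte // issued challenge, nil once consumed
}

// Challenge issues 32 random bytes that are valid for exactly one assertion.
func (rp *RelyingParty) Challenge() []byte {
	rp.pending = make([]byte, 32)
	rand.Read(rp.pending) // crypto/rand: the constructed example does not expect this to fail
	return rp.pending
}

// Verify runs the relying-party checks: a live challenge, the expected origin and
// challenge value, and the signature against the enrolled public key.
func (rp *RelyingParty) Verify(as *Assertion) error {
	want := rp.pending
	rp.pending = nil // single use: a captured assertion cannot be replayed
	if want == nil {
		return fmt.Errorf("no outstanding challenge (replayed assertion?)")
	}
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Origin != rp.Origin {
		return fmt.Errorf("origin mismatch: got %q, want %q", cd.Origin, rp.Origin)
	}
	if cd.Challenge != base64.RawURLEncoding.EncodeToString(want) {
		return fmt.Errorf("challenge mismatch")
	}
	digest := sha256.Sum256(as.ClientDataJSON)
	if !ecdsa.VerifyASN1(rp.Pub, digest[:], as.Sig) {
		return fmt.Errorf("bad signature")
	}
	return nil
}
```

To exercise it, create an Authenticator, call Register with the site's origin and store the returned public key in a RelyingParty for that origin; a login is then rp.Challenge() followed by auth.Sign(origin, challenge, true) and rp.Verify(assertion). Verify succeeds exactly once per challenge: replaying the same assertion fails because the challenge was consumed, an assertion for an older challenge fails the challenge comparison, client data whose origin was rewritten after signing fails the origin check, a look-alike origin is refused by the authenticator because no credential is scoped to it, and with userPresent false the private key is never used.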

Switching to Modern Authentication methods solves the problems traditional authentication leaves behind. Key-based access removes the insecurity of passwords. Federation protocols like SAML and OAuth/OIDC eliminate login fatigue by letting a user authenticate once and gain access across multiple platforms. They allow multiple user authentication journeys across remote environments without overburdening users, and a strong, context-rich login is the foundation on which role-based and conditional access policies, including privileged access management, can be built. No secret is ever handed to the service. Strong user authentication scales through the cloud and supports continuous authentication across a user's session, from start to finish.

Bridging the gap for a secure future

As you make the transition from your legacy environment, find a partner that can help you bridge the gap. Good multi-factor authentication devices support multiple applications simultaneously with current and emerging protocols. Some offer one key that combines support for FIDO2, WebAuthn, U2F, and PKI, usable for both physical access and logical resources.

If your organization relies on PKI authentication, combined PKI-FIDO smart cards give users a single credential for legacy apps, cloud resources, and network domains. Or you can use a USB token to go passwordless: the token provides something you have and its PIN something you know, with a touch on the token proving that a person is present at the moment of login.

As your enterprise moves from a perimeter-based model to multi-cloud and hybrid environments, the security transition will follow, though probably not all at once. Use combined methods while moving to certificate-based and FIDO-based Modern Authentication so that security scales without compromising business continuity.


Director Product Marketing, Access Management & Authentication at Thales