When it comes to cybersecurity, the one thing most experts agree upon is that password-based access is no longer enough to protect an organization. All it takes is one person having their credentials stolen to put the entire company at risk. Certificate-based authentication (CBA) and multi-factor authentication (MFA) are two methodologies many businesses now use to protect their IT infrastructure and networks.
What is Certificate-Based Authentication?
Certificate-based authentication (CBA) is a cryptographic technique in which a user or machine (a hardware token or device) uses a certificate and its associated key pair to identify itself to a resource. To take part, the endpoint generates a key pair: a public key and a private key. The two are mathematically related, but the relationship is hard to invert, so the private key cannot practically be derived from the public key.
The public key is shared with any entity the user wishes to communicate with by way of a certificate. This electronic document also contains information about the identity of the certificate owner. Every certificate is issued by an organization called a certificate authority (CA), which confirms the identity of the party requesting the certificate.
Below is an example of the chain of events that occurs during CBA over a company network.
- A client attempts to connect with the organization’s network.
- The network checks to see if the digital certificate comes from a trusted CA.
- The network checks to see if the digital certificate is valid at the time of the request.
Once the network confirms the above, it verifies that the client holds the private key corresponding to the public key in the certificate. If it does, the user receives access to the resource.
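The chain of events above, as an added example using only the Go standard library (this is not code from the article or from Axiad): a constructed user CA issues a certificate to alice@example.com, and the relying party checks that the certificate chains to a trusted CA, that it is valid at the time of the request (and marked for client authentication), and that the client proves possession of the private key by signing a server-issued nonce. The CA name, user name, dates and nonce are constructed test data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// VerifyClient runs the checks listed above: the certificate chains to a trusted CA,
// it is valid at request time, and the client proves it holds the private key by
// signing a server-issued nonce (the relying party never sees the private key).
func VerifyClient(cert *x509.Certificate, roots *x509.CertPool, now time.Time, nonce, sig []byte) error {
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return err // untrusted CA, expired, not yet valid, or not a client-auth certificate
	}
	if pub, ok := cert.PublicKey.(ed25519.PublicKey); !ok || !ed25519.Verify(pub, nonce, sig) {
		return fmt.Errorf("client did not prove possession of the certificate's private key")
	}
	return nil
}

func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }
// Scenario builds a constructed user CA and user certificate, then exercises a good
// request, the same request after expiry, and a client that presents Alice's certificate
// without holding Alice's key. It returns the three verification results.
func Scenario() (good, expired, wrongKey error) {
	now := time.Date(2024, 1, 1, 12, 0, 0, 0, time.UTC) // constructed request time
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	alicePub, aliceKey, _ := ed25519.GenerateKey(rand.Reader)
	_, otherKey, _ := ed25519.GenerateKey(rand.Reader) // an impostor's key
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example User CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(48 * time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caPub, caKey))))
	aliceTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "alice@example.com"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	alice := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, aliceTmpl, ca, alicePub, caKey))))
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	nonce := []byte("constructed-challenge") // a real server draws a fresh random nonce per request
	return VerifyClient(alice, roots, now, nonce, ed25519.Sign(aliceKey, nonce)),
		VerifyClient(alice, roots, now.Add(2*time.Hour), nonce, ed25519.Sign(aliceKey, nonce)),
		VerifyClient(alice, roots, now, nonce, ed25519.Sign(otherKey, nonce))
}

func main() {
	fmt.Println(Scenario()) // <nil>, then an expiry error, then a proof-of-possession error
}
```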
What is Multi-Factor Authentication?
Multi-factor authentication requires that users provide at least two verification factors when requesting access to resources like an online account or business application. A common verification factor is a one-time passcode (OTP) delivered to the user's mobile device by email or SMS; these codes are generated from values established when the user registers.
Common categories of multi-factor authentication factors include:
- Known information like a PIN or password
- Something owned by a user, like a smartphone
- Things inherent to a user, like a fingerprint or voice recognition
Some companies use location-based authentication, where the user's IP address or geographical location is verified. Risk-based authentication, or adaptive authentication, accounts for context and behavior when reviewing an access request. The goal is to determine whether granting the request presents a risk to the organization, using signals such as:
- Where is the user when making the access request?
- What device is being used to make the request?
- Is the user trying to log in from a public or private network?
- Is the request being made at an unusual hour?
There are two major categories of MFA:
- Password- or OTP-reliant: As discussed above, authentication relies on a secondary password or PIN.
- Passwordless: Authentication relies on a token such as a YubiKey. Since passwords are not used, this is a more secure form of MFA.
What’s the Difference Between Certificate-Based vs. Multi-factor Authentication?
Multi-factor authentication (MFA) requires users to provide at least two types of verification factors before they are allowed access to resources like an online account. It's a core component of identity and access management (IAM) policies at many top organizations.
The primary benefit of MFA in cybersecurity is that it forces users to prove their identity beyond a username and password. MFA blunts brute-force attacks, in which attackers use automated programs to try many username and password combinations.
While MFA offers an added security layer, it can still be bypassed by an attacker with the right skills. CBA's reliance on user certificates makes it more difficult for threat actors to capture credentials or insert hostile code into the authentication process. Distributing certificates to endpoints also minimizes the need for manual entry of authentication information.
When Should You Use CBA vs. MFA?
CBA and MFA offer heightened security for validating a user's identity compared with relying solely on passwords. Many organizations use a combination of CBA, MFA, and passwords depending on the resource. Below are some best practices to follow if you are going to implement CBA or MFA within your organization.
CBA Best Practices
- Use reliable cryptography — Use algorithms approved by government bodies, such as those in the Commercial National Security Algorithm (CNSA) suite. You can also investigate libraries maintained by the cryptography community, like OpenSSL and Crypto++.
- Set up complete certificate verification — Certificates have a validity period and expire on a specific date. They may also carry attributes in subject fields or extensions that support a more dynamic authentication model. Make sure your process checks the complete certificate, including these details.
- Test the CBA — Put your CBA implementation through different scenarios to ensure that the checks can't be bypassed by removing or altering specific identifiers.
- Have separate certificates for users and servers — Ensure that user certificates come from a different CA than the one that issues server certificates.
MFA Best Practices
- Consider your business needs — Think about the level of security needed at your company and the kind of technology in use. Use that information to come up with the factors you implement. For example, biometrics like a fingerprint might be a good option if your employees use mobile devices.
- Think about users — User error is often the biggest threat to authentication and security. You don't want employees juggling multiple pieces of information when logging into the system; they may end up using weaker passwords and being less careful than they should be in protecting their credentials.
- Incorporate advanced verification — Use capabilities like live testing and advanced biometrics to prevent more sophisticated fraud attempts and improve confidence in system security.
- Go passwordless — MFA that leverages strong tokens provides strong security and maximizes end user convenience.
Leveraging CBA and MFA
CBA and MFA are not mutually exclusive authentication approaches. In fact, CBA implementations can benefit from storing the certificate on a strong token such as a YubiKey or smart card and providing passwordless multi-factor authentication for end users as described above. In this case, the CBA architecture gains passwordless, phishing-resistant MFA.
Frequently Asked Questions
- Is there a difference between CBA vs. MFA?
CBA uses certificates installed on endpoints for user identification. MFA relies on users to provide specific information before granting access to a resource.
- Can you combine CBA and MFA?
Yes, you can use CBA and MFA authentication together to build up additional layers of cybersecurity around your organization.
Learn More
Axiad adds a unified passwordless, phishing-resistant MFA to the CBA approaches of multiple IAM vendors. Further, Axiad provides a critical capability: credential management at scale to help organizations migrate to Azure AD. To learn more, please visit our Certificate-Based Authentication for IAM page.