Passwordless Authentication in Air-Gapped Networks: A Q&A With Alejandro Lopresti, IDEMIA

There’s a common assumption that in air-gapped networks, the air gap (the separation of the network from the internet) is itself enough to keep the network secure. This assumption is wrong. Cybercriminals and nation-states have found ways to compromise networks even if they are not connected to the internet. Stuxnet is the most famous air-gap-specific attack, but today there are a variety of methods and tools that bad actors can use to penetrate air-gapped networks, including going after credentials as a gateway.

Moving to passwordless authentication is one way to shore up the security of air-gapped networks. But this can often be easier said than done. We recently sat down with Alejandro Lopresti, client executive at IDEMIA, to discuss the challenges of achieving passwordless authentication in these unique environments. Here’s what he had to say:

“This is a pressure point for many organizations. Essentially, they are reduced to three main items:

  • The first one is the inability to access cloud services. These organizations have policies or regulations that prevent them from using any of these cloud solutions. Even though some of them could be FedRAMP certified, they are completely off the table for these organizations.
  • The second one is how mobile phones are not permitted on critical infrastructure or air-gapped infrastructure, even though it has been kind of the main tool for biometric matching, including facial recognition or fingerprint scans.
  • The last one is the complexity of having to migrate to a large combination of legacy systems, many of them using native security protocols and having implemented users and monitoring applications that are, many times, managed by different departments.

This level of complexity has been a bit of a deterrent for many companies to move forward into passwordless authentication on air-gapped environments and critical infrastructure.”

The Path to Passwordless

While there are a few challenges that organizations working in air-gapped environments face that traditional organizations don’t, it doesn’t mean they have to be left out of the passwordless future. Lopresti also discussed how the joint solution by Axiad and IDEMIA overcomes these challenges, saying it’s:

“The credential management, the self-service enrollment and the account recovery capabilities provided by Axiad from the recently launched passwordless authentication solution in combination with the IDEMIA PIV cards supporting FIPS 140-2 standards. These cards, beyond the physical access control capabilities, also provide FIDO standard capabilities on a dual applet implementation. So, when we combine these two solutions and provide a full service capability for these organizations, they’re able to reduce the complexity of a deployment, but at the same time cover all the different use cases on the physical and logical access control.”

The “recently launched passwordless authentication solution” Lopresti references is Axiad’s Passwordless for Air Gapped and Critical Environments offering, which brings passwordless authentication and end-user self-service capabilities to air-gapped and critical infrastructure environments that integrate Microsoft Security solutions. You can read more about it here.

And the “credential management, the self-service enrollment and the account recovery capabilities” he mentions are:

  • Axiad AirLock, which provides help desk automation by eliminating temporary passwords and offers self-service credential enrollment.
  • Axiad MyCircle, which provides self-service account recovery within a trusted circle of colleagues rather than waiting for the help desk to respond.
  • Axiad MyIdentities, which enables self-service authenticator lifecycle management.

There’s a solution to every problem. For the roadblocks to passwordless in air-gapped networks, the answer is the joint solution from Axiad and IDEMIA. To learn more, visit: https://www.axiad.com/technology-partners/alliance-idemia/. To watch the full video interview with Lopresti, click here.